2025-03-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Challenge hints:
1. Again your mission is to extract an md5 password hash out of the database.
You need to extract the password from the database; it is stored as an MD5 hash.
2. This time your limit for this blind sql injection are 33 queries.
At most 33 injection queries are allowed.
3. Also you have to accomplish this task 3 times consecutively, to prove you have solved the challenge.
I can't believe you have to succeed three times in a row. Why, oh why?
4. You can view some of the key source code; the point to note is the same statement as before:
$query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'"
There is a time limit:
/**
 * Check if you were too slow.
 * @return true|false
 */
function blightTimeout()
{
    // No start time stored in the session counts as a timeout.
    if (false === ($start = GWF_Session::getOrDefault('BLIGHT2_TIME_START', false)))
    {
        return true;
    }
    else
    {
        return (time() - $start) > BLIGHT2_TIME;
    }
}
In practice this is indeed enforced: if you take a little too long, the challenge reports that you were too slow and you have to start all over again.
Solution:
Other people's writeups mention that each character can be determined by using the sleep function and then measuring the response time.
' or sleep(ord(substr(password,1,1)))
After an experiment, sleeping for the raw ASCII code turned out to take far too long. Because the characters are limited to 0-9 and A-F this time, the statement above is changed to the one below. Later it turned out that there was still not enough time, so the value is also divided by 2. As for why 46 is subtracted here, think about it for yourselves. Haha, I feel that 46 is the most appropriate:
' or sleep((ord(substr(password,1,1))-46)/2) #
OK, the injection works. To determine the delay, use the Firefox Firebug plug-in: press F12 to open Firebug, select the Net tab, and select the two options HTML and Keep. Keep retains the history so that it can all be reviewed together afterwards, which improves speed; Clear clears the history.
Okay, here we go:
1. Reset the challenge (execute a reset).
2. Clear the Firebug history.
3. Inject for each character, from the first to the thirty-second.
4. Check the response time of each injection in Firebug in turn; move the mouse over the timeline to see the final time for receiving data in the pop-up window. How many decimal places of the time should you keep? Use 0.5 as the unit and discard the excess; for example, 0.76 is treated as 0.5.
5. Prepare the Excel table in advance so that it calculates char(x*2+46), where x is the response time.
6. OK, sort out the data and submit it, and see whether it reports success. Repeat the steps two more times and the problem is solved.
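How the traffic produced by the steps above looks from the server side, as an added detection example that is not part of the original writeup: it flags clients whose requests combine a timing call with single-character substr() reads and counts how many of those requests ran at least 1 second, the shortest delay the payload above can cause. The log format, the sample lines and the function name find_timing_probes are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed access-log lines (not from the page): client, duration in seconds, query string.
SAMPLE_LOG = """\
198.51.100.9 0.05 password=hunter2
203.0.113.7 1.52 password=%27or+sleep%28%28ord%28substr%28password%2C1%2C1%29%29-46%29%2F2%29+%23
203.0.113.7 4.03 password=%27or+sleep%28%28ord%28substr%28password%2C2%2C1%29%29-46%29%2F2%29+%23
203.0.113.7 2.51 password=%27or+sleep%28%28ord%28substr%28password%2C3%2C1%29%29-46%29%2F2%29+%23
198.51.100.9 2.31 password=a+slow+but+harmless+request
"""

# A delay function call, and a one-character substring read at a numeric position.
TIMING_CALL = re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)
CHAR_PROBE = re.compile(r"\bsubstr(?:ing)?\s*\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)", re.I)


def find_timing_probes(log_text, min_probes=3, min_delay=1.0):
    """Return {client: {"positions": [...], "executed": n}} for clients that sent
    a timing call plus a single-character substr() read for >= min_probes positions.

    "executed" counts probes whose duration reached min_delay, i.e. the delay
    most likely ran inside the database instead of being rejected earlier.
    """
    hits = defaultdict(lambda: {"positions": set(), "executed": 0})
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        client, duration, query = parts
        decoded = unquote_plus(query)  # logs hold the URL-encoded form
        probe = CHAR_PROBE.search(decoded)
        if not (probe and TIMING_CALL.search(decoded)):
            continue  # slow requests alone are not a signal
        hits[client]["positions"].add(int(probe.group(1)))
        if float(duration) >= min_delay:
            hits[client]["executed"] += 1
    return {
        client: {"positions": sorted(h["positions"]), "executed": h["executed"]}
        for client, h in hits.items()
        if len(h["positions"]) >= min_probes
    }


if __name__ == "__main__":
    for client, info in find_timing_probes(SAMPLE_LOG).items():
        print(client, info)
```

A non-zero "executed" count means the string concatenation in the query shown earlier is reachable, and the fix is to bind $sessid and $password as parameters instead of interpolating them.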