Tags: traffic analysis, SQL injection, pyshark, regex matching
0x00. Challenge
Attachment path: https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件
Attachment name: 202109_鹤城杯_SQL注入.zip
0x01. WP1
Browsing all of the HTTP requests shows this is the most common kind of SQL injection traffic: the attacker brute-forces the target string one character at a time and, once a character is confirmed, moves on to the next position.
1. Filter out all of the brute-force requests
http.request.uri contains "/ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t)" && ip.src == 192.168.246.23
2. Use a Python script to regex-match each line of the exported data
exp1.py
import re

# "sqli": the filtered requests exported from Wireshark as text, one request per line
a = []
with open("sqli", "rb") as f:
    for i in f.readlines():
        if b"flag" in i:
            a.append(i.strip())

lastIndex = 0
flag = ""
for i in a:
    # substr position: the text between "),"  and ",1))"
    strIndex = re.findall(r"\),.+,1\)\)", i.decode())[0][2:-4]
    # guessed ASCII code: the text between "))=" and "--+"
    strASC = re.findall(r"\)\)=.+\-\-\+", i.decode())[0][3:-3]
    # print(strIndex, strASC)
    if strIndex != lastIndex:
        # new position: append the guess
        flag = flag + chr(int(strASC))
        lastIndex = strIndex
    else:
        # same position probed again: the later guess supersedes the previous one
        flag = flag[:-1] + chr(int(strASC))
print(flag)
# flag{w1reshARK_ez_1sntit}~~~~<
0x02. WP2
Use the pyshark library directly to iterate over the capture and regex-match the requests, which yields the result straight away.
exp2.py
import pyshark
import re
import urllib.parse

strTsharkPath = "C:\\Program Files\\Wireshark"
strCapPath = "sqli_normal.pcapng"
strFomula = "http.request.method==GET"
# Analysis shows every valid ("true") response has a TCP payload length of 912, so filter on that
# and read the matching request back from each response's response_for_uri field
strFomula = "tcp.len==912"
cap = pyshark.FileCapture(strCapPath, display_filter=strFomula, tshark_path=strTsharkPath)
# Protocol structure analysis
print("Protocol structure analysis starting...")
i = 0
for layer in cap[1].layers:
    print("Layer", i + 1, ":", layer.layer_name)
    print(layer.field_names)
    i += 1
print("Protocol structure analysis done.")
print("=" * 16)
strURI = ""
lstRequest = []
flag = ""
# Extract the list of valid requests from the capture (layer index 3 is the HTTP layer)
for pkt in cap:
    strURI = pkt.layers[3].get_field_value("response_for_uri")
    lstRequest.append(strURI)
# Regex-match and decode
for strRequest in lstRequest:
    matchObj = re.search(r'''ascii\(substr\(\(select flag from t\),(.*?),1\)\)=(.*?)--+''', urllib.parse.unquote(strRequest))
    # print(matchObj[1], matchObj[2])
    flag += chr(int(matchObj[2]))
print(flag)
# flag{w1reshARK_ez_1sntit}~~~~<
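As an added example (not code from the original writeup), the following combines the two approaches above: it parses the probe position and ASCII code from each request URI with the same injection shape, and uses the response size (912 for the true branch, as WP2 observed) to decide which guess succeeded, so the reconstruction no longer depends on request ordering. The sample records, the 640-byte false-branch size and the function names are constructed assumptions.

```python
import re
import urllib.parse
from collections import defaultdict

# Injection shape seen in the capture: ascii(substr((select flag from t),<pos>,1))=<code>--+
PROBE_RE = re.compile(
    r"ascii\(substr\(\(select flag from t\),(\d+),1\)\)=(\d+)--\+")

def parse_probe(uri):
    """Return (position, ascii_code) for one request URI, or None if it is not a probe."""
    m = PROBE_RE.search(urllib.parse.unquote(uri))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))

def reconstruct(records, true_len):
    """records: iterable of (request_uri, response_tcp_len) pairs.
    A probe is treated as successful when its response carries the true-branch size.
    Returns (recovered_string, probes_per_position); the probe count per position is
    the kind of signal a detection rule can alert on."""
    found = {}
    probes = defaultdict(int)
    for uri, rlen in records:
        parsed = parse_probe(uri)
        if parsed is None:
            continue            # not an injection probe, ignore
        pos, code = parsed
        probes[pos] += 1
        if rlen == true_len:
            found[pos] = chr(code)
    text = "".join(found[p] for p in sorted(found))
    return text, dict(probes)

# Constructed sample: a 3-character secret "fla" with wrong guesses interleaved
BASE = "/ctf/Less-5/?id=1'%20and%20ascii(substr((select%20flag%20from%20t),{},1))={}--+"
SAMPLE = [
    (BASE.format(1, 101), 640),   # 'e' guessed for position 1: false-branch size
    (BASE.format(1, 102), 912),   # 'f' correct
    (BASE.format(2, 107), 640),   # 'k' wrong
    (BASE.format(2, 108), 912),   # 'l' correct
    (BASE.format(3, 97), 912),    # 'a' correct
    ("/ctf/Less-5/?id=1", 912),   # unrelated request, ignored
]

if __name__ == "__main__":
    text, probes = reconstruct(SAMPLE, true_len=912)
    print(text, probes)
```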
0x03. WP3
Under the Export Objects menu, view the HTTP requests directly and sort them by size; the flag can then be typed out straight away with Alt+number key codes.