Posts 日志分析
Post
Cancel

日志分析

0x0 题目

BugkuCTF 日志分析

0x1 分析

head access.log

粗看文件内容是进行本地SQL盲注,并且日志格式规范,大致想法也就是进行格式匹配输出

cat access.log | grep flag > flag

果然出现dvwa.flag_is_here字段,经过URL解码后我们明显可以看出是字符暴力破解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from urllib import parse
import os

os.system("cat access.log | grep flag | grep -v 404 | awk -F '\"' '{print $2}' > flag")

with open('flag1','w',encoding='utf-8') as f1:
  with open('flag',encoding='utf-8') as f2:
    while True:
      tmp = f2.read()
      if tmp:
        tmp = parse.unquote(tmp)
        f1.write(tmp)
      else: 
        break
1
2
3
4
5
6
7
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>64 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>96 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>100 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),1,1))>101 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),2,1))>96 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
GET /vulnerabilities/sqli_blind/?id=2' AND ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM dvwa.flag_is_here ORDER BY flag LIMIT 0,1),2,1))>104 AND 'RCKM'='RCKM&Submit=Submit HTTP/1.1
......

0x2 取键

1
cat flag1 | awk -F ',' '{print $4}' | tail -n +2

0x3 取值

1
cat flag1 | awk -F '>' '{print $2}' | awk -F ' ' '{print $1}'

0x4 结果

取相同的键中最高的值再加1,也就是破解的ASCII对应的十进制值,将其转换成ASCII值即可

总结

本来想写一个完整的 python 脚本,把键和值放在 dict字典里,多次尝试无果,最后发现自己实在太菜了…… 🙁

This post is licensed under CC BY 4.0 by the author.