

@lbr77
Last active April 28, 2024 13:43
SpiritGame sqlshark writeup exp and server.

出题碎碎念:

想法来自群友的调侃:那是不是搞一个sqlmap risk3 level5然后抓包就能出题了?

嗯于是这道题出题时候的参数就是:`python sqlmap.py -u "http://localhost:8080/login?usr=LiBr&pwd=11d188aa7daf1c0ef4744d33888fd0da" --risk 3 --level 5 --thread 8 --dump -T table`(注:sqlmap 的完整选项名是 `--threads`,`--thread` 一般只是作为前缀缩写被接受;另外对照下面的 server 代码,连接的数据库名是 `table`、登录查询的表名是 `user`,因此与 schema 对应的写法应是 `-D table -T user`,原命令里的 `-T table` 可能是笔误。)

出题人wp:

导出所有有用的包之后,用 Python 处理(即下面第一段脚本:把每个包的 `http.file_data` 十六进制还原成文本并打印)就能看到有效信息:

image

然后找到这个 https://gist.github.com/lbr77/891f6326b8a0b5e1b6a4369c55de1b3a ,按它的方法把数据写入 zip 文件,用密码 LiBr(也就是 sqlmap 命令里 URL 中 `usr` 参数的值)解压,发现是初音未来,英文名是 HatsuneMiku,所以 flag 是 SpiritGame{HatsuneMiku}

其实不用搓脚本解包似乎也行🤔

直接对 pcap 用 strings 就能找到可疑字符串,然后直接出 flag。下次得再加密一层了(?)——补充一点:传统 ZIP 口令加密(ZipCrypto)并不加密条目的文件名,且本身抗不住已知明文攻击;要挡住 strings 这类手段,得对整个 zip 再做一层真正的加密(例如 AES)并把密钥放在别处,而不只是给 zip 设口令。(以上基于 zip 用的是传统口令加密这一假设,未核实。)

from json import loads
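def decode_file_data(packet):
    """Return the HTTP body of one exported packet as text.

    *packet* is one element of a Wireshark/tshark JSON export
    (``_source.layers.http``). The ``http.file_data`` field arrives as
    colon-separated hex (``"7b:22:..."``): the colons are stripped, the hex
    decoded, and the bytes rendered with ``unicode_escape`` so that the
    ``\\uXXXX`` sequences ``json.dumps`` puts into the server's responses
    read as real characters.

    Caveat: ``unicode_escape`` treats raw bytes > 0x7f as Latin-1, so a body
    containing genuine UTF-8 would come out mangled -- good enough for this
    capture, not a general-purpose decoder.
    """
    hex_body = packet["_source"]["layers"]["http"]["http.file_data"]
    return bytes.fromhex(hex_body.replace(":", "")).decode("unicode_escape")


if __name__ == "__main__":
    # use.json: the filtered ("useful") packets exported from Wireshark as
    # JSON, per the writeup above. The file handle is closed by the `with`.
    with open("use.json", encoding="utf-8") as fh:
        packets = loads(fh.read())
    for packet in packets:
        print(decode_file_data(packet))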
import sqlite3
import mysql.connector as mysqlconn
from urllib.parse import urlparse,parse_qs
from http.server import ThreadingHTTPServer,BaseHTTPRequestHandler
from json import dumps
# Connection targets for the challenge server.
#
# Credentials are hard-coded and deliberately weak ("root" / "123456").
# That is tolerable only because this process exists to *generate* the
# challenge pcap on a throwaway localhost box -- do not reuse these values,
# and do not expose either listener beyond localhost.
DB_FILE = "1.db"                      # sqlite leftover; the MySQL-backed handler below does not use it
SQL_SERVER_TUPLE = "localhost", 4000  # (host, port) handed to mysqlconn.connect()
SQL_USER = "root"
SQL_PASS = "123456"
SERVER_TUPLE = "localhost", 8080      # (host, port) the HTTP server binds to
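class DB_Handler(BaseHTTPRequestHandler):
    """Request handler for the sqlshark challenge server.

    Exposes one endpoint, ``GET /login?usr=<u>&pwd=<p>``, whose SQL is built
    by string interpolation ON PURPOSE: it is the target the writeup's
    sqlmap run was pointed at to produce the challenge pcap. Every other
    path answers 404. Do not copy the query construction into real code.

    Changes from the first version: the ``{"status": "fail"}`` response is
    actually sent (the original wrote ``dumps({{...}})`` -- a set containing
    a dict -- which raised ``TypeError`` after the headers had gone out and
    produced a 400 ``Bad Request`` with a second set of headers); the MySQL
    connection and cursor are always closed; and a request that is not
    ``/login`` no longer opens a database connection at all.
    """

    def send_headers(self, code=200, content_type='application/json'):
        """Send the status line plus a single Content-type header."""
        self.send_response(code)
        self.send_header('Content-type', content_type)
        self.end_headers()

    def _send_json(self, code, payload):
        """Serialize *payload* and send it as the complete response.

        Serialization happens before any header is written, so a ``dumps``
        failure cannot leave a half-written response behind.
        """
        body = dumps(payload).encode()
        self.send_headers(code)
        self.wfile.write(body)

    @staticmethod
    def _connect():
        """Open a fresh MySQL connection using the module-level settings."""
        return mysqlconn.connect(username=SQL_USER, password=SQL_PASS,
                                 host=SQL_SERVER_TUPLE[0],
                                 port=SQL_SERVER_TUPLE[1],
                                 database="table")

    @staticmethod
    def _login_response(db, usr, pwd):
        """Run the login query on *db* and return ``(status_code, payload)``.

        Returns ``(200, {"status": "success", "result": {...}})`` built from
        the first matching row, or ``(400, {"status": "fail"})`` when no row
        matches. The cursor is closed either way.
        """
        cur = db.cursor()
        try:
            # INTENTIONALLY INJECTABLE -- this is the challenge. The usr/pwd
            # query-string values land verbatim inside the SQL text. The safe
            # form, for reference, is the parameterized call:
            #   cur.execute("SELECT username,permission,uid FROM user "
            #               "WHERE username=%s AND password=%s", (usr, pwd))
            cur.execute(f"SELECT username,permission,uid FROM user WHERE username='{usr}' AND password='{pwd}'")
            rows = cur.fetchall()
        finally:
            cur.close()
        if not rows:
            return 400, {"status": "fail"}
        first = rows[0]
        return 200, {"status": "success", "result": {
            "username": first[0],
            "permission": first[1],
            "uid": first[2],
        }}

    def do_GET(self):
        """Dispatch on path: ``/login`` runs the query, anything else is 404.

        Problems while reading the parameters (a missing ``usr``/``pwd``
        makes ``query.get(...)`` return ``None`` and the ``[0]`` raise) or
        while running/serializing the query are printed and reported as a
        generic 400 ``Bad Request``. A failure to *connect* to MySQL is not
        caught -- as in the original -- so a dead database shows up as a
        traceback in the server log rather than as a client error.
        """
        url = urlparse(self.path)
        if url.path != "/login":
            self._send_json(404, {"error": "Not Found"})
            return
        query = parse_qs(url.query)
        db = self._connect()
        try:
            try:
                usr = query.get('usr')[0]
                pwd = query.get('pwd')[0]
                code, payload = self._login_response(db, usr, pwd)
                self._send_json(code, payload)
            except Exception as e:
                print(str(e))
                self._send_json(400, {"error": "Bad Request"})
        finally:
            # Every request opens its own connection; close it so a long
            # sqlmap run (many threads, thousands of requests) cannot
            # exhaust the database's connection limit.
            db.close()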
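if __name__ == '__main__':
    # The server is used as a context manager so the listening socket is
    # closed on exit; Ctrl-C stops serve_forever() cleanly instead of
    # leaving a traceback behind after the capture has been taken.
    with ThreadingHTTPServer(SERVER_TUPLE, DB_Handler) as srv:
        print(f"Server is running at {SERVER_TUPLE[0]}:{SERVER_TUPLE[1]}")
        try:
            srv.serve_forever()
        except KeyboardInterrupt:
            pass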