当前位置: 首页 > news >正文

202509_NBWS_logbool

news 2025/9/20 19:20:43

Tags:流量分析,正则匹配,布尔盲注,pyshark,DASCTF

0x00. 题目

找到flag,格式为DASCTF{}

附件路径:https://pan.baidu.com/s/1GyH7kitkMYywGC9YJeQLJA?pwd=Zmxh#list/path=/CTF附件

附件名称:202509_NBWS_logbool.zip

0x01. WP

1. 分析流量结构

初筛http协议,发现大量SQL注入请求,初步判断为SQL注入流量复现

图片

从返回包来看,如果语句判断成立则会返回success关键词,反之则只显示语句

图片

重新浏览注入请求,发现只针对三个字段,分别是username,passwordcontent,那么只要解析其中一个也就能用同样脚本解析其他两个

2. 编写exp.py提取数据

使用过滤表达式(http.request.full_uri contains "username") && (tcp.srcport == 80)先对username的返回包进行筛选,并套用之前编写的通用脚本框架,提取请求数据request.full_uri和响应内容data-text-lines

import pyshark
import re
import urllib.parsestrTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
strCapPath = "logbool.pcapng"
# 分别筛选出username,password和content
strFomula='(http.request.full_uri contains  "username") && (tcp.srcport == 80)'cap= pyshark.FileCapture(strCapPath, display_filter=strFomula,tshark_path=strTsharkPath)# 协议结构分析开始
print("协议结构分析开始...")
i=0
for layer in cap[1].layers:print("第",i+1,"层:",layer.layer_name)print(layer.field_names)i+=1
print("协议结构分析完成。")
print("=" * 16)
sResult=[]for pkt in cap:intRequestNumber = pkt.numberprint("\r\tFrame Number: %s" % str(intRequestNumber), end="")for layer in pkt.layers:if layer.layer_name == "http":  # 指定协议层sURI=layer.get_field_value("request.full_uri")  #指定字段sURI=urllib.parse.unquote(sURI)print("request.full_uri: ",sURI)if layer.layer_name =="data-text-lines":print("data-text-lines: ",str(layer))

运行结果如下:

D:\=CTF缓存=\20250919_市信息中心竞赛\logbool>python exp.py
协议结构分析开始...
第 1 层: null
['family']
第 2 层: ip
['version', 'hdr_len', 'dsfield', 'dsfield_dscp', 'dsfield_ecn', 'len', 'id', 'flags', 'flags_rb', 'flags_df', 'flags_mf', 'frag_offset', 'ttl', 'proto', 'checksum', 'checksum_status', 'src', 'addr', 'src_host', 'host', 'dst', 'dst_host', 'stream']
第 3 层: tcp
['srcport', 'dstport', 'port', 'stream', 'stream_pnum', 'completeness', 'completeness_rst', 'completeness_fin', 'completeness_data', 'completeness_ack', 'completeness_syn_ack', 'completeness_syn', 'completeness_str', 'len', 'seq', 'seq_raw', 'nxtseq', 'ack', 'ack_raw', 'hdr_len', 'flags', 'flags_res', 'flags_ae', 'flags_cwr', 'flags_ece', 'flags_urg', 'flags_ack', 'flags_push', 'flags_reset', 'flags_syn', 'flags_fin', 'flags_str', 'window_size_value', 'window_size', 'window_size_scalefactor', 'checksum', 'checksum_status', 'urgent_pointer', '', 'time_relative', 'time_delta', 'analysis', 'analysis_initial_rtt', 'analysis_bytes_in_flight', 'analysis_push_bytes_sent', 'payload']
第 4 层: http
['', 'response_version', 'response_code', 'response_code_desc', 'response_phrase', 'server', 'response_line', 'date', 'content_type', 'transfer_encoding', 'connection', 'content_encoding', 'response', 'request_in', 'time', 'request_uri', 'request_full_uri', 'chunk_size', 'chunk_data', 'chunk_boundary', 'file_data']
第 5 层: data-text-lines
['']
协议结构分析完成。
================Frame Number: 108471
request.full_uri:  http://10.211.55.8/?id=1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>64 AND 'hiCz'='hiCz
data-text-lines:  Layer DATA-TEXT-LINES
:       SELECT * FROM ctfuser WHERE id='1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>64 AND 'hiCz'='hiCz' LIMIT 0,1</br></br>successFrame Number: 108512
request.full_uri:  http://10.211.55.8/?id=1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>96 AND 'hiCz'='hiCz
data-text-lines:  Layer DATA-TEXT-LINES
:       SELECT * FROM ctfuser WHERE id='1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>96 AND 'hiCz'='hiCz' LIMIT 0,1</br></br>successFrame Number: 108553
request.full_uri:  http://10.211.55.8/?id=1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>112 AND 'hiCz'='hiCz
data-text-lines:  Layer DATA-TEXT-LINES
:       SELECT * FROM ctfuser WHERE id='1' AND ORD(MID((SELECT IFNULL(CAST(username AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),1,1))>112 AND 'hiCz'='hiCz' LIMIT 0,1</br></br>... ...

3. 增加正则匹配,根据返回包特征调整注入字符的ASCII值

提取SQL注入操作的字符索引和对应的ASCII值,当返回包中包含success内容时表示判断成立,即实际的ASCII=ASCII+1

调整exp.py

import pyshark
import re
import urllib.parsestrTsharkPath = "D:\\=Green=\\Wireshark\\App\\Wireshark\\"
strCapPath = "logbool.pcapng"
# 分别筛选出username,password和content
strFomula='(http.request.full_uri contains  "username") && (tcp.srcport == 80)'cap= pyshark.FileCapture(strCapPath, display_filter=strFomula,tshark_path=strTsharkPath)# 协议结构分析开始
print("协议结构分析开始...")
i=0
for layer in cap[1].layers:print("第",i+1,"层:",layer.layer_name)print(layer.field_names)i+=1
print("协议结构分析完成。")
print("=" * 16)
sResult=[]for pkt in cap:intRequestNumber = pkt.numberprint("\r\tFrame Number: %s" % str(intRequestNumber))for layer in pkt.layers:if layer.layer_name == "http":  # 指定协议层sURI=layer.get_field_value("request.full_uri")  #指定字段sURI=urllib.parse.unquote(sURI)print(sURI)# SELECT * FROM ctfuser WHERE id='1' AND ORD(MID((SELECT IFNULL(CAST(content AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),60,1))>50 AND 'aOIj'='aOIj' LIMIT 0,1</br></br>success         sT=re.findall(rf'(.*?)LIMIT 0,1\),(.*?),1\)\)>(.*?) AND(.*?)',sURI)intIndex=int(sT[0][1])intASCII=int(sT[0][2])if len(sResult)<intIndex:sResult.append('')if layer.layer_name =="data-text-lines":print(str(layer))if "success" in str(layer):intASCII=intASCII+1sResult[intIndex-1]=chr(intASCII)print("".join(sResult))
print("\r")# boolblob

同理,修改过滤表达式为(http.request.full_uri contains "password") && (tcp.srcport == 80)'得到password内容为timeemitloggol

4. 修正脚本,获取content

修改过滤表达式为(http.request.full_uri contains "content") && (tcp.srcport == 80)'获取content内容时发现脚本报错

... ...Frame Number: 41340
http://10.211.55.8/?id=1' AND ORD(MID((SELECT IFNULL(CAST(content AS NCHAR),0x20) FROM ctftest.ctfblob ORDER BY id LIMIT 0,1),130,1)) ! = 53 AND 'aOIj'='aOIj
Traceback (most recent call last):File "D:\=CTF缓存=\20250919_市信息中心竞赛\logbool\exp.py", line 37, in <module>intIndex=int(sT[0][1])

出错语句提取的内容为!=而不是>,查看对应的请求和返回数据,仅仅是对某个字符爆破的过程请求,不影响最终结果,增加容错判断

... ...sT=re.findall(rf'(.*?)LIMIT 0,1\),(.*?),1\)\)>(.*?) AND(.*?)',sURI)# 如果正则未匹配到有效数据,忽略本次请求和响应if len(sT)<1:continueintIndex=int(sT[0][1])intASCII=int(sT[0][2])
... ...

最终得到content内容为
526172211a0701003392b5e50a01050600050101808000b2b1f3d65502033cb00004a80020a09ebf0280030008666c61672e747874300100030fedd6cdb8cc2535d8819161a4c7f5b2b05912735d7a3fd51074b03e4d9a68c5ec47766f7c7e9491369e1d8add0a0302eefeaba7a446d80100cf48e5373135a4b7de8993121c592e8c87743c2e8c0fffb766b53217f07acac40b55cf1db67923bea02a55299c54991d77565103050400

5.HEX导入文件,顺利获得flag

content内容导入十六进制编辑器发现头部特征为Rar!,另存为rar文件。

使用前期解析出来的password解压后得到flag为DASCTF{33c12355cd508de6b9b3676b97ece17e}

图片

图片

0x02. 总结

由于平时代码写得不多前后调试花了半个小时,作为一个线下赛题,整体来说还是做得酣畅淋漓

http://www.hskmm.com/?act=detail&tid=10971

相关文章:

  • Kubernetes权威指南-深入理解Pod Service
  • 详细介绍:jeecg-boot3.7.0对接钉钉登录(OAuth2.0)
  • C++编程软件 Dev-C++ 安装及使用流程
  • DLL植入漏洞分类与微软安全响应指南
  • 4980:拯救行动
  • java03-wxj
  • 题解:P13969 [VKOSHP 2024] Exchange and Deletion
  • 市场交易反心理特征之二:忽视热点切换的苗头
  • Linux服务器上安装配置GitLab的步骤
  • 贪心算法应用:投资组合再平衡问题详解 - 实践
  • MCP:Trae中集成Playwright 实现网页自动化测试
  • C语言中的字符、字符串及内存操作函数详细讲解
  • 06、訊息收集
  • 在Linux中设定账户密码的安全性策略
  • 精选 4 款基于 .NET 开源、功能强大的 Windows 系统优化工具,助力轻松提升 Windows 系统性能与使用体验!
  • MySQL 32 为什么还有kill不掉的语句?
  • Axure RP 9 Mac 交互原型设计 - 实践
  • 深入解析:rook-ceph自定义添加osd流程
  • 1789:算24
  • 流行的 3D 文件格式及其用途指南
  • CentOS7.9上安装MySQL8.4
  • 铁头山羊stm32-HAL库 - 实践
  • 2025CSP-S初赛游记
  • JBoltAI框架:企业级AI开发的革新路径与行业实践 - 那年-冬季
  • JBoltAI:重塑视频创作,开启零门槛智能混剪新时代 - 那年-冬季
  • 深入解析:手搓一个 DELL EMC Unity存储系统健康检查清单
  • Vscode + Latex指南
  • 线程池未争取关闭导致的一个bug
  • kafka创建topic
  • WPS 2025最新版EXE