SpiritGame sqlshark writeup exp and server.

README.md

出题碎碎念：

想法来自群友的调侃：那是不是搞一个sqlmap risk3 level5然后抓包就能出题了？

嗯于是这道题出题时候的参数就是：python sqlmap.py -u "http://localhost:8080/login?usr=LiBr&pwd=11d188aa7daf1c0ef4744d33888fd0da" --risk 3 --level 5 --thread 8 --dump -T table（

出题人wp：

导出所有有用包之用python处理可以看到有效信息：

然后找到这个https://gist.github.com/lbr77/891f6326b8a0b5e1b6a4369c55de1b3a 写入zip文件，用密码LiBr解压发现是初音未来，英文名是HatsuneMiku，所以flag是SpiritGame{HatsuneMiku}

其实不用搓脚本解包似乎也行🤔

直接strings 找到可疑字符串然后直接能出。下次得再加密一层了（？

exp.py

from json import loads

packets = loads(open("use.json",encoding="utf-8").read())

for packet in packets:
    print(bytes.fromhex(packet["_source"]["layers"]["http"]["http.file_data"].replace(":","")).decode("unicode_escape"))

server.py

import sqlite3
import mysql.connector as mysqlconn
from urllib.parse import urlparse,parse_qs
from http.server import ThreadingHTTPServer,BaseHTTPRequestHandler
from json import dumps

DB_FILE='1.db'
SQL_SERVER_TUPLE = ("localhost", 4000)
SQL_USER = "root"
SQL_PASS = "123456"
SERVER_TUPLE = ("localhost", 8080)



class DB_Handler(BaseHTTPRequestHandler):
    def send_headers(self,code=200,content_type='application/json'):
        self.send_response(code)
        self.send_header('Content-type', content_type)
        self.end_headers()
    def do_GET(self):
        #db = sqlite3.connect(DB_FILE)
        db = mysqlconn.connect(username=SQL_USER, password=SQL_PASS, 
                                host=SQL_SERVER_TUPLE[0], 
                                port=SQL_SERVER_TUPLE[1],
                                database="table")
        cur = db.cursor()

        url = urlparse(self.path)
        path = url.path
        query = parse_qs(url.query)
        if path == "/login":
            try:
                usr = query.get('usr')[0]
                pwd = query.get('pwd')[0]
                cur.execute(f"SELECT username,permission,uid FROM user WHERE username='{usr}' AND password='{pwd}'")
                res = cur.fetchall()
                if res:
                    self.send_headers(200)
                    self.wfile.write(dumps({"status":"success","result": {
                        "username": res[0][0],
                        "permission": res[0][1],
                        "uid": res[0][2]
                    }}).encode())
                else:
                    self.send_headers(400)
                    self.wfile.write(dumps({{"status":"fail"}}).encode())
            except Exception as e:
                print(str(e))
                self.send_headers(400)
                self.wfile.write(dumps({"error": "Bad Request"}).encode())
        else:
            self.send_headers(404)
            self.wfile.write(dumps({"error": "Not Found"}).encode())

if __name__ == '__main__':
    srv = ThreadingHTTPServer(SERVER_TUPLE, DB_Handler)
    print(f"Server is running at {SERVER_TUPLE[0]}:{SERVER_TUPLE[1]}")
    srv.serve_forever()