Security/web
-
[webhacking.kr] old-23 blind SQL injection
Security/web 2021. 8. 18. 16:01
https://webhacking.kr/challenge/bonus-1/index.php Challenge 21 webhacking.kr
Problem analysis
id: admin, pw: admin => login fail
id: admin, pw: asdf => login fail
id: a, pw: a => login fail
id: guest, pw: guest => login success
id: guest, pw: a => login fail
id: a, pw: guest => login fail
id: guest, pw: 'or 1=1 => wrong password
TRUE => wrong password, FALSE => login fail
Finding the ID
Assuming the id would be admin, the very first character is a ..
-
[webhacking.kr] Challenge(old) 33
Security/web 2021. 7. 31. 22:04
Problem: https://webhacking.kr/challenge/bonus-6/
33-1 view-source
It looks like passing the string "hehe" via GET lets you move on to the next step.
>>> import requests
>>> url = "https://webhacking.kr/challenge/bonus-6"
>>> params = {"get":"hehe"}
>>> r = requests.get(url, params=params)
>>> r.text
'\nChallenge 33-1 \nview-source\n\nNext\n'
33-2 view-source
Via POST, "hehe" and "hehe2" ..
-
[webhacking.kr] Challenge(old) 2
Security/web 2021. 7. 28. 02:38
Problem analysis
Access: https://webhacking.kr/challenge/web-02/ https://webhacking.kr/challenge/web-02/admin.php
Developer tools
Access: https://webhacking.kr/challenge/web-02/admin.php
SQL injection??
I tried changing the value of the time cookie.
time : 1
time : 1=1
time : 1=2
Blind SQL injection should do it.
blind sql injection
1. Number of tables
select count(table_name) from information_schema.tables where table_schema=database()
2 information_..