= sso =
前の文字列から次の文字のkeyが決まってxorされる感じ？

{{{#!highlight perl
use strict;
use warnings;
my $target = '{"User":"admin","Hash":"AA8K5.AZ9BzSw"} ';

my $info_url = 'http://188.40.18.87:5144/info.php?token=';

sub system_pipe {
    my @args = @_;
    open my $pipe, "-|", @args or return;
    my @result = <$pipe>;
    join "", @result;
}
sub info {
    my $token = shift;
    system_pipe qw(curl -s), $info_url.$token;
}

my $token = "69222e97316b9dd8f7d74a";
for my $i (length($token)/2 .. length($target)-1) {
    print "----------------\n";
    print "pos: $i\n";
    
    my $result0 = info($token . "00");
    printf "got: %02x\n", ord(substr($result0, $i, 1));
    my $key = substr($result0, $i, 1);
    
    $token .= unpack("H*", $key ^ substr($target, $i, 1));
    print "token: $token\n";
    print info($token . unpack("H*", $key ^ substr($target, $i, 1))), "\n";
    
    sleep 1;
}
print "token: $token\n";
}}}
得られたtokenでadmin.phpにアクセスするだけ。
{{{
31C3_7eaf3fa7cf9e401357bc
}}}

passwordとは一体なんだったのか