SHARE
TWEET

Untitled

mage_1868 Oct 24th, 2014 (edited) 74 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. import re
  2. import urllib
  3. import urllib2
  4. import basin
  5. import base64
  6.  
  7. COOKIE = 'PHPSESSID=☆(ゝω・)v'
  8.  
  9. def get(url):
  10.     opener = urllib2.build_opener()
  11.     request = urllib2.Request(url)
  12.     request.add_header('Cookie', COOKIE)
  13.     response = opener.open(request)
  14.     return response
  15.  
  16. def post(url, param):
  17.     opener = urllib2.build_opener()
  18.     request = urllib2.Request(url, urllib.urlencode(param))
  19.     request.add_header('Cookie', COOKIE)
  20.     response = opener.open(request)
  21.     return response
  22.  
  23. def getSolution(js):
  24.     js = js.split(';')
  25.     varname = js[0][4:5]
  26.     result = {}
  27.  
  28.     for i in range(1, len(js)):
  29.         if js[i][0:3] != 'var':
  30.             continue
  31.  
  32.         if varname + '.createLinearGradient' in js[i]:
  33.             continue
  34.  
  35.         # expression
  36.         expression = js[i][6:]
  37.         order = ''
  38.  
  39.         for j in range(i + 1, i + 8):
  40.             matches = re.search('fillText\(\w+,(\d+),\d+\)', js[j])
  41.             if matches != None:
  42.                 order = matches.group(1)
  43.                 break
  44.  
  45.         matches = re.match('/(\w+)/\.source', expression)
  46.         if matches != None:
  47.             result[order] = matches.group(1)
  48.             continue
  49.  
  50.         matches = re.match('String\.fromCharCode\((\d+)\)', expression)
  51.         if matches != None:
  52.             result[order] = chr(int(matches.group(1)))
  53.             continue
  54.  
  55.         matches = re.match('\(\'\'\+\!1\)\[(\d+)\]', expression)
  56.         if matches != None:
  57.             result[order] = 'false'[int(matches.group(1))]
  58.             continue
  59.  
  60.         matches = re.match('\(\'\'\+\!0\)\[(\d+)\]', expression)
  61.         if matches != None:
  62.             result[order] = 'true'[int(matches.group(1))]
  63.             continue
  64.  
  65.         matches = re.match('\(\[\]\[\+\[\]\]\+""\)\[(\d+)\]', expression)
  66.         if matches != None:
  67.             result[order] = 'undefined'[int(matches.group(1))]
  68.             continue
  69.  
  70.         matches = re.match('\(\[\]\+\{\}\)\[(\d+)\]', expression)
  71.         if matches != None:
  72.             result[order] = '[object Object]'[int(matches.group(1))]
  73.             continue
  74.  
  75.         matches = re.match('\((\d+)\)\.toString\(36\)', expression)
  76.         if matches != None:
  77.             result[order] = basin.encode("0123456789abcdefghijklmnopqrstuvwxyz", int(matches.group(1)))
  78.             continue
  79.  
  80.         matches = re.match('atob\(\'([a-zA-Z0-9\=]+)\'\)', expression)
  81.         if matches != None:
  82.             result[order] = base64.b64decode(matches.group(1))
  83.             continue
  84.  
  85.         matches = re.match('location\.pathname\[(\d+)\]', expression)
  86.         if matches != None:
  87.             result[order] = '/index.php'[int(matches.group(1))]
  88.             continue
  89.  
  90.         print expression
  91.  
  92.     solution = ''
  93.     for key in sorted(map(int, result.keys())):
  94.         solution += result[str(key)]
  95.  
  96.     return solution
  97.  
  98. if __name__ == '__main__':
  99.     output = open('result.html', 'wb')
  100.     body = get('https://wildwildweb.fluxfingers.net:1422/').read()
  101.  
  102.     for i in range(10):
  103.         matches = re.search('<script>(.*?)</script>', body)
  104.         solution = getSolution(matches.group(1))
  105.  
  106.         body = post('https://wildwildweb.fluxfingers.net:1422/index.php', {'solution': solution}).read()
  107.         output.write(body)
  108.  
  109.         state = re.search('<p class=\'(?:pos|neg)\'>(.*?)</p>', body).group(1)
  110.         print state
  111.  
  112.         if state == 'Code VALID !':
  113.             matches = re.search('\?login\=(\w+)', body)
  114.             open('login.html', 'wb').write(get('https://wildwildweb.fluxfingers.net:1422/index.php?login=' + matches.group(1)).read())
RAW Paste Data
Top