volpino · October 18, 2015 14:04
diff --git a/crypto100.py b/crypto100.py
 import requests
 import string
 import random
 import urllib


 def xor(s1, s2):
    assert len(s1) == 16 and len(s2) == 16
    return "".join([chr(ord(s1[i]) ^ ord(s2[i])) for i in range(16)])


 url = "http://52.69.244.164:51913/"
 #url = "http://127.0.0.1:9292/"

 data = {
    "username": "a",
    "password": "a" * 31,
 }

 sess = requests.Session()
 res = sess.post(url, params=data)
 print res.text
 auth = sess.cookies['auth']
 print auth
 auth = urllib.unquote(auth)
 iv = auth[:16]
 block1 = auth[16:32]
 block2 = auth[32:48]
 block3 = auth[48:64]
 block4 = auth[64:80]
 block5 = auth[80:]

 block3 = xor(xor(block3, "a" * 16), '","admin":true,"')

 new_auth = iv + block1 + block2 + block3 + block4 + block5
 print len(new_auth)
 print urllib.quote(new_auth)
 res = requests.get(url, cookies={"auth": urllib.quote(new_auth)})
 print res.text
	import requests
	import string
	import random
	import urllib


	def xor(s1, s2):
	assert len(s1) == 16 and len(s2) == 16
	return "".join([chr(ord(s1[i]) ^ ord(s2[i])) for i in range(16)])


	url = "http://52.69.244.164:51913/"
	#url = "http://127.0.0.1:9292/"

	data = {
	"username": "a",
	"password": "a" * 31,
	}

	sess = requests.Session()
	res = sess.post(url, params=data)
	print res.text
	auth = sess.cookies['auth']
	print auth
	auth = urllib.unquote(auth)
	iv = auth[:16]
	block1 = auth[16:32]
	block2 = auth[32:48]
	block3 = auth[48:64]
	block4 = auth[64:80]
	block5 = auth[80:]

	block3 = xor(xor(block3, "a" * 16), '","admin":true,"')

	new_auth = iv + block1 + block2 + block3 + block4 + block5
	print len(new_auth)
	print urllib.quote(new_auth)
	res = requests.get(url, cookies={"auth": urllib.quote(new_auth)})
	print res.text