Web injection tool (ASP + MSSQL) beta 3 final release

Source: evil baboons Information Security Team (www.eviloctal.com)

To tell the truth, I didn't want to send it again, because no one gave me any comments after I sent it out (I just wanted to give some suggestions or fix some bugs if I didn't need your comments ), previous posts have someCodeYes, there must be a problem, but I am so sad that I have never seen anyone raise these mistakes.
But when I first said it, an update was sent out. So I will release this final version, and I will not update it any more in the future. Do anyone with the ability want to add something for themselves? Isn't it all open source? This is the original code. If you don't know how to change it, it's your own business.
The final version has many features and many changes, so I am posting them separately. I hope that brother Bingbing will not blame me.
Some common functions are added:
1. Obtain database server information, including whether some extended storage is available (but sometimes it is not very accurate)
2. Obtain webshell through log backup
3. Differential backup for webshell
4. xp_dirtree column directory
5. Read the registry using xp_regread
6. Run the xp_cmdshell command.
7. Custom SQL statement execution

For example:
It should be noted that when you back up webshell, the "webshell absolute path" column fills in the absolute path of webshell, such as C:/inetpub/wwwroot/Mimi. asp.
When the webshell is backed up, the execution progress is displayed at the bottom of the page, and each statement is displayed. If there is red or blue, it indicates that the page is returned with an error (the returned status of the HTTP header is not 200), while the blue indicates that the returned status is normal (the HTTP header status is 200 ), however, after many tests, we found that even if the red message is returned, wbshell can back up the data normally, try it to see if it is successful.

ProgramThe running interface is as follows:

The following is captured when listing directories:

This is what gets server information:

In addition, in order to make this tool more practical, we make it not only for Cookie injection, but also for URL injection. For example, the specific method can take a good look at the instructions on the page.

Have you seen the figure above? There are two more urls: URL injection and cookie injection.

Finally, I would like to say a few more words, and BF asked me to play the next part. It has nothing to do with me: "The atmosphere of the Forum is not as good as before. Everyone is hiding it. Many people lived in their own homes before, every time I comment on a technology, I always point to the point. If I say a few deep desert tests in a vague way, I will discuss the technology. I am myself, too. I cannot feel at ease with my previous discussions, so I have to retire for the time being. However, I have always hoped to see some improvements in the forum, so I asked my daughter-in-law to adjust the atmosphere here. Of course, this atmosphere was not taken by myself. However, the atmosphere can be infected. I hope that the atmosphere she brings will infect everyone who once sought technology and restore the original atmosphere of the forum as soon as possible! "
PHP is quite good. Its function library is very huge, and there are a lot of functions you can't think of in PHP, so it is quite good to use it to write some practical tools, I hope that you will learn more than just a tool after reading this post.
Download:Http://201314.free.fr/attachments/200709/mika.rar